The General Data Protection Regulation (GDPR) is one of the world's toughest privacy and data protection laws, yet few organizations completely comply with its statutes. The GDPR generally regulates countries within the European Union (EU) and European Economic Area, but its framework has been adopted in many important data privacy laws around the world.
Complacency is dangerous territory. Non-compliant entities could be fined up to £18 million or 4% of annual global turnover (whichever is greater). As of 2018, the Information Commissioner’s Office (ICO) enforces GDPR standards.
This post outlines the standards set by the GDPR and provides a checklist to help organizations remain compliant.
What is the General Data Protection Regulation (GDPR)
The GDPR is a product of the European Union’s (EU) audacious data protection reform. The strict privacy standards were put into effect on May 25, 2018, to protect the rights of individuals. This cybersecurity framework aims to protect the personal data of all people in the European Union.
The GDPR updates the 1950 European Convention on Human Rights to make it relevant for the digital age. Article 8 of the convention states that everyone has the right to respect their private family life. In the analog era that birthed this article, the boundaries between public and private life were bold and easily identified. Today, they’re ambiguous and blurred. Without a clear and enforced standard like the GDPR, customers can never be confident that their private data, and therefore their private life, is being respected.
To complement the risk mitigation efforts of the GDPR, the Prudential Regulation Authority outlines its third-party risk management standards in the Supervisory Statement SS2/21.
What is Considered Personal Data Under the EU GDPR?
According to Article 4 of the GDPR, personal data is defined as any information that relates to an identified or identifiable natural person. In other words, personal data is any data that is linked to the identity of a living person.
Personal data is format-agnostic to include images, video, audio, numerals, and words. This doesn’t only include direct associations, such as financial information and addresses, but also indirect links, such as evaluations relating to the behavior patterns of a person.
Inaccurate information relating to data subjects is still considered personal data because this information is linked to an identity. If, however, the information is associated with a fictional entity, it’s not considered personal data. For example, if you refer to a fictional character residing in a fictional location, that is not considered personal data.
Learn more about personal data >
Who Does the GDPR Apply To?
The GDPR impacts any organization that offers goods and services to people in the EU. This includes entities that are not located in the EU. If you run a business online, you never know for certain whether the people you transact with are located in the EU. For this reason, all online businesses should be GDPR-compliant as a protective measure.
Personal data is funneled into two categories - those that control the data and those that process the data (controllers vs. processors).
The GDPR defines a controller as any individual, public authority, agency, or another body determining the purpose and processing of personal data. Controllers decide how personal data is processed.
For example, a music school uses a digital screen to notify parents in the waiting room when each teacher is ready. The screen displays the name of each child and the room number of their music lesson.
The music school is classified as the “controller” of personal data since it decides how the notification system should process all of the data.
The GDPR defines any individual, public authority, agency, or another body that processes personal data on behalf of a controller. Because processors carry out the data processing rules set by the controller, they don’t make decisions about how personal data is handled.
For example, a software company hires a marketer for an upcoming email campaign. The marketer is supplied with the names and email addresses of all leads so that personalized cold emails can be sent to each one.
The software company is classified as the controller of personal data since it determines how the data should be handled. The marketer is classified as the “processor” since they carry out the software company’s data processing instructions.
Even though processes follow controller instructions, they are still expected to be GDPR compliant alongside processes because they handle personal data.
10-Step Checklist to be GDPR-Compliant
The following GDPR-compliance checklist will help businesses assess their current GDPR compliance status and reform poor data handling practices to become more compliant. Becoming GDPR-compliant will help businesses formulate their decision-making processes and build better information security measures to safeguard personal data.
1. Know All of the Data Your Business Collects
If you don’t know how personal data flows through your internal systems, you don’t know how it is controlled. Here’s a simple 7-category framework for mapping all data sources with an example of an ebook download process:
- Ebook download form
- Full name.
- Email address.
- Business name
Reason for data collection
- Creating sales leads
How is collected data processed?
- Stored in the Mailchimp database.
- Accessed by internal email marketers.
When is the data disposed of?
- All unsubscribed leads are manually deleted from Mailchimp every 30 days.
Do you have consent to collect this data?
- Yes, the ebook download form included a message saying that all entries are added to the email list.
Does the collected data include sensitive information?
- Yes, full names and associated email addresses.
This filtration protocol should be applied to all internal data until you can confidently map the lifecycle of all data feeds.
Because the GDPR is focused on sensitive data protection, it’s important to identify all instances and classify each record by level of sensitivity.
The higher the data sensitivity, the easier it is to identify and compromise an individual. Personally Identifiable Information (PII) is considered very sensitive and should be defended with the highest level of cybersecurity.
Are IP addresses classified as personal data?
IP addresses are classified as personal data if they can be linked to the identity of a person. For example, if a user’s IP address is collected alongside their email address, that would be considered personal data because the person's identity is linked to their email address.
All personal data in the EU is strictly subject to GDPR compliance. If you're unsure if the IP addresses you collect are classified as personal data, refer to the supervisory authority in your EU state.
2. Appoint a Data Protection Officer (DPO)
Article 37 of the GDPR states that both controllers and processes need to appoint a Data Protection Officer (DPO) to oversee the data protection strategy. Note that even processes are expected to have a data protection strategy even though they’re just following data handling instructions set by processors.
According to the GDPR, an organization must appoint a DPO or any data protection authority if any of the following conditions are met:
- If a public authority processes the data
- If collected data undergoes systematic monitoring
- If collected data is processed at a large scale
- If “special categories” of data are collected (profiling data, such as race, ethnicity, health information, biometric data, political affiliation, religion, etc.)
It’s important to note that the GDPR doesn’t define what “large scale” is. Because of this ambiguity, many organizations appoint DPOs to be safe.
Organizations should appoint DPOs where their data processing operations are centralized, even if it’s located outside the EU. If an organization is located in the EU, a DPO should be stationed in the member state of the company’s headquarters.
Ideally, the DPO should speak the same languages as the GDPR regulators in that state. This will help organizations understand, and therefore comply with, the GDPR nuances of that state.
Article 39 of the GDPR says that a DPO should be capable of completing the following duties:
- Confidently advising both controllers and processes of best GDPR compliance practices
- Monitoring data handling to ensure GDPR compliance
- Provide accurate advice about data protection impact assessments
- Act as the primary point of contact for all data processing inquiries
- Act as the primary point of contact between the company and GDPR regulators
- Have a clear understanding of all the potential risks associated with different processing operations
To effectively carry out these responsibilities, a DPO should possess expert knowledge of GDPR laws and best practices. To support the efforts of DPOs, organizations should adopt an attack surface monitoring solution to identify vulnerabilities that could be exposing processed data.
3. Create a GDPR Diary
A GDPR diary, or a Data Register, is a comprehensive record of how an organization practices GDPR compliance. This would need to be created after identifying the data sources (point 1 in this list).
A GDPR diary should map the flow of data through your organization. The more details that can be included, the better. In the event of an audit, the GDPR diary will serve as proof of compliance. If your organization suffers a data breach while instituting a compliance framework, the GDPR diary can be used as proof of progress toward improved data security.
A third-party attack surface monitoring solution helps organizations identify and remediate all data breach vulnerabilities in their vendor network. The early implementation of such a solution demonstrates an organization's dedication to protecting customer data.
4. Evaluate Your Data Collection Requirements
To be GDPR compliant, organizations should only collect data that is absolutely necessary. Accumulating sensitive data without a compelling reason will signal alarm bells for the supervisory authority monitoring your compliance.
All data requirements should be scrutinized through a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA). These impact assessments are mandatory when the data collected is highly sensitive.
The classification of “sensitivity” is, at times, subjective. To avoid confusion, here are some instances that would require the completion of a DPIA.
- When your organization is utilizing new technology
- If you’re tracking the location of individuals
- If you’re tracking the behavior of individuals
- If your data is associated with children
- If you’re using data for automated decisions that could have legal consequences
- If you’re monitoring publicly accessible areas
- If you’re processing personal data such as:
- Religious views
- Ethnic origins and identities
- Political opinions
- Genetic data
- Biometric data
- Philosophical beliefs
- Health records
- Sexual orientations
Data Protection Impact Assessment (DPIA) Template
The Information Commissioner's Office for the UK has created a DPIA template that can be used as a guide for data protection assessments. This template provides a deeper context into the activities that require a DPIA to help you decide whether your particular processing activity requires an assessment.
5. Instantly Report Data Breaches
Immediate data breach notification is a mandatory GDPR requirement. According to article 33 of the GDPR, both controllers and processors need to report data breaches within 72 hours.
The hierarchical reporting structure is as follows:
Processors need to report data breaches to controllers, and controllers need to report to a supervisory authority.
A supervisory authority, also known as a Data Protection Association or DPA, is responsible for monitoring and enforcing GDPR compliance. They are also the primary contact for all GDPR inquiries for an organization.
Supervisor authorities are usually located in the EU state where an organization is based. The GDPR empowers DPAs to impose non-compliance fines on both controllers and processors.
6. Be Transparent About Data Collection Motives
Your customers need to be aware of all the data you’re collecting about them. Clandestine data collection will only lead to a hefty non-compliance fine.
Data collection acknowledgment must be clearly displayed at every data collection point - before any data is collected.
Here are some common website locations that display data collection notifications:
Website forms should clearly state how all collected data will be used. Avoid complex phrasing or the use of jargon, your messaging should be clear and concise.
Pre-ticked consent boxes are not permitted. Individuals should always be aware that they consent to data collection.
Cookie collection notices
The GDPR classifies cookies that identify users as personal data collectors. As a result, they need to be regulated. Organizations can still use cookie data provided that they meet the following GDPR requirements:
- Organizations must clearly specify how cookie data will be used
- All user consent must be documented and stored
- Website access should not be impeded if cookie use consent is not provided
- Users should have the ability to seamlessly withdraw cookie use consent
Here’s an example of a cookie notice that specifies how cookie data will be used. This notice allows users to be in complete control of the specific cookie data they are willing to relinquish.
7. Verify the Ages of All Users Consenting to Data Processing Activities
The GDPR only permits personal data processing for persons at least 16 years of age. To lawfully collect personal data from individuals younger than that, consent must be given by the holder of parental responsibility for the child.
If there's a chance that EU citizens under the age of 16 will be engaging with your website, you must incorporate an age verification process to verify the age of users before collecting any data. If personal data processing of underaged users is required, a separate parental consent process is required.
8. Include a Double Opt-in for All New Email List Sign-Ups
To confidently acknowledge that all of your subscribers have consented to sign up to your email list, you should include a double opt-in process for all new sign-ups.
When double opt-in is enabled, a person is not added to an email list until they confirm their consent twice. The first consent happens when the signup form is completed, and the second consent occurs when a user clicks the confirmation link in the email that’s automatically sent to them after filling out the form.
The GDPR does not explicitly state that a double opt-in process is mandatory, but it is highly recommended. By implementing a double opt-in for all new email sign-ups, you’re further verifying that users are consenting to relinquish their data, which demonstrates your dedication to the data protection standards set by the GDPR.
10. Regularly Assess All Third-Party Risks
The GDPR expects organizations to be continuously aware of all security risks and to have remediation efforts in place for each of them. To effectively meet these requirements, organizations should implement a security scoring and risk assessment solution - ideally, GDPR-specific risk assessments.
UpGuard VendorRisk represents the security risk of each vendor with a security score. This empowers organizations to perform their vendor due diligence by instantly identifying and assisting in the remediation of all of the security vulnerabilities of each vendor. Vendors with poor security ratings are classified as high-risk, which helps organizations prioritize remediation or change vendors.
VendorRisk also includes a comprehensive library of risk assessments, including a GDPR standard security questionnaire, to ensure all third parties remain compliant.
The key to a secure ecosystem is to consistently monitor for vulnerabilities and immediately remediate them. If your organization doesn’t have the necessary expertise or resources for such a dedicated effort, world-class CyberResearch analysts can manage the complete scope of your vendor security on your behalf.
UpGuard Helps Businesses Remain GDPR Compliant
UpGuard helps businesses maintain GDPR compliance by identifying and addressing specific security vulnerabilities impacting the regulation. Using our prebuilt GDPR questionnaire, businesses and organizations can begin to assess their own GDPR compliance, as well as any third parties they work with within their supply chain.
UpGuard also empowers businesses to track third-party compliance against popular regulations by mapping risk assessment responses to security controls. This identifies any compliance gaps placing third-party at a heightened risk of regulatory fines and data breaches.