What is GDPR?

GDPR fines can wind up costing your organization up to $24 million. Learn how to prevent hefty GDPR penalties and remain GDPR compliant.

GDPR Meaning

GDPR stands for General Data Protection Regulation. It is a set of legal requirements that sets the guidelines for how personal information from individuals living in the European Union is collected and processed. The new privacy regulations apply to all websites that are frequented by European visitors.

As of May 2018, all businesses operating in the European Union must comply with the GDPR's rules for storing and processing personal data or be met with hefty fines. To put things in perspective, Google holds the record for the largest GDPR fine to date at €50 million or $56.6 million.

What's even worse is that this fine could have been avoided had the search giant provided more information in its privacy policies about how users' data was being processed. Lack of transparency must be avoided to prevent costly mistakes such as the one Google made.

Looking for a GDPR Compliant Cybersecurity Solution?

How to be GDPR Compliant?

To be in GDPR legal compliance, organizations must inform individuals about the data being collected about them. The GDPR rules for websites are the same as for any brick-and-mortar business in operation.

●     The organization must disclose what information is being collected, the purpose for it, and where the information is being stored.

●     Organizations must comply with government policies for monitoring and recording and demonstrate accountability.

●     Organizations must gain consent to collect personal information and may need to request it again for updates.

●     Someone must be in control of this data and responsible for safeguarding it. Organizations may need to appoint a Data Protection Officer (DPO) to oversee these processes and report events.

●     Establish policies and processes for reporting breaches. Businesses should put processes in place for detecting, investigating and reporting data breaches and have a plan for responding to threats.

Organizations must make a copy of this information available on request to the person whose information is being kept. The data controller must inform them of a breach in security.

This process also gives the customer of a business the option of opting out of being added to a mailing list. The GDPR also adds a ‘right to be forgotten’ process, which grants additional rights to people who no longer want their information collected and stored. They may be able to have it deleted, provided there is no longer a reason to keep it.

It requires websites to disclose to visitors that data about them is being collected and to obtain their consent before sharing that information with other parties.

This is to protect sensitive data in case of a data breach. Websites set what are referred to as cookies, small files stored in the browser that can hold personal information such as site settings and preferences.

The GDPR key provisions are designed to improve data collection and prevent misuse and security breaches that jeopardize personal privacy.

Visitors must have access to contact information for the Data Protection Officer (DPO) and other staff regarding access to their information and to exercise their rights under the data protection act.

This includes the right to have their data deleted, if necessary. A DPO, or another designated staff member, must be appointed to carry out customer requests.

GDPR Fines and How To Prevent Them

Penalties levied against a company that does not comply with GDPR can range from mild to severe, depending on the infraction. Businesses in the EU have had two years to get up to speed with the GDPR policies. A GDPR non-compliance fine is normally reserved for serious offenses and can reach a maximum of €20 million.

Depending on the policy not being followed, the business or organization may:

●      Be issued a warning or reprimand

●      Be subject to a ban on data processing (temporary or permanent)

●      Be subject to restriction or erasure of data

●      Be prevented from making data transfers to third countries

For serious violations or infringements, the EU GDPR sets a fine at $20 million or 4% of global annual revenues – whichever amount is greater.

A perfect example of this is the British Airways GDPR fine.

British Airways received one of the biggest GDPR fines so far at £20 million by the UK’s data protection authority over a failure to protect data, which enabled unauthorized parties to access personal and payment card information of more than 400,000 of the airline’s customers.

The original fine was actually larger but was reduced owing to mitigating circumstances related to the pandemic. To prevent GDPR fines, all a company has to do is make sure it is in compliance with the new regulations and follow all the steps for reporting a GDPR confidentiality breach.


European Privacy Laws

GDPR applies to any organization operating in the European Union. In 1995, the EU passed the European Data Protection Directive with a focus on establishing higher security standards for data privacy.

Directive (EU) 2016/680, which protects individuals with regard to the processing of their personal data, took effect on May 5th, 2016 as part of the European data protection framework. Countries in the European Union must abide by these laws when collecting data or face stringent penalties.

The European Data Protection Board (EDPB) helps keep GDPR regulations up-to-date and acts as a mediator between disputes.

What is The Data Protection Act?

Data Protection Act 2018

The Data Protection Act 2018 provides organizations guidance and best practices on how to use personal data. Organizations responsible for personal data must follow strict guidelines known as the data protection principles. These rules state that personal information must be: 

  • Used transparently and lawfully 
  • Held no longer than is necessary 
  • Kept accurate and up to date
  • Used for specific purposes
  • Handled in an appropriate manner

It is an organization’s responsibility to keep all forms of data secured. The following is a data security checklist any business can follow to remain in compliance with the DPA:

  • Ensure that password protection and encryption are used when transferring sensitive data, for example when moving highly confidential data from a USB drive to a laptop.
  • Businesses must make sure that their offices are fully locked when no one is there. Many companies have biometric forms of identification when entering the door and security codes in place when unattended.
  • Always log off from your computer when not in use to prevent unauthorized personnel from accessing sensitive information.
  • Change your password frequently and require all staff to do the same as well.

What is The Role of The ICO in GDPR?

The ICO, or Information Commissioner’s Office, is the UK’s data watchdog responsible for promoting good practices and upholding data protection and privacy laws with regard to GDPR. The ICO is responsible for resolving disputes, conducting investigations into data breaches, and taking appropriate action when an offense is committed under the GDPR regulations.

The ICO also issues severe fines for companies in violation of the rules. In 2018, tech giant and social media powerhouse, Facebook, was fined £500,000 by the ICO following the Cambridge Analytica data scandal. Since January of 2021, GDPR fines have risen by nearly 40% with penalties under the GDPR totaling over €158.5 million. 

The ICO has recently launched a regulatory sandbox where organizations can test products and services against data protection laws; however, it is still in the beta phase. You can learn more about the ICO here, including the latest news and how to file a complaint or report a data breach.

What Are The 7 Principles of GDPR?

These are the basic GDPR compliance principles which must be followed by businesses operating in EU member states or engaging with customers residing there. The basic principles are:

Lawfulness, fairness, and transparency – There must be a valid reason for requesting and storing personal information. You also must be truthful about what you will use the data for. Transparency is very important under the new regulations. You must have data protection policies and explain the processes you use to safeguard your customers’ private information. This applies to employee and vendor information as well.

Purpose limitation – When collecting personal information, you need to be clear about why you’re collecting it and what it will be used for. If the information will be used for more than one purpose, you must explain every use and obtain consent from the individual for each.

Data minimization – Data should only be collected to fulfill a stated purpose, or be relevant or necessary to process a customer’s order. You shouldn’t ask for or store information that is not needed for the process to be completed. The bare minimum should be all that is required.

Accuracy – The information being collected and held should be accurate. If there are any mistakes, they need to be corrected. Update the information frequently to ensure accuracy. If you discover an inaccuracy, you should take steps to correct it or delete the data entirely. Accurate information is important for reporting to government agencies. Penalties can be given for inaccurate facts published.

Storage limitation – You should be able to justify holding onto data past a certain point. It should be kept only as long as it is needed. Once it is no longer needed, it should be deleted or erased. It is a good idea to frequently review data against its intended purpose. Deleting data that is no longer useful also removes it from exposure to online threats.

Integrity and confidentiality – When storing data, you should have security measures to protect that data from outside parties. Keeping your customers’ private information confidential is of the utmost importance. Integrity and confidentiality relate to trustworthiness. Websites that follow the GDPR compliance checklist are more trustworthy and safer when it comes to sensitive data storage.

Accountability – You should have accountability for the information you are responsible for. Private data can be misused, lost, or deleted accidentally. There should be someone overseeing this process to ensure its security.

Article 12.3 describes the GDPR 30-day rule. Upon receiving a request for the erasure of data, companies must provide information outlining the actions the organization will take. This timeline can be extended to 60 days if needed.

The GDPR protection principles apply to all businesses and consumers in the European Union and visitors to websites that do business with EU visitors. The protections put in place ensure the secure collection of a consumer’s private information while giving rights to consumers over how their information is used. Businesses and organizations are accountable for how information is stored and monitored, and how they respond when a threat is received.

Under the new data privacy law, visitors can refuse to allow “cookies” to track them, as well as other policies regarding mailing lists and other means of collecting personal data. The GDPR cookie consent is a new policy that requires visitors to consent to tracking cookies being used. In short, the GDPR applies to any company or business which processes personal information and operates in the European Union (EU).

GDPR also requires businesses to appoint someone to be in charge of securing the data and be accountable for storing and protecting the data collected, including reporting security breaches and informing consumers when they occur.

This includes some of the largest companies in the world, such as:

●      Walmart

●      Amazon

●      Apple

●      Starbucks

●      McDonald’s 

●      General Electric

●      Toyota 

●      Volkswagen

Personal Data Security Articles (Some Interesting Facts)

Article 9 GDPR states that the processing of personal data revealing an individual’s racial or ethnic origin, political opinions, trade union membership, biometric data, health status, or sexual orientation is prohibited.

GDPR article 4 gives definitions of what is considered personal data, processing, and data restriction.

Article 32 of the GDPR refers to the security of processing measures companies must take to secure data such as:

●      The pseudonymization and encryption of personal data;

●      The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

●      The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;

●      A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

There are 99 general data protection regulation articles outlining an individual’s rights to privacy, and how data collection should be handled to ensure security and anonymity. The privacy articles communicate the requirements and expectations for secure data handling.
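As an added example (this is not code from the page or from Perimeter 81), the following Python applies three of the measures described above to a constructed set of order records: data minimization, pseudonymization under a key held separately from the data as Article 32 lists, and storage limitation, while still letting the controller answer access and erasure requests. The record fields, the analytics purpose and the 90-day retention period are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample records, as a web shop's order table might hold them.
# All names, addresses and values are invented for this example.
RECORDS = [
    {"name": "Ada Example", "email": "Ada@example.org", "ip": "203.0.113.7",
     "country": "FR", "order_total": 42.50, "order_date": "2021-01-04",
     "political_opinion": "undisclosed"},   # Art. 9 special category: never needed here
    {"name": "Bob Sample", "email": "bob@example.net", "ip": "198.51.100.9",
     "country": "DE", "order_total": 17.00, "order_date": "2021-05-20"},
    {"name": "Ada Example", "email": "ada@example.org", "ip": "203.0.113.8",
     "country": "FR", "order_total": 9.99, "order_date": "2021-05-28"},
]

# Purpose limitation / data minimization: the stated purpose (sales analytics,
# an assumption for this demo) needs only these fields.  Everything else is
# dropped before the export leaves the system of record.
ANALYTICS_FIELDS = {"country", "order_total", "order_date"}


def new_pseudonym_key() -> bytes:
    """Secret used to derive pseudonyms.  This is the 'additional information'
    that must be stored separately from the pseudonymized data and protected by
    its own access controls, so that a leak of the analytics export alone does
    not identify anyone."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token for a direct identifier.
    The same person always gets the same token, so orders can still be linked,
    but without the key the token cannot be turned back into an email address.
    (An unkeyed hash would not do: anyone could hash guessed addresses.)"""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def minimise(record: dict) -> dict:
    """Keep only the fields the documented purpose requires."""
    return {k: v for k, v in record.items() if k in ANALYTICS_FIELDS}


def prepare_for_analytics(records: list, key: bytes) -> list:
    """Minimize each record and replace the direct identifier with a pseudonym."""
    rows = []
    for rec in records:
        row = minimise(rec)
        row["customer_token"] = pseudonymise(rec["email"], key)
        rows.append(row)
    return rows


def purge_expired(rows: list, today_iso: str, retention_days: int) -> list:
    """Storage limitation: drop rows older than the documented retention period."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [r for r in rows if date.fromisoformat(r["order_date"]) >= cutoff]


def rows_for_subject(rows: list, email: str, key: bytes) -> list:
    """Right of access: with the separately held key, the controller can still
    find a data subject's rows to answer a subject access request."""
    token = pseudonymise(email, key)
    return [r for r in rows if r["customer_token"] == token]


def erase_subject(rows: list, email: str, key: bytes) -> list:
    """Right to erasure: remove every row belonging to the subject."""
    token = pseudonymise(email, key)
    return [r for r in rows if r["customer_token"] != token]


if __name__ == "__main__":
    key = new_pseudonym_key()
    export = prepare_for_analytics(RECORDS, key)
    print("analytics export:", export)
    print("rows for ada:", rows_for_subject(export, "ada@example.org", key))
    print("after 90-day purge:", purge_expired(export, "2021-06-01", 90))
```

Whoever holds the key can still re-identify tokens, so the key is itself personal-data-adjacent and belongs in a secrets store with its own audit trail, not beside the export.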

Data Protection Authority USA

When comparing US data protection laws vs. the GDPR, there are similarities but also differences. The General Data Protection Regulation that came into effect in May 2018, replaces the EU Data Protection Directive 95/46/EC, which no longer fulfilled the growing need for more personal privacy protection in the digital age. The GDPR focuses more on an individual’s right to privacy and control over how their personal information is used.

Unlike the GDPR's single combined set of regulations, U.S. data protection laws are broken down into individual statutes. These include:

the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB Act or GLBA), and the Federal Information Security Management Act (FISMA). These work with state and federal government agencies to direct the use of personal information.

U.S. privacy laws do not directly focus on the individual’s right to privacy the way the GDPR does. However, there is a data protection framework between the EU and the US.

It is known as the EU-US Privacy Shield Framework for transatlantic exchanges of personal data, designed by the European Commission and the US Department of Commerce.

This is used when information is exchanged for commercial purposes between the two regions.

Countries with Data Protection Laws

There are many data protection laws around the world. More than 120 countries have some form of data protection law. In the age of technology, having a form of global data protection means fewer hackers will be able to gain access to personal information, preventing identity theft and other internet crimes. 

Canada, for example, follows federal, provincial, or territorial statutes governing data protection and privacy. The most commonly followed one throughout the country is the Personal Information Protection and Electronic Documents Act (PIPEDA), while the province of Alberta goes by the Personal Information Protection Act (PIPA) 2004.

Each country has its own rules and regulations when it comes to the protection of data privacy. You can see a full list of Data Privacy Laws by Country here.

What Constitutes a Breach of Data Protection

The GDPR outlines the definition of a data breach in Article 4 as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

A data or security breach could mean accidental disclosure of personal information to unauthorized parties. If someone outside the list of authorized parties intercepts and reads personally identifying information it constitutes a breach of security. Unauthorized access includes:

●      Cyber attacks

●      Malware

●      Equipment theft

●      Negligence

GDPR Individual Data Breach

In the event of a data breach, you must notify the ICO within 72 hours of becoming aware of the incident. Failure to report the breach to the ICO right away may cause you to face harsh penalties of up to £8.7 million or 2% of your global turnover if the breach escalates.

Keeping a record of any potential breaches is absolutely essential. Collect all documentation surrounding the breach so that a thorough investigation may be conducted by an appointed ICO officer. Always back up all of your data to prevent data loss; this can save you from thousands or even millions of dollars in penalties and other financial damages.

A few helpful tips in preventing data loss:

  • Implement a secured Corporate VPN to keep your perimeters and network security safe from outside threats.
  • Back up all of your data
  • Create a disaster recovery plan for emergency situations
  • Grant user-based permissions or roles and enforce a Zero Trust least privilege access policy framework across your organization

How Does GDPR Affect Businesses

The rules and regulations of GDPR are constantly changing. Businesses will now have to comply with strict GDPR regulations or face severe penalties with fines reaching as high as €10 million for failure to comply.

Businesses of all sectors and industries dealing with private client data must adhere to GDPR and appoint a data protection officer (DPO) to enforce the rules in order to prevent hefty penalties. 

Organizations must be extremely cautious when dealing with confidential information. Be transparent with your customers and let them know what type of data you will be collecting. Some common examples of personal data collection include: 

  • Name
  • Email
  • Location
  • Browser history
  • IP address

All transmission of data should be fully encrypted. Avoid the collection of highly sensitive information such as race, sexuality, and political beliefs.

Always make sure you have all of the details written in your Privacy Policy and be clear regarding what details you will be using and for what purposes.

Explaining GDPR To Employees

Under the GDPR, employee data privacy works the same way as for the general public. Employee rights under GDPR are the same rights as any other individual has, and the same principles apply as when collecting customers’ information.

Employees must be informed that the data collected is minimized and relevant. Companies are only allowed to process what is required and no more. No unnecessary data is to be processed without the individual’s consent or a lawful reason. Inform employees that this data handling is in line with legal regulations that they have agreed to adhere to.

Start with the basics: securing employee passwords. GDPR password protection is crucial in preventing phishing attacks, since almost 20% of all employees are likely to click on a phishing email link.

  • Ensure that passwords are different, include numbers, symbols, lower and upper case letters and exceed 15 characters at the minimum. 
  • Provide efficient GDPR training for all employees. Set and define clear goals with your entire team and keep staff engaged through continuing education such as online courses. 
  • Make GDPR fun by using gamification techniques. Create interactive gaming models that will encourage staff and award leaders. Learning the rules and regulations of GDPR does not have to be so one dimensional after all.

GDPR Requirements for Websites

Some people may think that the GDPR privacy policy doesn’t affect them because they don’t live in the EU or its member states. However, if you operate a website that caters to EU customers, then this will affect you. A few helpful tips for keeping your website GDPR compliant:

  • Cookies – Obtain clear consent when using cookies. Indicate the type of data you will be tracking (first-party cookies, third-party cookies). There should be a clear opt-in box detailing the explanation and use of cookies as stated in the Cookie Law. 
  • Plugins – Ensure that all plugins are GDPR compliant. This is important for all WordPress users. Although WordPress is GDPR compliant (from version 4.9.6), it is your responsibility to ensure that each plugin can provide and delete the user data it collects.
  • Mailing Lists – It’s a good idea to clean your mailing list every six months to remove unengaged subscribers and emails that no longer exist. Email lists decline on average up to 30% each year due to poor email hygiene. Check your email database and begin a thorough cleanse. It’s also highly recommended to create double opt-ins so that users receive an extra email confirming their subscription.

It’s important to take precautions to avoid any costly penalties associated with GDPR compliance rules and regulations.

Facebook GDPR Policy

The Facebook GDPR states that the organization is committed to transparency, providing individuals with personal data protection, and being accountable for protecting that data from identity theft and other types of malicious intent.

To be in compliance with European privacy regulations, social media platforms must keep all the data they collect on users in the EU under strict monitoring of data-sharing with outside parties.

GDPR for Cloud Service Providers

The GDPR requirements for cloud providers increase security and make service providers accountable for mistakes. Cloud computing makes processing data easier and faster due to advanced technology.

However, service providers are required to adopt GDPR cloud security principles in data collection and storage, just like any other type of business.

Google Cloud Services GDPR

Google takes GDPR compliance very seriously. Services like Google Cloud are customer-focused tools that aim to provide secure data protection with complete transparency.

Google Workspace and Data Processing and Security Terms apply to Google Cloud. You can view the full Google Cloud & the General Data Protection Regulation (GDPR) documentation here.

Amazon AWS GDPR Compliance

Amazon and its service providers are in compliance with the GDPR regulations. In addition to their own compliance, they are offering to help their customers with GDPR compliance for their own businesses through additional services and resources.

Something important to note regarding AWS GDPR compliance: according to Amazon, “AWS customers can continue to use AWS services to transfer customer data from the EEA to non-EEA countries that have not received an adequacy decision from the European Commission (including the United States) in compliance with the GDPR.”

AWS has over 500 features and services that meet all security regulations. Have a look at the full documentation and FAQ section surrounding AWS GDPR compliance so you can stay on top of all current GDPR regulations.

Microsoft Azure GDPR Compliance

Software giant Microsoft is another company that has adopted the GDPR compliance regulations. Azure users will want to check out the Azure Data Subject Requests for the GDPR and CCPA, which explains the various GDPR requirements for all Microsoft products.

Crucial information on GDPR for Office on-premises servers can be found there as well, which is important for securing your remote workforce. Microsoft outlines to its customers the services it offers that are in compliance with the European data protection law.

Salesforce GDPR Implementation

The World’s #1 CRM is another major company that is in compliance with the new data privacy regulations. They have created a resource to help customers understand the GDPR rules and how Salesforce is implementing the new policy.

One great thing about Salesforce is Trailhead which simplifies the online learning process. You can also learn how to Implement a GDPR Compliance Program in Trailhead to remain GDPR compliant and up to date.

GDPR Email Marketing

There are 6 lawful bases listed in Article 6 that allow processing personal data. The first on this list is consent. You must have permission from the individual to collect and store their personal information. That consent must be freely given, and special rules apply to children under the age of 13, who can only give consent with their parent’s permission.

What is the impact of GDPR on email marketing? Email marketing is, and always will be, a way for businesses to remain in contact with customers and potential customers and market to them. This will not change. Only the policies regarding information and how it is stored changes.

Basically, the GDPR privacy policy states that you need to have consent from the individual whose data you are collecting, be very clear about what it will be used for, and keep accurate documentation of the consent that was given for its use. 

And if, in the future, the individual no longer wants to have their data on file, they have the right to ask for it to be removed [erased or deleted]. If there is no legitimate reason to keep it, companies must grant that request.

Many types of businesses collect a visitor’s personal data for an email list. This requires getting their consent to have their information stored in a database for future marketing campaigns. The GDPR email rules apply to personal and business work email addresses. Therefore, it applies to B2B, as well as B2C marketing.

How does GDPR affect businesses when it comes to email marketing? The GDPR does not ban or limit email marketing in any way. It just sets clear guidelines for fair and practical use. 

GDPR clarifies the meaning of consent, requires organizations to ask for permission to send marketing emails, and makes it easy for people to change their minds and opt-out when they no longer wish to be contacted.

GDPR email campaigns require consent from the individual receiving communications. A violation of the GDPR would be sending a marketing email to an individual who did not sign up for the mailing list, that promotes a service outside of what the user subscribed to, or that does not include the ability to “unsubscribe” from future mailings.

HubSpot GDPR Compliance

Over 100,000 customers use HubSpot on a daily basis. HubSpot is very transparent regarding data collection and has a lot of helpful guides surrounding GDPR compliance.

HubSpot admins can turn on GDPR functionality which will then set the cookie consent banner on by default and unsubscribe links on by default as well. Their GDPR Compliance Checklist is very helpful for any organization.

GDPR Compliance Checklist

The GDPR is often referred to as the most significant data privacy regulation in 20 years, which is a big improvement over previous data protection directives. This new regulation aims to change how organizations handle personal data and allow consumers to control their own data processing. 

To be in compliance, the GDPR requires companies to:

  • Have a legal justification for your data processing activities
  • Create a security policy framework and provide proper training and education to team members about data security and privacy laws
  • Delegate responsibilities to a trusted team member or appoint a security officer to ensure GDPR compliance across your organization
  • Be transparent with your customers and their data

GDPR Summary

The GDPR requirements are basically new privacy laws that give EU citizens increased personal data protection. It is meant to protect citizens from having their data stolen in the age of modern identity theft.

The regulations took effect in May 2018, a full two years after being created.  In January 2021, the number of data breaches in the EU totaled 77,000. The information presented here will help companies know how to get compliant with GDPR.

Since the GDPR has been in effect, the occurrence of data breaches has decreased in the EU. GDPR compliance is mandatory for all businesses operating in the European Union, and websites with EU visitors.

The site visitor must authorize the collection of their data by clicking on a button agreeing to their information being collected and stored, such as opting into a mailing list or requesting a free guide.

Accelerate GDPR Compliance with Perimeter 81

Perimeter 81 focuses on maintaining the highest GDPR data privacy standards for customers and employees. We understand that each company is built differently.

Regardless if you’re an SMB or a large-scale enterprise, we take GDPR cloud security to the next level. We will address your data protection concerns and help implement best practices that align with GDPR guidelines for compliance and increased cyber security. Streamline GDPR Compliance with Perimeter 81.

GDPR Compliance FAQs

What does GDPR mean in simple terms?

GDPR stands for General Data Protection Regulation. It is a data privacy law that all companies in the European Union must comply with when processing personal information.

What are the basic rules of GDPR?

- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object

What is needed for GDPR compliance?

- Personal Data Protection Policy
- Privacy Notice
- Employee Privacy Notice
- Data Retention Policy
- Data Retention Schedule
- Data Subject Consent Form
- Data Breach Register
- Data Breach Notification Form to Data Subjects
- Standard Contractual Clauses for the Transfer of Personal Data to Processors

What are the 7 principles of GDPR?

- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability

How do I comply with GDPR?

- Document all data
- Evaluate your current data governance practices and policies
- Check consent procedures
- Assign a data protection officer (DPO) to monitor and audit all data processing and activities
- Develop a framework of policies and procedures

What is a GDPR checklist?

- Have a legal justification for your data processing activities
- Create a security policy framework and provide proper training and education to team members about data security and privacy laws
- Delegate responsibilities to a trusted team member or appoint a security officer to ensure GDPR compliance across your organization
- Be transparent with your customers and their data

Looking to streamline GDPR Compliance?

Become GDPR Confident with Perimeter 81. Learn how.