GDPR compliance means an organization that falls within the scope of the GDPR meets the requirements for properly handling personal data.
Robb Taylor-Hiscock
Privacy Content Lead, CIPP/E, CIPM
April 16, 2021
At its core, GDPR compliance means an organization that falls within the scope of the General Data Protection Regulation (GDPR) meets the requirements for properly handling personal data as defined in the law.
The GDPR outlines certain obligations organizations must follow which limit how personal data can be used. It also defines eight data subject rights that guarantee specific entitlements for individual’s personal data. Ultimately giving individuals more autonomy over their personal information and how it is used.
The GDPR is the strongest global privacy law in effect today. Created by the European Union (EU) to regulate how organizations collect, handle, and protect personal data of EU residents. The GDPR took effect on May 25, 2018, and is a binding regulation written directly into Member States’ laws. It is designed to strengthen privacy rights by giving data subjects control of how their personal data is obtained, used, and shared.
The GDPR set out with three main goals in mind:
Let’s define some of the basic terminology of the GDPR before we dig into the details.
To decide whether you are covered under the GDPR, you need to consider both the ‘material scope’ (i.e., whether your processing activity is regulated by the GDPR) and the ‘territorial scope’ (i.e., whether you are in a jurisdiction where the GDPR applies).
US organizations may fall within the scope of the GDPR. To determine whether or not your organization must comply, the same analysis must be applied by looking at the material and territorial scope of the law outlined below. In short, if your organization processes (i.e., collects, records, structures, stores, alters, uses, discloses, erases, etc.) personal information of someone residing in the EU for the exchange of goods or services or for the purposes of monitoring the behavior of EU-citizens, then you likely fall within the scope of the GDPR.
The GDPR applies to the processing of personal data carried out wholly or partly by automated means. It also applies to the processing that does not use automated means but forms part of a filing system or is intended to form part of a filing system. This covers most activities that organizations do with data, including collecting, recording, storing, accessing or viewing, using, analyzing, combining, disclosing or deleting personal data.
The GDPR applies to the processing of personal data by a controller, or a processor established in the EU, regardless of whether the processing takes place in the EU.
It also has an extraterritorial application for a controller or a processor, which is not established in the EU, if the controller or the processor offers goods or services to data subjects in the EU or monitors data subjects’ behavior taking place in the EU. For example, the GDPR applies to a US online shopping website which attracts and offers goods to customers in the EU. The offering of goods and services could be complimentary, free of charge. This could cover foreign government agencies or non-profit organizations. For example, the GDPR applies to a travel information page run by a US State government that collects personal information such as IP addresses while the site visitors from EU access the free travel information.
The GDPR outlines eight fundamental data subject rights, plus the right to withdraw consent. Let’s take a closer look at these rights:
Now that we understand the basics, let’s jump into the steps your organization can take to meet GDPR compliance. GDPR compliance can look a bit different depending on your organization, but there are specific steps any organization can take now to create a GDPR compliant privacy program:
Let’s take a deeper look at each step.
The GDPR sets out seven key principles which should be at the core of your approach for personal data processing:
The GDPR requires implementation of appropriate technical and organizational measures to implement the data protection principles effectively and safeguard data subject rights. This is called ‘data protection by design and by default’. This means you have to integrate data protection into your processing activities and business practices from the design stage across the entire data processing lifecycle.
GDPR Articles:
The GDPR requires organizations to keep records of their processing activities and ensure such records are always up to date. Data mapping describes the operational process to generate a central inventory of the organization’s data flows and keeping it up to date.
Although the GDPR does not specifically mention data mapping, it does require both controllers and processors (B2B and B2C) to maintain an inventory of processing activities. GDPR Article 30 is extremely specific in its requirements, so even if an organization has previously performed data mapping, it will need to be updated or redone to meet the GDPR requirements.
GDPR Articles:
The GDPR requires controllers to conduct a Data Protection Impact Assessment (DPIA) where processing operations are likely to result in a high risk to individuals. Many details within the GDPR make this more involved than a standard questionnaire; for example, requiring a Data Protection Officer (DPO) involvement in specific workflows, tracking mitigation activities, documenting risk in terms of harm to the individual, data subject consultations, etc.
In addition, organizations in practice implement a lightweight screening questionnaire to analyze risk and then determine if a full DPIA is needed. These workflow and documentation requirements, as well as the user experience and integration expectations of the business users, require purpose-built tools to operationalize the GDPR.
Operationalized properly, the DPIA can be an effective approach to meeting the Data Protection by Design and Default requirement.
GDPR Articles:
The GDPR sets a higher standard for organizations processing data based on consent. For example, consent needs to be: specific, clear and in plain language, not buried in legal notices, not grouped with multiple notices, easy to withdraw, etc. In addition, organizations need to be able to demonstrate consent was received in granular ways.
GDPR Articles:
Under the ePrivacy Directive, organizations must tell people if they are using cookies, and explain what the cookies do and why. User’s consent must be obtained in a process that allows the organization to demonstrate that the consent was actively and clearly given. The users also need to be informed about the different functions of the cookies used on the website, as well as the identity of organizations that deploy the cookies and use the data collected through them. There is an exception for cookies that are essential to provide an online service at the individual’s request, for example, to remember what’s in their online basket, or to ensure security in online banking. The same rules apply if other types of technologies are used to store or gain access to information on someone’s device (for example SDKs for mobile apps).
The ePrivacy Directive requirements apply no matter whether the cookies are processing anonymous or personal data. Even where the cookie data is anonymous, the user consent for collecting them needs to meet the GDPR standards. If the cookie data is not anonymous, the organization will also need to comply with additional GDPR rules for personal data protection, such as conducting a DPIA and recording such processing activity in their records of processing.
The GDPR has influenced the drafting of ePrivacy Regulation that will replace the current ePrivacy Directive and align even closer with the GDPR. Organizations will be facing increased penalties and more focused regulatory action under the Draft ePrivacy Regulation.
GDPR Articles:
The GDPR gives data subjects specific rights, such as: data portability, access, erasure or “right to be forgotten”, rectification, and more. Additionally, there are specific record keeping requirements around the time to respond, the ability to request an extension, the requirement to validate the identity, securely transmitting the response to the individual, to name a few. Having an automated portal that can help intake and triage these requests is a vital step in managing, tracking, and reporting on your DSAR requests.
GDPR Articles:
The GDPR holds the controller responsible for actions or breaches by the processor. It is critical to analyze processor data transfers and contractual obligations with the same level of diligence as internal processing activities to have a defensible posture in the unfortunate event that a processor has a breach. In addition, it allows organizations to quickly understand what data was impacted in that breach.
GDPR Articles:
The GDPR includes strict 72-hour notification requirements to the supervisory authority and, when a data breach is likely to cause a high risk to the rights and freedoms of natural persons, an additional notification to the data subjects. It’s critical for organizations to have a systematic process in place to meet these requirements.
GDPR Articles:
The GDPR requires the same level of protection for personal data transferred outside of the EEA. This requires organizations to review and ensure that they have appropriate mechanisms in place for cross border data transfer.
The first thing to consider when transferring personal data to a third country is if there is an ‘adequacy decision’. An adequacy decision means that the European Commission has decided that a third country or an international organization ensures an adequate level of data protection. However, this decision is subject to review by the Commission and can be reverted (e.g., EU-US Privacy Shield). Another example is the European Commission granting the UK two adequacy decisions following Brexit.
In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor has provided ‘appropriate safeguards.’ The most commonly used safeguard is the ‘Standard Contractual Clauses’ (SCCs), which set obligations on the data exporter and the data importer and provide rights for the data subjects.
Data transfer is still possible if there is no adequacy decision or appropriate safeguards. In this scenario, organizations can rely on a derogation, such as explicit consent from the data subject or the transfer is necessary for the performance of a contract. However, this is not recommended, since without appropriate safeguards, there are more risks of a data breach.
GDPR Articles:
The GDPR requires a data protection officer to monitor an organization’s compliance with the GDPR, which includes raising awareness and training staff. Organizations should provide their staff with initial and refresher trainings. There should also be a mechanism in place to keep records of the trainings for showing compliance.
GDPR Articles:
The GDPR requires an organization to appoint a data protection officer (DPO) if it is a public authority or body, or if the organization’s core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.
The DPO is responsible for ensuring GDPR compliance. They assist the organization to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the data protection authorities.
GDPR Articles:
OneTrust Privacy Automation gives you the tools you need to build a holistic GDPR compliance program. With OneTrust’s Privacy Automation solution you can:
Request a demo to learn more about how OneTrust Privacy Automation can help you build a GDPR compliance program.
Webinar
Join this webinar to hear from a panel of expert privacy professionals as they dissect the key happenings in 2024 and how privacy professionals can approach what may occur in 2025.
Webinar
Join OneTrust and PA Consulting as we dive deeper into the key takeaways from the IAPP Europe Data Protection Congress 2024. Our speakers will provide actionable insights from the event on the latest developments in data protection, privacy, and AI.
Infographic
Navigating GDPR compliance can feel daunting, especially for businesses with limited resources. This quick infographic guide of actionable “dos” and “don’ts” will help you develop the foundation of a broader privacy-first approach that keeps you aligned with your GDPR compliance goals.
eBook
Learn how to simplify GDPR consent management, stay compliant, and build trust with your audience. Download this practical guide for marketers.
eBook
This comprehensive eBook explores the key elements of a GDPR compliance program.
eBook
In the ebook, we delve into the fallout from Schrems II and explore how organizations based in Europe can best navigate international data transfers under the GDPR.
Webinar
Join our panel of experts as we celebrate GDPR Anniversary and take a closer look at the relationship between the GDPR and AI Act.
Webinar
Join our webinar for a comprehensive overview of the latest global data privacy regulations and updates impacting businesses in 2024 and how to prepare.
Infographic
Learn how OneTrust and Europrivacy's partnership can help your organization achieve GDPR compliance and build trust with your customers.
Webinar
Join our webinar to learn more about the European Data Protection Seal and to find out what the key advantages of getting certified.
Webinar
Join OneTrust and KPMG UK to discuss the challenges of employee SARs, managing your breach response with third parties, and incident management.
Infographic
Download our free infographic and get the information you need to understand the EU Data Boundary and how to properly handle data in the European Union.
Webinar
Join OneTrust and PA Consulting as we discuss what makes an effective PIA, best practices, and the benefits of automation.
Webinar
Join OneTrust and panelists from PA Consulting and Syngenta as we explore practical ways to build an effective data mapping program, best practices, and the need for automation.
Webinar
Join our expert webinar as we discuss the upcoming UK-US DPF Extension and what UK businesses need to prepare to become DPF-certified.
Webinar
In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.
Infographic
Download our infographic and learn about the 3 priorities of the French DPO.
Webinar
Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance.
Webinar
Join our panel of experts as we discuss the impact GDPR had on the tech industry during the past five years, the importance of privacy by design, and what to expect with AI and regulation.
Webinar
Eastern European panel - Watch our webinar as we look back on 5 years of the GDPR, AI, and their impact on Europe, the world, and your organization.
Webinar
In this live webinar, our expert panel examines the first five years of the GDPR, how it changed the healthcare industry, and the changing global regulatory landscape.
Webinar
Join us for a live panel as we discuss GDPR's impact on the retail and eCommerce industry and how companies evolved to meet the global regulatory landscape.
eBook
This eBook covers the fundamental information you need to know in order to get your GDPR compliance program started and how OneTrust helps.
Infographic
Download our infographic to see how the Revised FADP compares with its original version and the GDPR.
Webinar
How has the GDPR affected the financial industry? Join our live panel as we examine how it companies evolved to meet the regulatory challenges and what can be done to stay ahead of the curve.
Webinar
OneTrust's Center of Excellence and Deloitte UK will discuss data transfers and GDPR compliance, covering the UK stance, ICO/EDBP guidance, and more.
eBook
French DPOs should take three priorities into account when building their data protection and compliance programs and processes in 2023.
Webinar
This session will examine some key issues and recent developments on international data transfers with contributions from key EU, UK, and US regulators.
Webinar
Belgian DPA approves IAB Europe’s action plan to correct its Transparency & Consent Framework (TCF) violations of the GDPR.
Webinar
Learn more about the privacy updates for the UK and the EU, what to expect in the coming year, and how to manage regulatory change.
Webinar
Join this webinar to learn how to review your whistleblowing processes to comply with the EU Whistleblower Protection Directive, the GDPR and others.
Webinar
Watch our webinar on the last 4 years of GDPR compliance and trends for the future.
Webinar
As part of our Privacy Automation webinar series, we discuss why it's important to automate DSAR fulfillment and the latest regulatory trends.
Webinar
Watch this free webinar and see how the CCPA and CPRA compare with the GDPR.
Checklist
This Transfer Impact Assessment checklist provides an overview of the key steps you can take as you perform a TIA.
Infographic
Download our GDPR's 8 Fundamental Data Subject Rights infographic and learn more about the individual rights guaranteed under the EU's major privacy law.
eBook
Download this eBook to get an ultimate guide to understanding the GDPR and implementing steps towards compliance.
eBook
Download this eBook and learn how to leverage data mapping for your GDPR Article 30 compliance program.
White Paper
Unlock the full potential of your privacy program with our complete handbook designed to equip privacy professionals with the essential tools and knowledge for establishing robust PIA and DPIA processes.
Checklist
Download our GDPR compliance checklist for recommendations on improving your organization's privacy program.
Webinar
Join our webinar to learn the benefits of automating your PIAs and DPIAs using the OneTrust platform