The European Union's General Data Protection Regulation (GDPR), implemented in 2018, represents a significant advancement in personal data security. This comprehensive legislation emerged in response to growing concerns about data breaches and privacy violations, establishing robust protections for individuals' digital information.
GDPR functions as a regulatory framework that safeguards personal information, encompassing everything from basic identifiers like names and email addresses to sophisticated tracking data from online activities. The legislation mandates strict protocols for data handling, requiring organizations to implement comprehensive security measures and maintain transparent data processing practices.
A notable aspect of GDPR is its extraterritorial reach. While originating in the European Union, its jurisdiction extends to any organization worldwide that processes EU residents' data. For instance, a U.S.-based e-commerce platform serving European customers must align its data handling practices with GDPR requirements, regardless of its physical location.
GDPR has fundamentally transformed organizational approaches to data management. Companies must now:
The regulation empowers individuals with unprecedented control over their personal data security. They may exercise various rights, including:
Organizations face substantial financial penalties for non-compliance, with fines potentially reaching millions of euros. This enforcement mechanism has elevated data protection to a board-level priority, fostering a culture of privacy and security across industries.
The implementation of GDPR has established new standards for data protection, encouraging organizations to prioritize privacy and security while building lasting trust with their stakeholders through transparent data management practices.
GDPR is more than just a legal framework—it's a blueprint for how organizations should handle and protect personal data. Here’s how you can make implementing personal data security measures super-easy:
Only collect the data you actually need. Excessive data collection increases risk. For example, when developing a mobile app, avoid asking for unnecessary permissions if they are not required for app functionality.
One of the first things we need to do as part of this GDPR checklist is to ensure that, as an organization, you place data governance at the center of everything you do. Compliance has to be a serious focus for companies. Internally, within the organization, it is important to create and increase awareness of data privacy issues and create a mindset where every employee feels responsible. The key thing here is to be proactive rather than reactive.
| Actions | Description | Applicable Articles of GDPR |
|---|---|---|
| Record keeping | Maintain records of the controller and Data Protection Officer (if applicable). Maintain categories of data and logs of transfers. Wherever possible, add descriptions of the measures taken to ensure security. | Article 30 |
| Data Protection Officer (DPO) | Establish whether the company is required to have a DPO. If it is not, you may appoint a voluntary DPO. The DPO's contact details must be notified to the regulatory authority and published to the public. | Article 37 |
| Employee Training | Employees who handle the personal data of either customers or other employees must be trained to handle it according to GDPR principles. | Article 5 |
| Policies and Procedures | There is a list that covers different policies and procedures. There is no fixed way to handle this, but it should be done according to what is applicable to your business. Some of the items on the list are: | Article 5 |
Privacy notices are crucial in meeting GDPR requirements because they provide the required transparency. They should be clear, concise, and informative so that employees and customers know about all data processing activities. Adhering to the guidelines outlined in Articles 14 and 15 of GDPR is essential for all organizations, especially those that operate websites.
| Actions | Description | Applicable Articles of GDPR |
|---|---|---|
| Issue notices at the right time | Notices must be given at the time that the data is obtained from the data subject or, if the data was received from a third party, within a reasonable period after obtaining the data and at the latest within one month. | Articles 12-14 |
| Be complete and concise | Notices must be complete and provide all the required information, such as the identity of the controller, purpose of processing, duration, consent, right to withdraw consent, etc. | Articles 12-14 |
| Easy to understand and comprehend | The format of the notice should be easy to read, handle and understand. | Articles 12-14 |
The fair processing category means that the conditions of processing must be met in order to lawfully process personal data. This category is similar to the processing rules in the current Data Privacy Directive, except for a few new requirements.
| Actions | Description | Applicable Articles of GDPR |
|---|---|---|
| Establish a legal basis for processing all the personal data that you hold | As a business, you need to be able to provide evidence that you have a legal basis to own and process the personal data that you hold. Consent from the data subject, the legal obligation of the controller, and special care where the data is that of a child are necessary. | Articles 5, 6, 7, 9, 10, 85 to 91 |
| Profiling | A few questions to answer here: (a) Does your company carry out profiling on employees or customers? (b) If so, does this profiling result in making a decision about the individual which would have a significant legal effect or similar on that individual, e.g. refusal of credit or refusal for an interview? (c) If the answer to (b) is yes, does your company have the consent of the individuals to this profiling? | Articles 5, 6, 7, 9, 10, 85 to 91 |
| Children | If your business processes the personal data of children, then consider the language used for privacy notices and plan out how to obtain valid consent from parents/guardians. | Articles 5, 6, 7, 9, 10, 85 to 91 |
Existing data subject rights let individuals request access to their data, have it rectified, or have it deleted. GDPR goes further: besides the right to access data, the subject can receive it in a machine-readable format, a right known as data portability.
| Actions | Description | Applicable Articles of GDPR |
|---|---|---|
| Data subject access right | As a company, are your employees or customers able to get access to the personal data your company processes about them? Do you have employees trained to respond to such requests within the stipulated timeframe of 1 month? | Article 15 |
| Processes to allow subjects to exercise their rights | This checks whether, as a company, you have the technology and processes in place to allow data subjects to exercise their rights: the right to erasure, data portability, restriction of processing, and the right to object. | Articles 16-21 |
One of the significant objectives of GDPR is to bring privacy considerations to the forefront of every organization. The GDPR requires data protection requirements to be considered whenever new technologies are designed or onboarded, or new projects using data are planned. Assess the impact on privacy as you onboard each new project.
| Actions | Description | Applicable Articles of GDPR |
|---|---|---|
| Privacy by design | The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures in an effective manner. The controller is responsible for integrating the necessary safeguards into the processing in order to meet the requirements of this regulation and protect the rights of data subjects. | Article 25 |
| Privacy by default | The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. | Article 25 |
Under the GDPR's International Data Export rule, companies are permitted to export data within their group and third-party vendors outside the European Economic Area (EEA) if the country in which the recipient of such data is established offers an adequate level of protection.
| Actions | Description | Applicable Articles of GDPR |
|---|---|---|
| Group companies or third-party vendors | If you use group companies or third-party vendors to process data, there must be a written contract with each one of them validating that they meet the expectations set out in Article 28. | Article 28 |
| Transferring data out of the EEA | If you are exporting data outside the EEA, you need to follow an approved transfer mechanism, which includes one of the following: (a) a country that has a finding of adequacy from the European Commission; (b) if the transfer is within the company group, binding corporate rules; (c) standard contractual clauses as approved by the European Commission; (d) if the transfer is to the US, the Privacy Shield; (e) the consent of the data subject; (f) the transfer is necessary to carry out a contract with the data subject; (g) the transfer is in the public interest; (h) the transfer is necessary to establish, exercise, or defend legal rights; (i) the transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent. | Articles 44-49 |
| Actions | Description | Applicable Articles of GDPR |
|---|---|---|
| Appropriate security measures for personal data | Security has to be appropriate to the likely risks to individuals if data were lost, stolen, or disclosed to unauthorized people. Note that security covers both organizational and technical measures. Some factors to consider are: • Pseudonymisation • Encryption • Ensuring ongoing integrity, confidentiality, availability, and resiliency • The ability to restore in a timely manner • Processes for testing security | Article 32 |
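The Article 32 row lists pseudonymisation first, and GDPR's definition of the term (Article 4(5)) hinges on one design choice: the data can no longer be attributed to a person without additional information, and that additional information is kept separately. The following Python example is added here to show what that looks like in code; it is not code from the original article or from any named project. The key value, the order records and the in-memory store are all constructed for the example, and a real deployment would keep the key in a secrets manager and the re-identification mapping in a separately controlled database.

```python
"""Pseudonymising customer records with a keyed token (added example).

Constructed example: the key, the records and the store are all made up.
Direct identifiers are swapped for an HMAC token so analytics data still
links records of the same person, while the token cannot be turned back
into an e-mail address without the key and the separately kept mapping.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

# Assumed: the real key is fetched from a secrets manager at runtime.
PSEUDONYM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
DIRECT_IDENTIFIERS = ("email", "name", "phone")


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token for one direct identifier.

    Normalising case and whitespace keeps 'Ana@Example.org' and
    'ana@example.org' on the same token; the key is what stops anyone
    without it from recomputing tokens for addresses they already know.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: Dict[str, object], key: bytes = PSEUDONYM_KEY) -> Dict[str, object]:
    """Copy of `record` with direct identifiers removed and a subject token added."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = pseudonym(str(record["email"]), key)
    return out


class ReidentificationStore:
    """The 'additional information' kept apart from the analytics data.

    Only the process that answers access or erasure requests needs it; the
    analytics pipeline never reads it. In production this would be a separate
    database with its own access controls (assumption of this example).
    """

    def __init__(self) -> None:
        self._token_to_email: Dict[str, str] = {}

    def register(self, email: str, key: bytes = PSEUDONYM_KEY) -> str:
        token = pseudonym(email, key)
        self._token_to_email[token] = email.strip().lower()
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._token_to_email.get(token)

    def forget(self, token: str) -> bool:
        """Dropping the mapping leaves the analytics rows without a way back to the person."""
        return self._token_to_email.pop(token, None) is not None


def split_records(records: List[Dict[str, object]], store: ReidentificationStore) -> List[Dict[str, object]]:
    """Register each record's identity in the store and return the analytics copies."""
    analytics = []
    for r in records:
        store.register(str(r["email"]))
        analytics.append(pseudonymise(r))
    return analytics


# Constructed sample orders; no real people.
SAMPLE_ORDERS = [
    {"order_id": 1001, "email": "Ana@Example.org", "name": "Ana", "phone": "+00 000 0001", "amount_eur": 42.0},
    {"order_id": 1002, "email": "ana@example.org", "name": "Ana", "phone": "+00 000 0001", "amount_eur": 18.5},
    {"order_id": 1003, "email": "bo@example.org", "name": "Bo", "phone": "+00 000 0002", "amount_eur": 7.0},
]


def spend_per_subject(analytics: List[Dict[str, object]]) -> Dict[str, float]:
    """Analytics that works on tokens alone: total spend per pseudonymous subject."""
    totals: Dict[str, float] = {}
    for row in analytics:
        token = str(row["subject_token"])
        totals[token] = totals.get(token, 0.0) + float(row["amount_eur"])
    return totals


if __name__ == "__main__":
    store = ReidentificationStore()
    rows = split_records(SAMPLE_ORDERS, store)
    for token, total in spend_per_subject(rows).items():
        print(token[:12], total, store.resolve(token))
```

The security property comes from the separation, not from the hash: whoever holds both the key and the store can re-identify every row, so the store's access list should be the short list of people handling subject requests, and rotating the key means re-registering every subject.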
A data breach notification rule is part of the new GDPR data protection compliance checklist. The process requires organizations to act quickly, mitigate losses, and, where mandatory notification thresholds are met, notify regulators and affected data subjects.
| Actions | Description | Applicable Articles of GDPR |
|---|---|---|
| Mandatory notification | Do you have the necessary procedures in place to report a breach within 72 hours of becoming aware of it? The breach has to be investigated, details provided to the regulator, and mitigations taken to address it. | Article 33 |
| Notification to affected individuals | If the breach is likely to result in a high risk to individuals' rights and freedoms, the company must notify them. Only if the data is encrypted or otherwise unintelligible will individuals not need to be notified. | Article 34 |
For a developer building apps that fall under EU jurisdiction, it is necessary to understand how and where the requirements of GDPR apply. A developer should also know which functionality and features must be introduced into existing systems to ensure GDPR compliance. The four major aspects of GDPR are as follows:
Data flow mapping records how data moves across the organization. GDPR requires businesses to keep a thorough record of where and how data is collected from users and within the organization, how the data is processed, and who can access that data and from where.
GDPR requires developers to introduce features in their applications that explicitly ask users for their permission to collect and process their sensitive information. Organizations are also required to inform users of the amount of information collected and the manner in which the information is used.
GDPR focuses on empowering users to protect their privacy. The users of any mobile app can ask for any information related to the data they generate, and the app owners must grant users access to that data within 30 days of the request. Developers must plan in advance how they are going to report such data to users when a request arrives.
In the 2018 version of the GDPR, users have been granted the right to ask the app developers to delete any personally identifiable information or data about them. Such a demand, however, can become challenging for app developers. E-commerce apps and similar businesses generally require user data for auditing purposes, so a request for data deletion can be tricky. Nonetheless, to comply with GDPR they are required to do so, or to find another legal route.
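The four aspects above, together with the privacy-by-default row of the Article 25 table, describe features rather than policy: a record of which purpose each stored field serves, per-purpose consent that can be withdrawn, export of everything held about a person in a machine-readable form, and erasure that still leaves the business its accounting records. The Python example below is added here to show one way to build those into an app backend; it is not code from the original article or from any named project. The purposes, field names, sample user and in-memory store are assumptions for the example; the 30-day access deadline is the figure given in the text.

```python
"""Consent, access/export and erasure handling for an app backend (added example).

Constructed example: the purposes, field names, sample user and store are
made up. A purpose map says which fields each purpose needs, so a field is
kept only while some consented purpose asks for it; export returns everything
held about a subject; erasure removes the profile and detaches order records
from the person while keeping the amounts the business needs for its accounts.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Assumed purposes and the fields each one needs (this doubles as the data-flow record).
PURPOSE_FIELDS: Dict[str, List[str]] = {
    "order_fulfilment": ["email", "shipping_address"],
    "marketing": ["email", "browsing_history"],
}
ACCESS_REQUEST_DEADLINE = timedelta(days=30)  # the 30 days quoted in the text
EXAMPLE_NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp


class SubjectStore:
    """In-memory stand-in for the app's database (assumption of this example)."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Dict[str, str]] = {}
        self.consents: Dict[str, Dict[str, str]] = {}   # user -> purpose -> ISO timestamp
        self.orders: List[Dict[str, object]] = []
        self.requests: List[Dict[str, str]] = []        # log of access requests and due dates

    def record_consent(self, user_id: str, purpose: str, when: datetime) -> None:
        """Consent is per purpose and timestamped so it can be evidenced and withdrawn."""
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        self.consents.setdefault(user_id, {})[purpose] = when.isoformat()

    def withdraw_consent(self, user_id: str, purpose: str) -> None:
        """Remove the consent and drop any field no remaining purpose needs."""
        self.consents.get(user_id, {}).pop(purpose, None)
        if user_id in self.profiles:
            self.profiles[user_id] = self._minimise(user_id, self.profiles[user_id])

    def has_consent(self, user_id: str, purpose: str) -> bool:
        return purpose in self.consents.get(user_id, {})

    def _allowed_fields(self, user_id: str) -> Set[str]:
        allowed: Set[str] = set()
        for purpose in self.consents.get(user_id, {}):
            allowed.update(PURPOSE_FIELDS[purpose])
        return allowed

    def _minimise(self, user_id: str, submitted: Dict[str, str]) -> Dict[str, str]:
        allowed = self._allowed_fields(user_id)
        return {k: v for k, v in submitted.items() if k in allowed}

    def store_profile(self, user_id: str, submitted: Dict[str, str]) -> List[str]:
        """Privacy by default: keep only fields a consented purpose needs; return the names dropped."""
        kept = self._minimise(user_id, submitted)
        self.profiles[user_id] = kept
        return sorted(set(submitted) - set(kept))

    def place_order(self, user_id: str, amount_eur: float, when: datetime) -> None:
        self.orders.append({"user_id": user_id, "amount_eur": amount_eur, "placed_at": when.isoformat()})

    def open_access_request(self, user_id: str, received: datetime) -> datetime:
        """Log the request and return the date by which it must be answered."""
        due = received + ACCESS_REQUEST_DEADLINE
        self.requests.append({"user_id": user_id, "received": received.isoformat(), "due": due.isoformat()})
        return due

    def export(self, user_id: str) -> Dict[str, object]:
        """Everything held about the subject, as plain data structures."""
        return {
            "profile": self.profiles.get(user_id, {}),
            "consents": self.consents.get(user_id, {}),
            "orders": [o for o in self.orders if o["user_id"] == user_id],
        }

    def export_json(self, user_id: str) -> str:
        """The portability format handed to the user: JSON."""
        return json.dumps(self.export(user_id), indent=2, sort_keys=True)

    def erase(self, user_id: str, when: datetime) -> Dict[str, int]:
        """Drop profile and consents; keep order amounts but cut their link to the person."""
        removed = 1 if self.profiles.pop(user_id, None) is not None else 0
        self.consents.pop(user_id, None)
        detached = 0
        for o in self.orders:
            if o["user_id"] == user_id:
                o["user_id"] = None
                o["erased_at"] = when.isoformat()
                detached += 1
        return {"profiles_removed": removed, "orders_detached": detached}


def total_revenue(store: SubjectStore) -> float:
    """The accounting figure that must survive erasure."""
    return sum(float(o["amount_eur"]) for o in store.orders)


if __name__ == "__main__":
    s = SubjectStore()
    s.record_consent("u1", "order_fulfilment", EXAMPLE_NOW)
    print(s.store_profile("u1", {"email": "ana@example.org", "browsing_history": "..."}))
    s.place_order("u1", 42.0, EXAMPLE_NOW)
    print(s.export_json("u1"))
    print(s.erase("u1", EXAMPLE_NOW), total_revenue(s))
```

Whether a detached order row is really no longer personal data depends on what else it carries: an exact timestamp plus a shipping city can still single someone out, so the purpose map should list every field that stays on the order, not only the ones on the profile.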
GDPR is one of the most prominent regulations regarding user privacy and information security. The rules of GDPR compliance have been formulated keeping in mind the interests of both businesses and users, but most importantly, the interests of security in the age of modern digital technology. Understanding the gravity of data security and putting measures in place must be a priority.
With GDPR compliance, you not only get to showcase the value you give to user privacy but also add great value to your overall business. This regulation has all the required capabilities to boost the confidence of your customers in your product and give a boost to your business.