WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting
WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

GDPR Data Protection Requirements: An Executive Overview

The General Data Protection Regulation (GDPR) forms a pillar for information privacy in the European Union and European Economic Area. Its provisions and principles encompass everything from the rights of data subjects and duties of data controllers and processors to liabilities and penalties for breach of rights. 

GDPR applies even to organizations outside the EU that sell to individuals located in Europe or collect data on them, so even if you're not EU-based, you may still be held liable for compliance violations.

In this guide, we'll summarize what your organization needs to know about GDPR data protection requirements.

What Is GDPR Compliance?

General Data Protection Regulation compliance is conformity with one of the EU's most fundamental laws safeguarding the personal data of EU citizens and residents. The law protects data which can be used to personally identify individuals, such as names and email addresses. It encompasses all processes involving operations on data, including collection, storage, transmission, and destruction of data.

The GDPR applies to both organizations that determine purposes and means of processing data (controllers) and other parties that process data on their behalf (processors). Its regulations apply to both controllers and processors operating in the EU and those outside the EU who target or collect data on EU citizens and residents.

This regulatory framework has severe penalties for non-compliance. Enforcement authority resides in individual data protection authorities (DPAs) from individual states. Infringement of rights protected by the GDPR can result in fines up to the greater of €20 million or 4% of an organization's annual worldwide turnover as well as criminal charges.

GDPR Key Terminology

GDPR general provisions provide dozens of definitions of key terms used in the regulation. Some of the most important terms for understanding the GDPR include:

  • Personal data
  • Data processing
  • Data subject
  • Data controller
  • Data processor

Personal Data

As the GDPR defines it, personal data refers to any information related to an identified or identifiable person. Such persons can be identified directly or indirectly by designations such as names, identification numbers, locations, or online identifiers of their physical, physiological, genetic, mental, economic, cultural, or social identity.

Data Processing

Data processing refers to any operation or set of operations performed manually or automatically on personal data or sets of data. Data processing operations include:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation
  • Alteration
  • Alignment
  • Combination
  • Erasure
  • Destruction
  • Restriction
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission, dissemination, or otherwise making available

Data Subject

A data subject is a natural person identified or identifiable by personal data.

Data Controller

A data controller refers to the natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data, alone or jointly with other parties. When the purposes and means of such processing are determined by Union or Member State law, the Union or Member State may establish the controller or the specific criteria for its nomination.

Data Processor

A data processor refers to the natural or legal person, public authority, agency or other body which processes personal data on a controller's behalf.

Overview of the GDPR

The GDPR contains 11 chapters covering the following topics:

  1. General provisions defining the regulation's subject matter, objectives, material and territorial scope, and key definitions
  2. Principles informing GDPR provisions, covering processing of personal data, lawfulness of processing, conditions for consent, children's consent, special categories of data, criminal records, and processing not requiring identification
  3. Rights of data subjects
  4. Controller and processor responsibilities
  5. Transferring personal data to third parties and international organizations
  6. Independent supervisory authorities enforcing the GDPR
  7. Cooperation and consistency of supervisory authorities
  8. Remedies, liabilities, and penalties for GDPR violations
  9. Provisions for specific processing situations such as freedom of expression, official documents, and national identification numbers
  10. Delegated and implementing acts of GDPR authorities
  11. Final provisions, concluding with entry into force and application of the regulation

The full text of the GDPR runs hundreds of pages. Here are some key highlights:

Principles of Data Processing

The GDPR lays out six groups of principles that govern its provisions:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Data integrity and confidentiality

Here's what each principle means:

Lawfulness, Fairness, and Transparency

This principle requires that data must be collected lawfully, fairly, and transparently. For data to be collected lawfully, one or more of the following conditions must apply:

  • The data subject has consented to have their data processed for specific purposes
  • Data processing is necessary to facilitate a contract
  • Data processing is necessary to fulfill a legal obligation binding upon the controller
  • Data processing is necessary to protect the data subject or another natural person
  • Data processing is necessary to execute an official responsibility in the public interest or vested in the data controller
  • Data processing is necessary for legitimate interests of the controller or a third party which do not conflict with other fundamental rights of data subjects

The GDPR provides less guidance on what constitutes fairness, as legal analysts have noted.

With respect to transparency, the GDPR requires that data subjects be informed clearly in writing or other means about the fact data is being collected on them and how this data is being processed. Subjects should be informed why data is being collected on them, how long it's being retained, and who it's being shared with.

Purpose Limitation

The principle of purpose limitation means that data must be collected for specific, explicit, legitimate reasons. This does not exclude further processing for archival purposes related to public, scientific, historical, or statistical interests.

Data Minimization

The principle of data minimization requires that data collection be adequate for its intended purpose, relevant for that purpose, and limited to what is necessary for that purpose.

Accuracy

The principle of accuracy requires that collected data be correct and current. Inaccurate or outdated data should be erased or rectified immediately.

Storage Limitation

The principle of storage limitation requires that collected data be kept no longer than necessary for its intended purpose. As with purpose limitation, this does not exclude data archiving for designated reasons.

Data Integrity and Confidentiality

The principle of data integrity and confidentiality states that data must be safeguarded through organizational and technical means that prevent unauthorized processing, unlawful processing, data loss, data destruction, or data damage.

Privacy Rights of Data Subjects

The principles of the GDPR aim to protect eight privacy rights of data subjects, based on the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. Data subject rights include:

  • The right to be informed: data subjects have a right to transparent knowledge about how data about them is being collected, processed, stored, and shared
  • The right of access: subjects have a right to obtain copies of their data and related information
  • The right to rectification: subjects have a right to require controllers to correct inaccurate data about them and complete incomplete data
  • The right to erasure: subjects have a right to require controllers to delete data about them under specific conditions, such as when it is no longer necessary, when the subject withdraws consent, or when the data was collected unlawfully
  • The right to restrict processing: data subjects have a right to prevent processing of data that is inaccurate, unlawful, unnecessary, or subject to legitimate objection
  • The right to data portability: subjects have a right to receive a copy of their data in a common, machine-readable format that can be transferred to another controller
  • The right to object: subjects have a right at any time to demand that controllers and processors cease and desist from processing their data
  • Rights in relation to automated decision making and profiling: subjects have a right not to be legally or similarly affected by decisions based solely on automated profiling

These rights may be subject to designated restrictions for specific reasons, such as national security, law enforcement, tax collection, or civil law enforcement.

Data Protection by Design and Default

To implement its principles, the GDPR compels data controllers to adopt a policy of data protection by design and default. 

This means that controllers should take data protection into account throughout the product and data lifecycle from the time of determination of means of processing to the time of actual processing. Data protection measures should ensure that by default, only data necessary for specific purposes is collected and data is not made accessible without the subject's consent to other natural persons. These measures apply to the amount of data collected, data processing, and data storage and accessibility.

Controllers must implement both organizational procedures and technical measures to ensure data protection. Organizational measures include standard operational procedures such as training staff, adding a data privacy policy to employee handbooks, minimizing data collection, and restricting data access. Technical measures include cybersecurity techniques such as encryption and two-factor authentication.

An approved certification mechanism may be used to help demonstrate compliance with data protection by design and default.

Data Accountability

The GDPR holds data controllers accountable for being able to demonstrate compliance. Means of demonstrating compliance include:

  • Assigning data protection responsibilities to designated team members
  • Keeping documentation of how data is collected, used, stored, and shared and who is responsible for handling it
  • Training staff to follow data protection organizational and technical procedures
  • Signing Data Processing Agreement contracts with third parties who process your data
  • Appointing a Data Protection Officer if required (required for public authorities, organizations that conduct large-scale regular monitoring, and organizations that conduct large-scale collection of data falling into designated special categories)

These accountability requirements help ensure that organizations not only follow GDPR principles and provisions, but can demonstrate compliance.

Data Security

To meet the technical measures requirement of the GDPR, data controllers must implement appropriate data security procedures. 

The GDPR article on security of processing does not detail specific security measures beyond a few examples, but requires data controllers to take into account the state of the art in cybersecurity, costs of implementation, processing scope, and risks.

In the event of a breach, companies have 72 hours to notify data subjects, unless technological safeguards such as encryption already have neutralized the value of data for attackers.

GDPR Checklist for SMBs

The EU provides a general GDPR compliance checklist for data controllers as well as specific guidance for US companies. The general checklist covers four key areas:

  1. Lawful basis and transparency
  2. Data security
  3. Accountability and governance
  4. Privacy rights

Lawful Basis and Transparency

To comply with the GDPR lawful basis and transparency requirements, data controllers must:

  • Conduct an information audit to assess what information your organization process and who can access it
  • Establish a legal basis for data processing operations
  • Disclose clear information in your privacy policy about your data processing and its legal basis

Organizations with at least 250 employees and organizations that conduct high-risk processing must keep a detailed, current list of processing activities, to be provided upon request to regulatory authorities. Organizations with fewer than 250 employees will find that keeping such a list will assist with other compliance requirements.

The list should include:

  • Why you process data?
  • What kind of data you process?
  • Who in your organization can access data?
  • Which third parties can access your data and where they're located?
  • What you do to protect data?
  • When you intend to erase data?

Data Security

GDPR data security requirements obligate data controllers to:

  • Consider data protection throughout the product and data lifecycle, from product development to each time data is actually processed
  • Encrypt, pseudonymize, or anonymize data when possible
  • Establish an internal security policy and promote data protection awareness
  • Know when to run data process impact assessments and establish procedures for executing them
  • Establish procedures for notifying authorities and data subjects when data has been breached

These requirements follow the GDPR's principle of "data protection by design and default", which includes applying " appropriate technical and organizational measures". Technical measures include cybersecurity practices such as encryption. Organizational measures include policies such as minimizing data collection and deleting unneeded data.

Accountability and Governance

GDPR accountability and governance requirements compel data controllers to:

  • Designate an individual within your organization responsible for GDPR compliance
  • Sign a Data Processing Agreement with any third parties who process your organization's data
  • If you're located outside the EU, appoint a representative within the EU
  • If necessary, appoint a Data Protection Officer

These requirements ensure that someone in your organization is accountable for GDPR compliance and has authorization to review data protection policies and execute them.

Privacy Rights

GDPR privacy rights requirements obligate call for controllers to make it easy for customers to:

  • Request and receive all data about them
  • Correct and update information that is incomplete or inaccurate
  • Request to have personal data deleted
  • Request you to stop processing their data
  • Receive a copy of their data in a format transferable to another company
  • Object to you processing their information
  • Have their rights protected during automated processing of data

These requirements ensure the rights of data subjects to see what data you have about them, understand how you're using it, know how long you keep it, and receive a copy of their information in a timely manner.

GDPR Compliance Checklist for US Companies

US companies can comply with the GDPR by:

  • Auditing their information for EU data
  • Disclosing to customers why you're processing data
  • Evaluating data processing activity risks and mitigating vulnerabilities
  • Signing a data processing contract with vendors
  • Appointing a Data Protection Officer if required
  • Designating a representative in the EU
  • Planning how to respond to a data breach
  • Complying with applicable cross-border data transfer laws

The GDPR's website provides forms and templates to assist with compliance.

Get GDPR Compliance Help from Cobalt

Whether you operate in the EU, sell to EU customers, or collect data on EU citizens or residents, GDPR compliance applies to you. 

Achieving compliance involves both policy and technical implementation. On the technical side, you need to ensure that data you collect, store, and transmit remains secure from cyberattacks that can compromise customer privacy.

Cobalt assists you with achieving GDPR compliance requirements by providing compliance pentesting services to identify and mitigate vulnerabilities in your IT infrastructure. Our team of offensive security experts helps you rapidly schedule simulated attacks on your data and produce audit-quality attestation reports identifying your vulnerabilities and what you've done to mitigate them. 

Our pentesting platform makes it easy for our experts to collaborate with your security team and plan tests that meet your requirements for compliance with the GDPR or other regulatory frameworks. Talk to our team today to get started on the road to compliance.

Back to Blog
About Steven Dimirsky
Steven Dimirsky is an experienced General Counsel with over a decade of experience in SaaS, including oversight and implementation of privacy and infosec programs globally. He is well-versed in the negotiation of all manner of commercial agreements, IP portfolio management, and providing counsel regarding compliance with the various privacy law and regimes in North America and Europe. More By Steven Dimirsky