July 21, 2022
By now, you've likely heard of the European Union’s crucial data privacy regulation, but may not fully understand the general requirements of GDPR — especially if your company operates outside of the EU.
Considered the most significant privacy regulation in 20 years, the GDPR (adopted in 2016 and enforceable since May 2018) is a substantial step up from the EU's previous data protection directive.
The regulation transforms how organizations in every sector handle personal data and gives people far more say over who collects their data, when it's collected, and how it's used.
With this regulation, companies can't just clean up the mess and say "sorry" after a personal data breach. They also can't collect and use consumer data without oversight or plainly worded disclosures. Stiff penalties now exist for data breaches and data privacy violations.
To prove GDPR compliance, organizations must take steps to protect a data subject’s privacy from the get-go. Transparency is the name of the game — a new notion to many organizations that have traditionally put data privacy on the backburner.
GDPR compliance can seem overwhelming, but in the long-term, we expect to see better user/customer experiences, fewer data breaches, and greater trust between consumers and organizations regarding personal data.
Since its advent in 2018, many have celebrated the General Data Protection Regulation: In terms of protecting people’s privacy, it’s a game-changer (and a big one). But for the countless companies attempting to navigate all of its nuances and layers, the GDPR can cause confusion and, for many, frustration.
To help you understand it better, we’ve compiled a list of essential facts about GDPR compliance. Use these as your guide to improving your organization's data security, protecting your data subjects' personal information, and avoiding non-compliance issues. We recommend reviewing the need-to-knows below but have also condensed these steps into a helpful GDPR compliance checklist you can access.
The European Parliament approved the General Data Protection Regulation in 2016 to replace the 1995 Data Protection Directive, but enforcement only began on May 25, 2018. For U.S. companies that believe they're exempt from GDPR because they don't do business with folks across the pond, think again.
The GDPR's reach is extraterritorial: under Article 3(2), any organization, EU-based or not, that offers goods or services to data subjects in the EU or monitors their behaviour is on the hook. The GDPR compliance checklist referenced at the end of this article walks U.S. companies through the associated requirements.
GDPR requirements govern almost every data point an organization collects, across every conceivable online platform, because "personal data" means any information relating to an identified or identifiable person. That includes data routinely requested by websites, like IP addresses, email addresses, and physical device information. Types of personal data protected under GDPR include:
As you can imagine, "basic identity information" is a broad category. It includes user-generated data, like social media posts and personal images uploaded to websites, as well as health data, which the GDPR treats as a "special category" subject to stricter rules (Article 9). Yes, that means organizations must protect your tweets and Facebook statuses.
The General Data Protection Regulation establishes eight rights that apply to every data subject. To achieve GDPR compliance, your organization must respect the following rights or face severe penalties:
If your U.S. company processes EU residents' personal data but has no establishment in the EU, Article 27 generally requires you to designate a representative there (the only exemption is for occasional, low-risk processing that involves no large-scale special-category data). Selling products or services online to customers in the EU, or monitoring the behaviour of EU-based visitors to your site (for example, through analytics or tracking cookies), means you must comply. The representative is the point of contact for EU supervisory authorities and data subjects and keeps a copy of your records of processing under Article 30.
If you don't already have a subsidiary or corporate affiliate established in the EU, you can name an unaffiliated person or entity. Consider a "GDPR Representative as a Service," where you pay a U.S. company a flat fee to name one of their EU representatives to act as yours. Then, you list them as your EU contact to satisfy Article 27. Note that the representative is a separate role from the data protection officer discussed below; appointing one does not by itself make you compliant.
The General Data Protection Regulation is a complete shift in thinking, and it's safe to say many U.S.-based organizations are still scratching their heads. Between adoption in 2016 and enforcement in May 2018, companies were granted a two-year grace period to get up to speed.
These days, companies must at least prove to officials that they're actively working toward accountability and compliance. Penalties for non-compliance are tiered: up to EUR 10 million or 2% of annual global turnover for the lower tier, and up to EUR 20 million or 4% of annual global turnover of the preceding fiscal year for the upper tier, whichever is higher (Article 83).
GDPR compliance means adopting the principle of affirmative consent wherever consent is your lawful basis for processing. This requires a switch from an "opt-out" approach to an "opt in" approach concerning data collection and processing.
Instead of assuming user consent (by opting them in automatically and providing an opt-out method), you must obtain a freely given, specific, informed and unambiguous indication of agreement before you collect, store, and process their personal data on that basis. Consent is one of six lawful bases in Article 6; where another basis applies (performance of a contract, a legal obligation, legitimate interests), you don't need consent, but you must still document the basis and honour the other obligations described here. For marketing, consent is usually the only realistic option, so this applies even if you're just adding a customer's email address to your newsletter list. Pre-ticked boxes and silence do not count.
Additionally, users don't just have the right to decide whether you collect and use their data; they can also influence how you use it. They have the legal right to object to particular uses of their personal information and to challenge how it is presented to themselves and to others.
For instance, a user might object to Google's use of their data to refine its algorithm and show content to other users. Or a user might invoke their right to be forgotten at any point, in which case it's your responsibility to scrub their data from your systems, subject to the exceptions in Article 17(3), such as records you are legally obliged to retain.
It’s possible people aren’t reading privacy policies because, too often, they can be tangled webs of legal jargon. For that reason, the GDPR prohibits organizations from hiding behind illegible terms and conditions that are difficult to understand.
Instead, GDPR compliance requires companies to clearly define their data privacy policies and make them easily accessible. They must explain how they engage in personal data processing and what they do with it. Further, they can't write privacy policies that absolve them from responding to a personal data breach.
There's another caveat: Your organization must also know and monitor your vendors (and their privacy policies) to ensure GDPR compliance when they handle your EU subject data. Under Article 28, you may only use processors that provide sufficient guarantees, and you need a written data processing agreement with each of them; as the controller, you can be held accountable for their compliance (or lack thereof).
When a personal data breach occurs, the controller must report the incident to its supervisory authority within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals (Article 33). Data processors must notify the controller without undue delay after becoming aware of a breach, and when the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay (Article 34).
This may be one of the most significant changes in practice for U.S. companies, especially after large-scale breaches like the one at Equifax in 2017. It took the credit reporting agency six weeks to disclose the breach, which affected upward of 143 million Americans.
Under GDPR, companies that fail to comply face hefty fines for such delays. The requirements force companies to take data breaches more seriously and implement security measures to protect their data subjects.
GDPR requirements give consumers (i.e., data subjects) the right to ask companies for information held about them. Companies must fulfil the request without undue delay and in any event within one month of receipt; Article 12(3) allows a further two months for complex or numerous requests, but only if the subject is told of the extension, and the reason for it, within the first month.
Data subject access requests force organizations to know where collected data is at all times, what information is being collected, how it's being used by whom, and when it's being accessed.
If the consumer finds an error, the organization must correct it (called "rectification"). If the customer opts to invoke their "right to be forgotten," the company must erase their data (called "erasure"). If the consumer doesn't like how their personal data is being collected and used, they can object.
As you can imagine, this is one of the most significant portions of the data protection law: It enforces transparency surrounding personal data and information that organizations store and process.
Bottom line? Organizations can no longer hide what they know.
Most U.S.-based organizations are behind when it comes to having this data at their fingertips. Big data is big, and it isn't always in the same place. Customer data can be in core operational systems, cloud applications, online file-sharing services, removable media, physical storage cabinets, temporary files, sandbox systems, backup systems, and employee devices (just to name a few).
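The access, rectification, and erasure rights described above, and the point that you can only honour them if you know every system holding a subject's data, can be made concrete in code. The following is an added example written for this article, not code from Osano or from the regulation: a minimal data subject request workflow over a constructed, in-memory data inventory. The system names, identifiers, and records are invented; the deadline logic follows Article 12(3) (one month, extendable by two further months), and the erasure routine keeps and explains records under a retention obligation, modelling the Article 17(3) exceptions as a `legal_hold` reason.

```python
"""Added example (not part of the original article): a minimal data subject
request workflow over a constructed data inventory.

Demonstrates three things the article describes:
  * the Article 12(3) clock: one month from receipt, extendable by two
    further months for complex requests,
  * an access report assembled from every system that holds the subject's
    records (only possible when the inventory is known), and
  * an erasure request that keeps, and explains, records the controller is
    legally obliged to retain (Article 17(3) exceptions).

All system names, identifiers and records below are constructed for the
example.
"""
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass
from datetime import date


@dataclass
class Record:
    system: str            # where the data lives (CRM, billing, backups, ...)
    category: str          # data category, e.g. "email", "ticket"
    value: str
    legal_hold: str | None = None   # set => must be kept; reason is reported


# Constructed inventory: one subject's data scattered across several stores.
INVENTORY: dict[str, list[Record]] = {
    "subject-0042": [
        Record("crm", "email", "jane@example.com"),
        Record("newsletter", "email", "jane@example.com"),
        Record("billing", "invoice", "INV-2021-117",
               legal_hold="tax retention, Art. 17(3)(b)"),
        Record("support", "ticket", "Printer keeps jamming"),
    ],
}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target
    month, so 31 January + 1 month is 28 (or 29) February, not an error."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def response_deadline(received: date, complex_request: bool = False) -> date:
    """Art. 12(3): one month, extendable by two further months where the
    request is complex. (Telling the subject about the extension within the
    first month is a separate obligation not modelled here.)"""
    return add_months(received, 3 if complex_request else 1)


def access_report(subject_id: str) -> list[dict]:
    """Art. 15: everything held about the subject, and where it lives."""
    return [{"system": r.system, "category": r.category, "value": r.value}
            for r in INVENTORY.get(subject_id, [])]


def rectify(subject_id: str, category: str, old: str, new: str) -> int:
    """Art. 16: correct every copy of a value; returns how many were changed.
    A value that is fixed in only one system is a rectification failure."""
    changed = 0
    for r in INVENTORY.get(subject_id, []):
        if r.category == category and r.value == old:
            r.value = new
            changed += 1
    return changed


def erase(subject_id: str) -> dict:
    """Art. 17: delete what may be deleted, keep what must be kept, and
    return both lists so the response to the subject can explain them."""
    erased, retained, remaining = [], [], []
    for r in INVENTORY.get(subject_id, []):
        if r.legal_hold:
            retained.append({"system": r.system, "category": r.category,
                             "reason": r.legal_hold})
            remaining.append(r)
        else:
            erased.append(r.system)
    INVENTORY[subject_id] = remaining
    return {"erased": erased, "retained": retained}


if __name__ == "__main__":
    print("deadline:", response_deadline(date(2022, 1, 31)))
    print("access:", access_report("subject-0042"))
    print("rectified copies:",
          rectify("subject-0042", "email", "jane@example.com",
                  "jane.doe@example.com"))
    print("erasure:", erase("subject-0042"))
    print("after erasure:", access_report("subject-0042"))
```

The design point is that `erase` never silently drops a request it cannot fully honour: a record on legal hold stays in the inventory and its reason goes back to the subject, which is what Article 17(3) requires. In a real deployment the inventory would be the data map of every system from the list above, backups and employee devices included.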
Ultimately, gaining control over this data benefits both the organization and the consumer. A 2018 Forbes article listed five of these benefits, but one in particular continues to win the day: a hefty boost in ROI.
In fact, according to a 2021 Forrester Total Economic Impact report, companies that invested in data privacy/security saw a whopping 152% return on investment, including recovered investment costs in just six months.
If your organization is a data controller (or processor) whose processing meets the criteria in Article 37, the General Data Protection Regulation creates a legal obligation to designate a data protection officer, or DPO.
This enterprise security leadership role is responsible for: overseeing a company's data protection strategy; monitoring data storage and data transfer operations; educating and training employees on regulatory compliance; implementing policies to ensure GDPR compliance; responding to data subject access requests; and serving as a point of contact between the organization and GDPR supervisory authorities.
You must hire one if...
Article 37(1) requires a DPO for public authorities, for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for those whose core activities involve large-scale processing of special-category or criminal-conviction data. The size of your organization is irrelevant here. What matters is the size of your data processing operation. But as you're probably thinking, "large-scale" and "large volumes" are nebulous terms. The regulation itself doesn't define them; the Article 29 Working Party's DPO guidelines (WP243, endorsed by the EDPB) suggest weighing the number of data subjects, the volume and range of data, the duration of processing, and its geographic extent. Beyond that, we must make our best guess for now (or until the regulation is amended or clarified in the courts).
Like many organizations, you may use a cloud provider to house your data (like Microsoft Azure, Google Cloud, or Amazon Web Services). This practice does not off-load your data processing responsibilities to the cloud provider: the provider is your processor, and you remain the controller. Many organizations make the mistake of assuming their cloud providers' certifications make them compliant, but the provider's controls cover only its side of the shared responsibility model, not how you configure and use the service.
To ensure GDPR compliance, you need an Article 28 data processing agreement with the provider, and both the provider and the systems you build on top of it must abide. That's yet another reason it's helpful to designate a data protection officer.
Remember, the purpose behind GDPR is to protect consumers on data privacy issues. It's an ambitious, far-reaching piece of legislation designed to safeguard the public’s privacy and provide agency over their data.
There's no doubt that GDPR compliance creates challenges for all organizations, especially those that rely heavily on robust data processing. Compliance requires one-time and recurring costs, new policies and procedures, education and training, and even extra staffing.
Framers of the GDPR are aware of those challenges. Still, while they understand your frustration, they feel — and we agree — that user rights are paramount, even at the expense of user experience. At a time when nearly every conceivable data point of our lives is stored online, we are remarkably vulnerable to theft and exploitation. Thus, we require concrete safeguards for better protection.
No matter the size of your organization, EU supervisory authorities can penalize your business for non-compliance. Yes, even small businesses fall within the GDPR's radar.
Still, while it’s critical that you comply, the regulation is massive and complex. With Osano, you gain GDPR compliance instantly.
We serve as your GDPR representative, monitor your vendors, help you respond to access requests, and alert you about new or changing privacy laws with advice on how to prepare. Let Osano make it simple.
GDPR compliance can seem pretty intimidating, especially if you're trying to figure out where to start. Download the checklist to discover 8 steps to build your foundation.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.