What is GDPR Compliance?
The General Data Protection Regulation (GDPR) is the European Union's data privacy and security law. It is one of the most far-reaching privacy laws in the world because of how broadly it applies, and compliance can be tricky.
The regulation took effect on May 25, 2018. Supervisory authorities can impose harsh fines on organizations that violate its privacy and security requirements, with penalties reaching tens of millions of euros.
Scope, penalties, and key definitions
The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:
Personal data — Personal data is any information related to an individual who can be directly or indirectly identified. Names and email addresses are personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
Data processing — Any operation performed on personal data, whether automated or manual. The examples listed in the regulation include collecting, recording, organizing, structuring, storing, using, disclosing, and erasing, which covers essentially anything you do with data.
Data subject — The person whose personal data is processed. For most businesses these are your customers, site visitors, and employees.
Data controller — The person or organization that decides why and how personal data will be processed. For most businesses the company itself is the controller, which makes it responsible for how its owners and employees handle that data.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations, and a controller must have a written contract in place with each of them. Examples include cloud storage providers like Tresorit or email service providers like Proton Mail.
Ok, so how does this apply to my company?
Well, if you do business in Europe, or handle data about people who are there, this applies to you.
The reason is that any information that can be linked to a person in the European Union counts as personal data, even if it is hidden behind a pseudonym and would need additional data to tie back to an individual. Pseudonymization reduces risk, but it does not take the data out of scope; only data that can no longer be linked to a person by any reasonably likely means falls outside the regulation.
I only do a little business in Europe. Can I skip it?
First, if you process the personal data of people in the EU or offer goods or services to them, then the GDPR applies to you even if your company is not established in the EU, and even if those people are not EU citizens.
Second, the fines for violating the GDPR are very high. There are two tiers of penalties: the lower tier maxes out at €10 million or 2% of global annual revenue, and the upper tier at €20 million or 4% of global annual revenue, whichever is higher in each case. On top of that, data subjects have the right to seek compensation for damages.
Shoot, this sounds risky. How do I get compliant?
I recommend using a third party to audit your compliance. The GDPR is written in terms of principles rather than specific technologies, so the tools and processes that satisfy it will change over time, and an outside auditor is more likely to keep up with that than an in-house team doing this once.
If your company is already aligned with the NIST CSF and/or HIPAA compliant, the good news is that you are already a good part of the way there, so this process won't be new to you. Both require the same kind of inventory of what data you hold, where it lives, and who can access it.
If you want to get compliant yourself, you should start here: https://gdpr.eu/.
If you need assistance figuring out compliance, the Alpha IT Virtual Risk Officer (vRO) service with a compliance upgrade is what you’re looking for. Our vRO team can walk you through the road to compliance with the most up-to-date tools and processes.