100 Overlook Center, 2nd floor, Princeton, New Jersey, 08540, USA

What is GDPR Compliance and Who Needs to Comply with GDPR?

A University of Maryland study found that computers with Internet access are attacked, on average, every 39 seconds. More than 120 countries have adopted data protection laws to regulate how personal data moves across borders. One such law is the GDPR. What is it, who has to implement it, and what is its essence? We explain everything you need to know.

 

What is GDPR?

The GDPR is the General Data Protection Regulation of the European Union (EU). It protects the personal data of people in the EU regardless of their citizenship, explains what personal data is, and establishes the rules for handling it responsibly. Businesses that collect, process or store personal data in order to provide goods or services to people in the EU member states have to implement the GDPR.


If your business is established in the EU, it must comply with the GDPR. Your company may be located in the United States or China, but if you offer goods or services to people in the EU, monitor their behaviour there, or employ people in the EU, you are still subject to the regulation.


Personal data processing principles

The processing of personal data must follow seven principles, which are set out in Article 5 of the GDPR.

Lawfulness, fairness and transparency

The lawfulness, fairness and transparency principle means that the organization obtains data on a valid legal basis, fulfils its obligations when storing and transferring it, and gives data subjects complete information about how their data is collected, processed and stored.

Consent is one of the six legal bases for processing listed in Article 6 of the GDPR. Where consent is the basis, it must cover every purpose for which the data is used; a new purpose, such as passing the data to a third party for marketing, is not covered by the original consent.

For example, the company Nos transferred the personal data of about 3.8 million prospective customers to the telecommunications company Vodafone for marketing purposes. Nos had not obtained the customers' consent for the transfer and was fined 20,000 EUR.

 

The information a company gives about how it processes data must be complete.

The Swedish Klarna Bank failed to meet this requirement, and the Swedish Data Protection Authority fined it 720,000 EUR. The bank had not told customers the purposes and legal grounds of the processing, the recipients and the countries outside the EU to which data was transferred, or the rights of data subjects.

Completeness also forbids covert or invisible processing.

EasyLife, a retailer of household goods, broke this rule. When a customer bought certain products, the company inferred facts about their health and targeted them with further offers. EasyLife profiled 145,400 buyers on the basis of these "trigger products" without telling them. This was unlawful and invisible processing, and it cost the company 1.5 million EUR.

 

Besides being complete, the information must be easy to find and to understand.

Ireland's DPA fined WhatsApp 225 million EUR. One of the violations was that the messenger's Privacy Policy was not easily accessible; the GDPR requires privacy information to be written in language users can understand.

Companies that publish Privacy Policies on websites and in applications must describe their collection and processing in clear, concise and plain language so that users can understand how their data is handled. The owner of an IT product should highlight the most important points and present the information through several channels, for example video, short informational snippets or pop-ups. The Privacy Policy itself must be placed where users expect it: in practice the site footer or the app's menu, so that the document is always one or two clicks away.

 

Purpose limitation

The company must tell customers the purposes for which it collects data. Under Article 5, purposes must be specified, explicit and legitimate, and data may not be further processed in a way that is incompatible with them. In practice this means collecting data only for purposes that are genuinely needed to provide the service.

IT lawyers from Stalirov&Co drafted the Privacy Policy for SmartWatch, a mobile application that synchronizes watches with Android devices. In the document, the lawyers set out the specific and legitimate purposes of collection: SmartWatch collects personal data to improve the service, to communicate with visitors and for online sales. It uses personal data to make the application work quickly and reliably; the main purpose of processing is to make the application convenient and understandable to use. In addition, the application uses data for security, customer support, marketing, compliance with legal obligations, accounting requirements and software development.

The more precisely the purposes are specified, the lower the risk of a fine for breaching this principle.

 

Minimization

Collect only the data that is necessary for the stated purpose. Companies should limit the personal data they collect to what is directly relevant and needed to accomplish that purpose. For example, an online e-book store placed an order form on its site. The owner used a standard contact form asking for first and last name, date of birth, phone number, email and home address. Not all of these fields are needed: to deliver an e-book you need only a name and the email address the book will be sent to. Collecting the other data violates the principle of minimization.

 

Access to data should be granted only to the employees who need it for their work.

For example, at the medical facility Azienda sanitaria Universitaria Friuli Occidentale, all employees could access patients' health data, even if they were not treating them. This mistake cost the facility 50,000 EUR.

 

Accuracy

The principle of accuracy requires companies to keep data up to date and to correct it when necessary. One way to meet it is to ask data subjects periodically to confirm or update their details. The investment company Freedom Finance does this: every year it asks brokerage account holders to submit an update order with supporting documents through the desktop and mobile versions of its Tradernet application. If the client does not, access to the account is blocked until the data is updated.

 

To meet the accuracy requirement, some medical institutions use hashing. When two patients receive the same treatment at the same time and the name is the only attribute that distinguishes them, records can be mixed up, so each person needs a unique identifier. Institutions therefore compute immutable hash signatures over each treatment-log record and the employee associated with the patient. Any later change to the personal data can then be detected, compared and traced.
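What such a scheme looks like in code, as an added example that is not part of the original article and not any institution's real system: each patient gets a pseudonymous identifier derived with a keyed hash (so two "Maria Rossi" records never collide and the name itself is not stored in the log), and every treatment entry is signed and chained to the previous one, so an edit, deletion or reordering is detected by a later verification pass. The key, record fields and sample entries are constructed for illustration.

```python
"""Tamper-evident treatment log with pseudonymous patient identifiers.

Added example; it is not code from the original article or from any
institution it mentions. The key, record fields and sample entries are
constructed for illustration only.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical secret, assumed to live outside the log database (for
# example in a secrets manager). Without it, records cannot be re-signed.
LOG_KEY = b"constructed-demo-key-do-not-use-in-production"


def patient_id(name: str, date_of_birth: str, key: bytes = LOG_KEY) -> str:
    """Derive a stable pseudonymous identifier from identity attributes.

    Two patients with the same name but different dates of birth get
    different IDs; the same patient always gets the same ID. A keyed hash
    is used instead of a bare SHA-256 so the ID cannot be reversed by
    hashing guessed names offline.
    """
    canonical = f"{name.strip().casefold()}|{date_of_birth}".encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


@dataclass
class Entry:
    seq: int
    patient: str      # pseudonymous ID, never the name
    staff: str        # employee associated with the treatment
    treatment: str
    prev_hash: str    # hash of the previous entry, chaining the log
    sig: str = ""     # keyed signature over this entry's payload

    def payload(self) -> bytes:
        # Canonical JSON so identical data always serializes identically.
        return json.dumps(
            {"seq": self.seq, "patient": self.patient, "staff": self.staff,
             "treatment": self.treatment, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":")).encode()

    def entry_hash(self) -> str:
        return hashlib.sha256(self.payload()).hexdigest()


class TreatmentLog:
    GENESIS = "0" * 64

    def __init__(self, key: bytes = LOG_KEY):
        self.key = key
        self.entries: List[Entry] = []

    def _sign(self, entry: Entry) -> str:
        return hmac.new(self.key, entry.payload(), hashlib.sha256).hexdigest()

    def append(self, patient: str, staff: str, treatment: str) -> Entry:
        prev = self.entries[-1].entry_hash() if self.entries else self.GENESIS
        entry = Entry(len(self.entries), patient, staff, treatment, prev)
        entry.sig = self._sign(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the seq of the first bad entry, or None if the log is intact."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev:
                return entry.seq        # chain broken: entry deleted or reordered
            if not hmac.compare_digest(self._sign(entry), entry.sig):
                return entry.seq        # content changed without the key
            prev = entry.entry_hash()
        return None


def demo() -> Tuple[bool, Optional[int], Optional[int]]:
    """Two patients share a name; a record is edited after the fact."""
    log = TreatmentLog()
    a = patient_id("Maria Rossi", "1980-04-12")   # constructed sample
    b = patient_id("Maria Rossi", "1991-09-30")   # constructed sample
    log.append(a, "dr_bianchi", "amoxicillin 500mg")
    log.append(b, "dr_bianchi", "amoxicillin 500mg")
    log.append(a, "nurse_conti", "blood pressure check")
    before = log.verify()                          # None: log is consistent
    log.entries[1].treatment = "ibuprofen 400mg"   # unauthorized edit
    after = log.verify()                           # 1: the altered entry
    return a != b, before, after


if __name__ == "__main__":
    print(demo())
```

The scheme detects that a record changed and which one; it does not say who changed it, so it belongs alongside access control and audit logging rather than in place of them. The signing key must be kept out of reach of anyone who can write to the log, otherwise an insider can simply re-sign the altered entry.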

 

Violating the principle of accuracy leads to fines.

For example, the Romanian branch of Raiffeisen Bank processed inaccurate customer data. The investigation began with a complaint from a person who received SMS notifications about money transfers he had not made: his phone number had been entered into the bank's system by mistake. The GDPR requires data to be checked and updated regularly, and Raiffeisen Bank was fined 2,000 EUR.

 

Storage limitation

Companies must set a retention period for personal data and be able to justify that the period is necessary for the stated purposes.

The Spanish bank Bankia S.A. paid 50,000 EUR for violating this requirement: personal data was kept for several years after the data subjects had stopped being customers and remained accessible to bank employees.

 

Integrity and confidentiality

Companies must implement technical measures that protect data from unauthorized or unlawful processing and from accidental loss, destruction or damage. For example, suppose a company moves customers' personal information from a database to a file server. If every employee can reach that server but only one department needs the data, the company should segment the network and enforce access control on the server; this also limits the damage malware can do if one workstation is compromised.

In addition, you can implement security monitoring and deploy an intrusion detection and prevention system. With automated audit logging, violations of the processing rules can be recognized quickly.

For violating the principle of integrity and confidentiality, the American online ticketing company Ticketmaster received a fine of 1.4 million EUR from the UK Information Commissioner. Ticketmaster had embedded an insufficiently secured chatbot in its online payment page, which let an attacker harvest customers' financial information: names, payment card numbers, expiry dates and card verification values (CVV) were exposed.

Another case involved the Polish financial company ID Finance. During a server restart the security software settings were reset, and as a result the names, addresses, nationality and marital status of 140,699 customers became publicly accessible.


Accountability 

Each step of dealing with personal data should be described in detail in official documents:

  • Privacy Policies
  • Data protection agreements
  • Data protection instructions for employees
  • Procedures for responding to and reporting a data breach, and so on.

The company must be able to produce these documents for the supervisory authority to demonstrate compliance. Otherwise it risks heavy fines.

For example, Danske Bank paid 1.3 million EUR for failing to document the rules for storing and deleting personal data in more than 400 systems; the bank could not prove that it was complying with them.

 

What technical and organizational security measures should a company implement to be GDPR compliant?

Article 32 of the GDPR requires technical and organizational measures appropriate to the risk of the processing, including, where appropriate:

  • Pseudonymization and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability of and access to personal data promptly after a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of the measures.

Security failures can lead to fines ranging from trivial to millions of euros.

For example, the marketing company SC Interactions Marketing SRL was fined 1,000 EUR for sending an email with the whole recipient list in the To field, so that every recipient could see the email addresses of all the others. The company had not taken the measures needed to keep personal data confidential and breached Article 32 of the GDPR on the security of processing.
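The open-list mistake above, beside the fix and the pre-send check a mailing pipeline would run to catch it, as an added example that is not part of the original article. It uses only Python's standard library email module; the sender and recipient addresses are constructed sample data and nothing is actually sent.

```python
"""Bulk e-mail without exposing the recipient list.

Added example, not code from the original article. Python's standard
library email module is used; the sender and recipient addresses are
constructed sample data, and nothing is actually sent.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable, List, Tuple

SENDER = "notices@example.com"   # constructed sample address


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient can read: everything in To and Cc."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(headers)]


def build_open_list(recipients: Iterable[str], subject: str,
                    body: str) -> Tuple[EmailMessage, List[str]]:
    """The mistake from the case above: all recipients in the To header."""
    to_addrs = list(recipients)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, to_addrs


def build_blind_copy(recipients: Iterable[str], subject: str,
                     body: str) -> Tuple[EmailMessage, List[str]]:
    """The fix: recipients travel only in the SMTP envelope.

    The delivered headers name nobody but the sender; the real list is
    passed separately, e.g. smtplib.SMTP.send_message(msg, to_addrs=...).
    """
    to_addrs = list(recipients)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = f"Undisclosed recipients <{SENDER}>"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, to_addrs


def exposed_recipients(msg: EmailMessage, to_addrs: List[str]) -> List[str]:
    """Pre-send check: which recipients would be disclosed to the others?

    A message to a single person leaks nothing; for two or more, any
    envelope recipient that also appears in To/Cc is exposed. A sending
    pipeline should refuse bulk mail where this list is non-empty.
    """
    if len(to_addrs) < 2:
        return []
    visible = set(visible_recipients(msg))
    return sorted(a for a in to_addrs if a in visible)


if __name__ == "__main__":
    customers = ["ana@example.org", "ben@example.org", "chen@example.org"]
    bad, bad_to = build_open_list(customers, "Offer", "Hello")
    good, good_to = build_blind_copy(customers, "Offer", "Hello")
    print("open list exposes:", exposed_recipients(bad, bad_to))     # all three
    print("blind copy exposes:", exposed_recipients(good, good_to))  # []
```

Passing the list as envelope recipients rather than as a Bcc header avoids relying on the mail client or relay to strip that header; sending one message per recipient is safer still and also allows per-recipient unsubscribe links.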
While SC Interactions paid a relatively small fine, Fortum Marketing and Sales was fined 1 million EUR for allowing unauthorized access to its database. During changes to the company's IT environment an additional copy of the customer database was created, and the server it was stored on was not adequately secured, so unauthorized persons gained access. The Polish data protection authority found that the company had not encrypted the customer data and that, while implementing the changes, the processor had used real customer data instead of test data.

 

To ensure compliance with GDPR and improve data security, consider implementing these cybersecurity solutions:

(Figure: technical and organizational security measures under GDPR)

How to become GDPR compliant?

IT lawyers at Stalirov&Co compiled a list of actions needed to satisfy the requirements of the regulation. To be GDPR compliant you need to:

  1. Conduct a GDPR audit to determine what personal data the company collects, on what legal basis, and for what purpose. This implements the principle of lawfulness.
  2. Develop the GDPR documentation required by the principle of accountability. Online stores, marketplaces, mobile applications, game development products and other software that collects personal data from users on the Internet need a Privacy Policy. Companies in finance, medicine, insurance, tourism and other industries must also implement internal agreements, policies and guidelines, for example data protection agreements with contractors and employees.
  3. Update the GDPR documentation regularly so that customers receive current information about how their data is processed and stored, and promptly correct data at the request of data subjects. This satisfies the principles of transparency and accuracy.
  4. Establish a data retention schedule to meet retention deadlines and comply with deletion requirements.
  5. Appoint a Data Protection Officer who will help implement the technical and organizational security measures and ensure compliance with the GDPR's processing requirements.

 

 
