General Data Protection Regulation (GDPR) requirements guide
The General Data Protection Regulation (GDPR) was created by the European Union (EU) to establish guidelines for the collection and processing of their citizens’ personal information. While the bulk of data referred to in the GDPR requirements is collected online from websites and applications, it also covers data collected on paper and other media.
GDPR was approved by EU members in 2016 and went into full effect two years later. It is a replacement for the Data Protection Directive, which was enacted in 1995. The driver for GDPR was to give EU consumers control over their personal data by regulating how companies can use this information.
GDPR requirements apply to all EU citizens, whether inside or outside of an EU member country. It also applies to all organizations that touch EU citizens’ personal data regardless of where their website or company is
What are GDPR requirements?
- Lawful, fair, and transparent processing (GDPR Chapter 2, Article 5a)
“Personal data shall be:”
5a: “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency.’)”
5b: “Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);”
To comply with these GDPR requirements, organizations must have documented a lawful reason for processing personal data. They must also have consent from data subjects to collect the information as well as make them aware of how it will be processed and used.
Meeting GDPR requirements for lawful, fair, and transparent processing means:
- Lawful means all processing should be based on a legitimate purpose.
- Fair means companies take responsibility and do not process data for any purpose other than the stated, legitimate purposes.
- Transparent means that companies must inform data subjects about the processing activities used for their personal data.
- Limitation of purpose, data, and storage (GDPR Chapter 2, Article 5b and 5c)
“Personal data shall be:”
5c: “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);”
GDPR requirements compel organizations to document the reason information is collected and processed as well as ensure that information is deleted when it’s no longer needed (i.e., data minimization). Leeway is given for information processing for archiving purposes, including the public interest, as well as for scientific, historical, or statistical purposes.
To effectively meet GDPR requirements, organizations should:
- Forbid processing of personal data outside the legitimate purpose for which the personal data was collected.
- Mandate that no personal data, other than what is necessary, be requested.
- Ask that personal data be deleted once the legitimate purpose for which it was collected is fulfilled.
- Data subject rights (GDPR Chapter 3, Articles 12-23)
Eleven rights of data subjects that detail GDPR requirements are codified in five sections:
- Transparency and modalities
- Information and access to personal data
- Rectification and erasure
- Right to object and automated individual decision-making
- Restrictions
- Consent (GDPR Chapter 2, Article 6)
“Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
According to GDPR requirements, data subject consent is only one of six lawful prerequisites for processing information. To gain consent, the processor must have active approval from an individual. That is, data subjects must take affirmative action to grant consent rather than the processor using a passive approach.
In addition, the consent must be documented, and the data subject must have the ability to withdraw consent at any time. For processing data for children under the age of 16, parental or guardian consent is required.
- Notification of data breach (GDPR Chapter 4, Article 33)
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
Article 4 (in chapter 2) defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
It is notable that what qualifies as a data breach under GDPR goes beyond a cybercrime. A data breach could be something as simple as sharing files with someone outside of the organization, an employee sending an email containing sensitive information to the wrong person, or someone accessing files without authorization.
- Data protection by design and by default (Chapter 4, Article 25)
“…at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing…”
To meet GDPR requirements for data protection by design, organizations must consider data privacy at the start of data processing.
- Data protection impact assessment (Chapter 4, Article 35)
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
According to GDPR requirements, a data protection impact assessment must be performed in these cases:
- “A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
- A systematic monitoring of a publicly accessible area on a large scale.”
- Data transfers (GDPR Chapter 5, Article 44)
“Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization.” The rules surrounding data transfers depend on where you are moving data to and from.
Additional GDPR requirements related to data transfers are detailed in Articles 45, 46, 47, and 48, which are also part of Chapter 5. These articles cover specific types of transfers and required data protection, including transfers to countries outside of the EU.
- Data protection officer or DPO (Chapter 4, Articles 37, 38, and 39)
Article 37 states, “The controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.”
GDPR requirements for the DPO are outlined in Article 38. A key point in Article 38 is, “Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.”
The tasks of a DPO are enumerated in Article 39. These include:
- Advising staff on their data protection responsibilities.
- Briefing management on whether data protection impact assessments (DPIAs) are necessary.
- Monitoring the organization’s data protection policies and procedures.
- Serving as the point of contact between the organization and its supervisory authority as well as for individuals on privacy matters.
- Awareness and training (Chapter 4, Article 39)
“to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including… awareness-raising and training of staff involved in processing operations…”
To adhere to GDPR requirements, organizations need to ensure that training is comprehensive and designed for each of the different roles in an organization. Data protection training related to GDPR is mandatory for any employee who handles sensitive information from an EU citizen.
Who must comply with General Data Protection Regulation requirements?
GDPR requirements apply to organizations in the EU and the European Economic Area (EEA), and to any organization that stores or processes information about EU citizens, regardless of where the website or the individual is based. Therefore, they apply to any organization with digital properties that have European visitors, even if EU citizens are not its target market. And even if the EU citizen is visiting or resides elsewhere, GDPR requirements still must be followed.
An organization must comply with GDPR requirements if any of the following criteria apply, which covers a great many companies:
- A presence in an EU country
- No presence in the EU, but processes the personal data of European residents
- More than 250 employees
- Fewer than 250 employees, but data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data
GDPR and data controller vs. processor
Organizations that are subject to GDPR requirements fall into one of two categories and, in some cases, both. In Article 4 of the GDPR, these are data controllers and data processors, which are defined as:
- Controller
“means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- Processor
“means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
The role of the data controller and the General Data Protection Regulation
Controllers, who can be individuals or legal entities, are responsible for determining why and how personal data is processed. For example, a company that processes an EU employee’s personal information is considered a controller. Controllers are accountable for maintaining compliance with the GDPR provisions that apply to processing EU citizens’ data.
Controllers also bear responsibility for demonstrating compliance with GDPR to data subjects and supervisory authorities. This includes explaining the processes used to ensure that data processing is lawful, fair, and transparent.
Data controllers must also ensure that protections are in place to destroy personal data after it is no longer needed so that only the minimum amount of data is stored. GDPR also requires data controllers to implement technical controls that protect the integrity and confidentiality of personal information.
The role of data processor and the General Data Protection Regulation
Processors can also be individuals or legal entities. They process personal data on behalf of a controller. Often, these are third parties, such as payroll companies or companies offering software-as-a-service that store EU citizens’ personal information. Processors must adhere to the conditions set forth in data processing agreements from controllers, which include rules related to GDPR.
Under GDPR, controllers are obligated to engage only processors who can guarantee adherence to the rules. This includes proving that they have sufficient technical and organizational controls in place to meet the security and privacy standards for processing EU citizens’ personal information.
GDPR requirements in the seven principles of GDPR
Article 5 in chapter two of the GDPR details seven principles relating to the processing of personal data.
- Lawfulness, fairness, and transparency: Lawfulness is based on having a good reason to process personal data. Fairness refers to users being able to understand why their data is processed and that it will not be mishandled or misused. Finally, transparency directs organizations to be clear, open, and honest about who they are and what they are doing with the data.
- Purpose limitation: GDPR establishes parameters for how data can be used, stating that it only be “collected for specified, explicit, and legitimate purposes.”
- Data minimization: The GDPR requirements for data minimization direct organizations to only collect the bare minimum of information needed to achieve objectives.
- Accuracy: To comply with GDPR requirements, organizations must take responsibility for the accuracy of the personal data that is collected and stored, including implementing checks and balances to assure and maintain the integrity of the data.
- Storage limitation: The amount of time that data can be stored is also part of GDPR requirements. Organizations must explain why they need to store the data and the reasoning behind the retention period.
- Integrity and confidentiality: Organizations are responsible for data protection. Security systems must be in place to ensure that personal data is protected from unauthorized access, unlawful processing, and accidental damage, loss, or destruction.
- Accountability: Proof of compliance with GDPR requirements and processing principles is mandatory. Organizations can be called upon at any time to demonstrate compliance.
General Data Protection Regulation requirements regarding individual rights
In chapter three, eight rights of individuals under GDPR are defined.
- The Right to Information: Right to be informed by organizations about how information is collected, how long it will be stored, and with whom it will be shared.
- The Right of Access: Right to be informed by organizations about what information is collected, how it is stored and processed, and how it will be used.
- The Right to Rectification: Right to have incomplete or inaccurate information corrected.
- The Right to Erasure: Right to have records with personal data permanently erased.
- The Right to Restriction of Processing: Right to limit the processing of personal data in the event that it cannot be erased.
- The Right to Data Portability: Right to obtain and reuse their personal data as well as request that organizations send this information to third parties.
- The Right to Object: Right to object to the processing of personal data. However, organizations can override objections in some circumstances.
- The Right to Avoid Automated Decision-Making: Right to deny the use of algorithms to make decisions and to opt out of automated decision-making.
Data protection for GDPR compliance
According to GDPR requirements, companies must employ data privacy protections for personally identifiable information (PII) related to any EU citizen they engage with, including employees, customers, and third-party vendors.
Understanding personally identifiable information and GDPR compliance
Almost all interactions with organizations involve an exchange of personal data. In many cases, individual pieces of this data are not enough to identify a person, such as:
- Date of birth
- Education information
- Email address
- Employment information
- Financial information
- Geographical indicators
- Mailing
- Medical information
- Place of birth
- Race
- Religion
- Telephone number
However, when aggregated, personal data, such as that noted above, can identify a particular person and become personally identifiable information or PII. Examples of PII include:
- Biometric data—retina scans, voice signatures, or facial geometry
- Name—full name, maiden name, mother’s maiden name, or alias
- Personal address information—physical address or email address
- Personal characteristics—photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
- Personal identification numbers—Social Security Number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
- Personal telephone numbers
GDPR requirements for data protection
To comply with GDPR, companies must employ data and privacy protections for PII related to any EU citizen they engage with, including employees, customers, and third-party vendors.
According to Article 32 of the General Data Protection Regulation (GDPR), Data Controllers and Data Processors are required to “implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data.” This includes implementing systems and processes “to ensure the confidentiality, integrity, availability, and resilience of processing systems and services.”
Tools for meeting GDPR requirements for data protection
There are a number of technologies that can be leveraged to support GDPR compliance efforts. Among the tools commonly used to meet GDPR data protection requirements are the following.
Data mapping and discovery tools
To ensure that all data covered under GDPR can be adequately protected, data mapping and discovery tools identify and document the flow of personal data within an organization. They provide a visual representation of where data is stored, processed, and transferred. This also helps meet GDPR requirements for risk assessments and facilitates data subject access requests (DSARs).
Encryption tools
Encryption tools use special algorithms to transform readable data into an unreadable format that requires a key to decrypt. This minimizes the risk of sensitive or PII data being compromised during data processing, as encrypted contents are basically unreadable for unauthorized parties. Encryption protects data when it is stored and when it is being transferred.
Data classification tools
Data classification tools identify, label, and categorize data based on its sensitivity and importance. This helps organizations meet GDPR requirements for data management and risk mitigation by directing the application of the appropriate security measures and access controls.
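The discovery and classification passages above describe what such tools do without showing the mechanics. The following is an added example, not code from the page or from any vendor: a small scanner that runs pattern detectors over constructed sample records, uses a Luhn checksum so that arbitrary 13-19 digit runs (order ids, timestamps) are not reported as card numbers, labels each hit with the PII category and a handling tier, and produces the “where is personal data stored” map that a DSAR or a DPIA needs. The record layout, file names, category labels and tiers are assumptions made for the example; the card number is the well-known Visa test PAN, not real data.

```python
"""PII discovery and classification over constructed sample records (added example)."""
import re
from dataclasses import dataclass

# Detection rules. Constructed for this example; real discovery tools ship far
# larger rule sets (national ID formats, IBANs, special-category keywords, ...).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){3,4}\b"),   # E.164-style, with separators
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                # US SSN layout
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),            # 13-19 digit PANs
}

# Category labels follow the page's PII list; the tier is an assumed label that a
# classification tool would use to drive controls (access restriction, encryption, masking).
CLASSIFICATION = {
    "email": ("personal address information", "confidential"),
    "phone": ("personal telephone number", "confidential"),
    "ssn": ("personal identification number", "restricted"),
    "card": ("financial account number", "restricted"),
}


@dataclass(frozen=True)
class Finding:
    source: str     # file or table the value was found in
    field: str      # column or key
    kind: str       # which detector fired
    category: str   # PII category
    tier: str       # handling tier


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates plausible card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_record(source: str, record: dict) -> list:
    """Run every detector over every field of one record and return the findings."""
    findings = []
    for field, value in record.items():
        text = str(value)
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                    continue                # order ids, timestamps etc. rarely pass Luhn
                category, tier = CLASSIFICATION[kind]
                findings.append(Finding(source, field, kind, category, tier))
    return findings


def build_data_map(records: dict) -> dict:
    """Map each source to the sorted PII categories it holds: the data-flow
    inventory view that data subject access requests and DPIAs rely on."""
    data_map = {}
    for source, record in records.items():
        categories = {f.category for f in scan_record(source, record)}
        if categories:
            data_map[source] = sorted(categories)
    return data_map


# Constructed sample data. The card value is the public Visa test PAN 4111 1111 1111 1111.
SAMPLE_RECORDS = {
    "crm/contacts.csv": {"name": "A. Example", "email": "a.example@example.org",
                         "phone": "+49 30 1234 5678"},
    "hr/payroll.json": {"tax_id": "123-45-6789", "salary": "54000"},
    "billing/orders.log": {"card": "4111 1111 1111 1111", "order_id": "7812345678901"},
}

if __name__ == "__main__":
    for source, categories in build_data_map(SAMPLE_RECORDS).items():
        print(f"{source}: {', '.join(categories)}")
```

The Luhn filter is the part worth copying: without it, the 13-digit order id in the billing log would be reported as a card number, and a discovery tool that cries wolf on every long number quickly gets ignored. The returned findings carry source and field, which is exactly what is needed to answer “where do we hold this person’s data” during a DSAR.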
Identity and access management tools
Controlling and monitoring access to personal data is a critical function to ensure GDPR compliance. Identity and access management tools manage and control user access to systems and data, ensuring only authorized individuals can access sensitive information. They provide authentication, authorization, and user lifecycle management to help prevent unauthorized access to sensitive and personally identifiable information (PII) and data breaches.
Data masking and anonymization tools
These tools help meet the GDPR requirement for the “pseudonymization” of data. With data masking and anonymization tools, real information is replaced with dummy text that looks and acts like legitimate data. This ensures that the data can be processed but not exposed. For example, Social Security Numbers or credit card numbers that require formatting with a certain number of characters to process can be anonymized with data masking, so the string has a valid character set but is not actual sensitive information.
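To make the pseudonymization and masking described above concrete, here is an added example (not code from the page or from any masking product) using only the Python standard library. It shows two techniques: a keyed, deterministic pseudonym (an HMAC token) that lets records be joined and counted without exposing the identifier, and a format-preserving mask that replaces every digit of an SSN or card number while keeping its length, separators and digit-only character set, so downstream code that validates the format still accepts it. The key is a constructed demo value; in a real deployment it is the “additional information” GDPR pseudonymization depends on and is kept separately from the data, for example in a KMS or HSM. The function names and the keep-last-four variant are choices made for this example.

```python
"""Keyed pseudonymization and format-preserving digit masking (added example)."""
import hashlib
import hmac

# Constructed demo key. In production this secret lives apart from the data store
# (KMS/HSM); whoever holds only the masked data cannot reverse the masking.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a direct identifier (email, customer id) with a keyed token.

    Same value and key give the same token, so joins and counts still work;
    without the key the token cannot be linked back to the person.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def _keystream(value: str, key: bytes, length: int) -> bytes:
    """Derive `length` deterministic bytes from HMAC(key, value || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = value.encode("utf-8") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mask_digits(value: str, key: bytes) -> str:
    """Format-preserving mask: every digit changes, nothing else does.

    Each digit is shifted by 1..9 positions taken from the keystream, so the
    result keeps the original shape (e.g. 123-45-6789 stays NNN-NN-NNNN) but no
    digit equals the original. Deterministic for a given key, and one-way.
    The small bias of `k % 9` over a byte is irrelevant for masking.
    """
    stream = _keystream(value, key, len(value))
    masked = []
    for ch, k in zip(value, stream):
        if ch.isdigit():
            shift = 1 + (k % 9)             # never 0, so the digit always changes
            masked.append(str((int(ch) + shift) % 10))
        else:
            masked.append(ch)               # separators and letters are kept
    return "".join(masked)


def mask_keep_last(value: str, key: bytes, keep: int = 4) -> str:
    """Variant used in billing views: mask all but the last `keep` digits."""
    total_digits = sum(ch.isdigit() for ch in value)
    masked = mask_digits(value, key)
    out, seen = [], 0
    for orig, m in zip(value, masked):
        if orig.isdigit():
            seen += 1
            out.append(orig if seen > total_digits - keep else m)
        else:
            out.append(orig)
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: a sample SSN layout and the public Visa test PAN.
    for sample in ("123-45-6789", "4111 1111 1111 1111"):
        print(sample, "->", mask_digits(sample, DEMO_KEY), "|", mask_keep_last(sample, DEMO_KEY))
    print("pseudonym:", pseudonymize("a.example@example.org", DEMO_KEY))
```

Two design points matter here. Determinism is what makes masked data “act like” real data in test and analytics environments: the same person masks to the same value across tables, so referential integrity survives. And the guarantee that every digit changes is what makes the output not actual sensitive information, rather than merely unlikely to be; a random-replacement masker can, with small probability, hand back the original number.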
Ensuring compliance with GDPR requirements: Tips and rewards
The broad reach and steep penalties (i.e., €20 million or 4% of global annual turnover) that come with GDPR noncompliance demand attention. Following are several best practices to consider with regard to meeting GDPR requirements.
- Assess mobile apps for compliance with GDPR requirements. With many team members accessing and storing PII on mobile devices, ensuring that those applications and devices meet GDPR requirements is important.
- Conduct periodic risk management strategy assessments. With ongoing organizational and operational changes, it is important to stay on top of exactly what EU citizen data is stored and processed and any associated risks. Mitigation and remediation measures should also be considered as part of the risk management strategy assessment. Particular attention should be paid to shadow IT instances that are collecting and storing PII.
- Develop and maintain a data protection plan that addresses GDPR requirements. If a data protection plan is not in place, make putting one together a top priority. For organizations that have a data protection plan in place, review it to ensure alignment with GDPR requirements. Data protection plans should also be checked regularly to adjust to changes and updates to GDPR requirements.
- Drive a sense of urgency from top management. Having executive leadership initiate the prioritization of compliance with GDPR requirements ensures that it is top-of-mind throughout the organization.
- Hire or appoint a DPO, if the position has not been filled already. While GDPR requirements do not explicitly call out the need for a DPO as a discrete position, it behooves organizations to have someone focused on executing this function. And, since GDPR allows a DPO to work for multiple organizations, a consultant can be engaged on a part-time basis.
- Involve all the stakeholders. Commonly, GDPR requirements are thought to be an IT issue—not so. IT alone is ill-prepared to meet GDPR requirements. Most groups in an organization collect, analyze, or use customers’ PII, including marketing, finance, sales, and operations.
- Monitor systems and processes for meeting GDPR requirements. Ongoing monitoring should be in place to ensure that an organization remains compliant with GDPR requirements.
- Test data-related incident response plans. Among the many GDPR requirements is one specifying that organizations must report a data breach within 72 hours of becoming aware of it. A well-thought-out incident response plan that is tested and put through dry runs can go a long way to meeting GDPR requirements and mitigating damage.
Yes, this takes time, but any organization that is subject to GDPR should invest in systems and processes to ensure compliance. The benefits go far beyond simply being compliant. Many of the GDPR requirements have the halo effect of enhancing security and bolstering brand perception by improving consumer confidence.
GDPR requirements FAQ
What are the requirements of GDPR?
To achieve and maintain GDPR compliance, organizations must adhere to a number of GDPR rules. The main GDPR requirements applicable to organizations that are subject to this regulation are as follows.
- Personal data must only be used for a legitimate purpose. In addition, organizations must tell data subjects about what is done with their personal data.
- Organizations that process personal data must only use personal data for the stated reason, and it should be destroyed when it is no longer needed.
- The eleven rights of data subjects must be protected.
- One of six lawful prerequisites for data subject consent must be met, and the consent must be documented.
- Data breaches must be reported within 72 hours of the organization becoming aware of them.
- Organizations must consider data privacy and data protection at the start of data processing.
- Data protection impact assessments must be carried out if there is a “high risk to the rights and freedoms” of EU citizens.
- Transfers of data for processing in “a third country or to an international organization shall take place only if, subject to the other provisions of” GDPR requirements.
- Data controllers and processors must appoint a data protection officer in applicable cases detailed in the GDPR requirements.
- Data protection awareness and training must be provided to any employee who handles the personal information of an EU citizen.
Do GDPR requirements apply to EU citizens who are not in the EU?
Yes, the personal information of all EU citizens is subject to GDPR requirements regardless of whether they are in the EU or abroad.
What organizations are subject to GDPR requirements?
Any organization that processes the personal data of any EU citizen must comply with GDPR or face penalties. This extends to all types of organizations—for-profit, nonprofit, and those in the public sector.