
What is GDPR?


GDPR stands for General Data Protection Regulation. It is a European Union (EU) law that governs the way organizations can use, process, and store personal data.

Its aim is to give consumers control over their personal data and hold companies to certain standards when they handle and use this information. The regulation applies regardless of where websites are based, which means all sites attracting European visitors—even if they don’t specifically market goods or services to EU residents—must follow GDPR.

Who does GDPR apply to?

GDPR applies to any entity or organization that offers goods or services to people in the EU, or that targets such people and collects data related to them. In other words, companies must abide by GDPR if their sites attract European visitors, even if Europeans are not necessarily their target audience.

In simple terms, what does GDPR do?

GDPR gives consumers more control over how companies use their personal data by allowing them to refuse companies the right to collect, use, or share their personal information. Companies must inform consumers of how their data is used and must notify them whenever that data is put at risk.

Does GDPR apply to all data?

GDPR only applies to personal data, which means any information relating to an individual.

What are the fines for GDPR noncompliance?

GDPR fines fall under two categories. The less severe infringements can result in fines of up to €10 million or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

The more severe infringements can result in fines of up to €20 million or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

How do companies become compliant under the General Data Protection Regulation?

To remain compliant under GDPR, companies must follow the steps below:

Step 1: Conduct an information audit for EU personal data

First, organizations must assess whether they process any personal data and whether that data belongs to EU citizens. If companies process such data, they’ll need to determine if “the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.”

Step 2: Inform customers why their data is processed

When gathering customer data, companies must receive customer consent, which may mean reviewing the GDPR consent requirements and updating the privacy policy. Organizations will want to pay special attention to making their data activities clear and transparent to subjects.

Step 3: Assess data processing activities and improve protection

GDPR provides for a data protection impact assessment that helps businesses understand the security and privacy risks of processing customer data and find ways to avoid those risks. GDPR-compliant companies will need to implement data security measures, such as end-to-end encryption or organizational safeguards.

Step 4: Make sure to have a data processing agreement with vendors

Companies processing customer data remain responsible for the third parties that handle that data on their behalf if those third parties violate GDPR requirements. A data processing agreement outlines the rights and responsibilities of each party.

Step 5: Appoint a data protection officer (if necessary)

According to GDPR, many organizations (especially larger ones) must employ a data protection officer. The GDPR outlines the qualifications and responsibilities of the position.

Step 6: Designate a representative in the European Union

Some non-EU organizations need to appoint a representative based in one of the EU member states.

Step 7: Have a plan for data breaches

All companies are responsible for minimizing the harm caused if personal data is exposed through hacks or other data breaches. Strong encryption can protect businesses from data breaches and from the fines that follow them.

Step 8: Comply with cross-border transfer laws (if applicable)

Entities wishing to transfer personal data to non-EU countries must comply with GDPR requirements, which may include self-certifying under the Privacy Shield Framework.
