The General Data Protection Regulation (GDPR) is the European Union's updated and harmonized data protection law. It was adopted by the European Parliament on April 14, 2016, and has applied across the EU since May 25, 2018.
GDPR replaced the 1995 EU Data Protection Directive and emphasizes transparency on the part of organizations and stronger privacy rights for data subjects. It requires organizations to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), and to inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
The GDPR applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Its scope is defined by where the data subjects and the organization are, not by citizenship: the personal data of anyone located in the EU is covered, whether or not they are EU citizens, and an organization does not escape the regulation simply because it is based elsewhere. Penalties for violation are specified in the GDPR as well.
The GDPR also defines the justifications for collecting personal data: the information must be gathered for a specified, explicit and legitimate purpose and must not be processed in a way incompatible with that purpose. The regulation also requires data minimisation, stating that personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
If you are facing the need to meet the GDPR compliance requirements and get certified (or recertified after a long gap), you probably have a lot of questions and may feel overwhelmed. That's why we at Akitra decided to curate a series that answers the most frequently asked questions about GDPR. Our objective is to give you accurate and useful information that helps you better understand this complex compliance framework.
Let’s start now!
What is GDPR?
Broadly, GDPR requires an organization to do the following:
- Personal data of people in the EU must be safeguarded and processed only as authorized;
- Access to the data collected must be protected and limited;
- Contracts with third parties that process the data on the organization's behalf must include specific conditions governing that processing;
- People in the EU have a wide range of rights over their personal data, including the right to know what information an organization holds about them and the right to have the processing of that information restricted.
Additionally, specific rules for reporting personal data breaches must be observed.
Three main goals were considered when creating the GDPR:
- Create a single set of minimum standards for any organization, cloud-based or otherwise, that handles the personal data of people in the EU;
- Replace the 1995 Data Protection Directive and the 28 separate national privacy laws then in effect in the EU member states with a single privacy law;
- Update privacy law to keep pace with technological advances in the processing and transfer of personal data.
Learn more about how GDPR works, who must comply with it, its benefits, violations, and more in one of our previously written blogs right here.
5 Most Frequently-Asked Questions About GDPR Compliance
- How does GDPR define “personal data”?
Any information relating to an identified or identifiable natural person (known as a "data subject") is personal data. Many different pieces of information can be used, directly or indirectly, to identify or locate a data subject. Names, ID numbers, photos, email addresses, bank account details, posts on social networking sites, medical records, and IP addresses are a few examples of information that may be deemed personal data. The term "personal data" therefore has a deliberately broad definition.
- Does my company need to register under the GDPR?
The GDPR itself does not require registration. In the UK, however, unless an exemption applies, any organization that processes personal data as a controller, including sole traders, must register with the ICO (Information Commissioner's Office) and pay an annual data protection fee.
The fee is determined by your turnover and size:
- Tier 1: Micro organizations pay £40 annually. These organizations have a maximum annual turnover of £632,000 or no more than 10 members of staff.
- Tier 2: Small and medium-sized organizations pay £60 annually. These organizations have a maximum annual turnover of £36 million or no more than 250 members of staff.
- Tier 3: Large organizations (those that do not meet the criteria for Tier 1 or Tier 2) pay £2,900 annually.
- Are there restrictions on the types of data my company can gather, and what are the obligations regarding collection notification?
The processing of personal data must have a lawful basis, and the GDPR requires you to inform data subjects about how their data is collected and used (for example, at the point of collection). Because we are not in a position to give legal advice or to say which steps are necessary in your case, you should evaluate the GDPR's requirements for yourself and decide whether you need to consult your legal counsel to determine how the GDPR applies to your business.
- What is the difference between a data processor and a data controller?
A controller is an organization that determines the purposes and means of processing personal data. An organization that processes personal data on behalf of a controller is known as a processor. The controller is responsible for handling GDPR requests from data subjects and for deciding which data should be erased and which data should be retained for legally permitted purposes. A company acting as a data processor may assist its customers in meeting a GDPR request from those customers' subscribers, but the processor does not respond directly to a request made by the customer's subscriber.
- What are the penalties for not complying with the GDPR?
Less severe GDPR penalties:
For violations of the following articles, fines of up to €10 million or 2% of annual global turnover, whichever is higher, may be imposed:
- 8 (conditions for a child's consent);
- 11 (processing that does not require identification);
- 25–39 (general obligations of controllers and processors);
- 42 (certification); and
- 43 (certification bodies).
More severe GDPR penalties:
For violations of the following articles, fines of up to €20 million or 4% of annual global turnover, whichever is higher, may be imposed:
- 5 (principles relating to the processing of personal data);
- 6 (lawfulness of processing);
- 7 (conditions for consent);
- 9 (processing of special categories of personal data);
- 12–22 (rights of the data subject); and
- 44–49 (transfers of personal data to third countries or international organizations).
For more information, you can check out this article right here.
GDPR Compliance with Akitra!
Establishing trust is a crucial competitive differentiator when courting new SaaS customers in today's era of data breaches and compromised privacy. Customers and partners want assurance that the organizations they do business with are doing everything possible to avoid exposing sensitive data and putting them at risk. Compliance certification fills that need.
Akitra offers an industry-leading, AI-powered compliance automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our service helps customers demonstrate compliance with GDPR, along with other frameworks such as SOC 1, SOC 2, ISO 27001, PCI DSS, HIPAA and NIST 800-53. Our compliance and security experts also provide the customized guidance you need to navigate the end-to-end compliance process with confidence.
The benefits of our solution include substantial savings in time, staff effort, and money, including discounted audit fees with our audit firm partners.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.