GDPR is a relatively new compliance framework – in force since 2018 – but one that has rapidly gained momentum. Owing to the globalized adoption of online services and the accompanying threats to the privacy of personal information, it has become all too necessary to put proper privacy protection measures in place.
GDPR is a compliance framework that applies to the personal information of all EU citizens, dictating specific guidelines that companies should follow when collecting, processing, storing and using confidential information. This heavily affects SaaS businesses, regardless of where they are based, that have customers located in the EU.
If you’re asking yourself whether you need to comply with GDPR, you will want to take a look here. This blog explores what you need to know about GDPR compliance.
Let’s dive into it!
What is GDPR?
The General Data Protection Regulation (GDPR) is the world’s most stringent data privacy regulation. It governs how online businesses gather, process, and protect the personal data of EU citizens. It also governs the transfer of personal data outside of the European Union.
GDPR mandates that users have control over how their personal data is collected, shared, and used. They have the right to have their personal information (a) protected, (b) used lawfully and fairly, (c) updated or erased if they request it, and (d) made available if they request a copy.
The GDPR standards were written with three key objectives in mind:
- Establish a set of minimum requirements for online businesses that handle personal data of EU citizens
- Replace the different privacy laws in the 27 EU member states with one common privacy protection framework
- Update privacy legislation to reflect technological changes in the processing and transmission of personal data
The GDPR legislation adopted by the European Parliament and European Council is complex: 88 pages of compliance criteria, scenarios and enforcement methods. The regulation took effect in May 2018. It also governs the UK, even though that country has left the EU, since the UK adopted its own legislation harmonized with GDPR.
Who Should Comply with GDPR?
GDPR applies to any entity (person, business, or organization) that collects or processes personal data from any person in the European Union. “Personal data” concerns any data that allows an individual person to be identified. Any company with an app or website that collects data about its users from the EU must comply with GDPR.
The law is drafted in this manner because it is intended to safeguard the data and privacy rights of all EU internet users, regardless of where they venture online or make a purchase.
In short, if you conduct business with EU citizens, you must legally comply with GDPR. And if you want to inspire trust in your EU customers so that they will actually want to do business with you, then GDPR is a must for your brand.
What Data Comes Under GDPR?
“Personal information” or “personal data,” as defined by GDPR, refers to almost any data that can be tied to an identifiable individual, such as:
- Contact information
- IP addresses
- Geotagging and location data
- Recordings (audiovisual and audio)
- Medical records
- Posts on social media
- Opinions on religion and politics
Pseudonymous data is also deemed personal data if it is still generally possible to identify the person from it.
An important principle governing the kind of data that can be legitimately collected is that it conform to the principle of “data minimization” – that is, that the information be relevant to a business purpose. A consumer’s politics or sexual orientation isn’t relevant to selling that person a plane ticket to Cancun.
How Does GDPR Help with Compliance with California’s CCPA?
The California Consumer Privacy Act (CCPA) is an act of the California legislature that covers similar ground to GDPR. In some respects the CCPA is looser (more time allowed to rectify a violation) and in other ways it is more restrictive (covers a wider range of what’s considered personal information) than GDPR. But both GDPR and the CCPA are concerned with privacy and overlap considerably. For example, in both cases companies must allow consumers to see what personal data is being collected about them and which parties it is being shared with, and must honor a consumer’s request to have the data removed.
The CCPA covers companies that serve California residents. Such companies are required to observe the CCPA if they have collected personal data from 50,000 or more people or have more than $25 million in revenue. A company does not have to be based in the US to be subject to the CCPA – and the fines for non-compliance can be thousands of dollars per record.
This overlap provides yet another good reason to become GDPR compliant: because it gets you most of the way towards being CCPA compliant too.
Concepts Related to GDPR
The following are some helpful terms and concepts for navigating GDPR:
- You are a “data subject” if a cloud-based company collects or uses your personal information. The “data controller” is the company that owns the data.
- The data controller has the authority to delegate the processing of your personal data to another person or entity, called a “data processor”.
- Processing is the act of handling and storing your personal data.
To be authorized to process data under GDPR, businesses must establish one of the following six legal bases: consent, legal obligation, contract, public task, vital interests, and legitimate interest.
Businesses can obtain verifiable consent, for example, by having consumers agree via an online form to the collection and sharing of their personal data. However, users have the right to withdraw their consent at any time, and organizations must stop processing when this happens.
When Should We Worry about GDPR Compliance?
If you aren’t already GDPR compliant, you should address it right away, because the penalties for non-compliance can run to millions of dollars. Accountability is a key principle of GDPR. The scale of fines depends on multiple factors, such as whether or not a breach occurred, the number of users and records involved, and the extent of the data security measures taken by the company. Before launching a new website or app that will serve EU users, it’s best to understand GDPR’s requirements and become compliant as soon as possible.
Is GDPR Compliance Required for Companies Outside the EU?
Because the GDPR was created to safeguard EU users, even organizations operating outside the EU must comply if they want to collect data from EU users.
If you are a US-based SaaS company and your product is only available to customers residing in the US, you won’t need to comply with GDPR. But most SaaS companies do not limit their potential customers in this way, even if EU customers are not the primary target. So it is better to build in compliance from the outset than to retrofit the product after the fact.
Where Do I Get Started?
Don’t panic if you’ve suddenly realized you need to comply with GDPR. Akitra will guide you through the whole process, until you achieve certification.
Akitra can provide your company with a compliance automation solution that will streamline your GDPR readiness process and make you audit-ready in less than half the time and at less than half the cost of traditional, manual evidence-gathering and auditing processes. And, if you need to prove compliance with other frameworks such as SOC 1, SOC 2, ISO 27001, NIST 800-53 or HIPAA, Akitra will provide compliance automation services for those too.
To book your FREE DEMO, contact us right here.