The GDPR basics your business needs to know
We’ve all experienced situations when a few bad apples made life harder for everyone. There are plenty of examples of this in today’s world, but one of the most far-reaching examples is the need for data protection regulations. Some web-based businesses were taking advantage of customers’ data and disregarding their privacy, leading to widespread laws like the GDPR that everyone needs to follow.
When people talk about the GDPR, meaning the EU’s data privacy law, what do they mean? What does GDPR stand for, what is GDPR compliance, and what do you have to do to be compliant? To bring you up to speed, we’re covering all the essentials in this GDPR overview.
When did GDPR go into effect?
GDPR stands for General Data Protection Regulation. The EU adopted it in April 2016 as a response to the massive growth of technology and the way it has turned consumer data into both a commodity and a potential weapon. After a two-year transition period it took effect on May 25th, 2018, meaning that organizations had to be fully GDPR compliant by that date.
The GDPR isn’t the EU’s first regulation designed to protect private data. In 1995, it adopted the Data Protection Directive (95/46/EC), which laid out rules for processing and transferring data in the EU. The GDPR is essentially a modernized regulation with the same goal, designed to better reflect the way data is handled today and the fact that it functions as a form of currency. Because the 1995 Directive had to be transposed into each member state’s national law, every country in the EU ended up with its own somewhat different data privacy rules, which created a logistical mess for businesses and regulators. The GDPR fixes this by applying directly, as one unified regulation, in every member state.
When the GDPR took effect in 2018, it was among the strictest data privacy regulations in existence, and it remains so today. The text of the GDPR itself has not been amended since, but the rules around it keep moving: in July 2020 the Court of Justice of the EU invalidated the EU-US Privacy Shield framework that many US businesses relied on to receive personal data from the EU, and in June 2021 the European Commission published new Standard Contractual Clauses for such transfers. Cookie consent, meanwhile, is governed by the separate ePrivacy Directive, which borrows the GDPR’s definition of valid consent.
A refresher on GDPR basics
The goal of the GDPR was to give users and customers more transparency about their data and how it is collected and used, give users more control over their data, and protect users’ data privacy from unwarranted access.
The GDPR includes a variety of steps any business must take if it collects data from anyone in the EU. Understandably, EU authorities gave businesses a two-year transition period to get the necessary procedures in place, so the GDPR effective date was May 25th, 2018. If you’re wondering when the GDPR went into effect, think back to when cookie consent pop-ups started appearing on every site you visited.
GDPR compliance meaning and guidelines
For your organization to be considered “GDPR compliant,” you must adhere to all of the guidelines and requirements laid out in the GDPR. That involves having certain consent options on your site, incorporating and enforcing certain policies for how data is handled, and so on.
Keep in mind that the GDPR is a law, not a standard. Unlike a security standard, there is no audit you pass to become “GDPR compliant”: the certification schemes the regulation allows for are voluntary and do not reduce your responsibility. You are responsible for ensuring that you follow the law, and there are serious penalties if you are found to be in breach. Fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher, and individual fines in the hundreds of millions of euros have already been issued (one 2021 fine came to €746 million, about $787 million US). Double check your organization’s compliance with our GDPR checklist to avoid severe penalties.
As a whole, the GDPR is designed to protect the personal data of people in the EU. There are seven guiding principles it uses to carry out that goal.
Lawfulness, fairness, and transparency
Organizations must have a lawful basis for processing and must collect data fairly and transparently, so that consumers can understand what is being collected about them rather than having data gathered behind their backs.
Purpose limitation
When organizations collect data, it doesn’t become free for them to use in any way they choose. Collected data may only be used for the specific, explicit purposes that were communicated to the consumer at the time of collection, not for unrelated purposes later.
Data minimization
The GDPR requires organizations to collect only the data that is necessary for those purposes, so they receive as little data from consumers as is possible or reasonable.
Accuracy
To protect users from decisions based on inaccurate data, the GDPR requires organizations to take reasonable steps to keep consumers’ data accurate and up to date, and to correct or erase data that is inaccurate.
Storage limitation
The GDPR requires organizations to keep consumers’ data in an identifiable form only for as long as is necessary for the purposes it was collected for.
Integrity and confidentiality
Organizations must use appropriate technical and organizational measures to keep consumer data secure and confidential, protecting it against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability
The GDPR holds organizations accountable for how they use and handle consumer data and requires them to be able to demonstrate their compliance. This covers careless disregard for consumer privacy as well as intentional misuse.
What rights are granted under the GDPR requirement?
The core GDPR principles revolve around a set of rights that the legislation guarantees to people in the EU. These include:
- The right to be informed about what data is being collected about them and how it is used
- The right of access to the personal data an organization holds about them
- The right to rectification, meaning the right to have inaccurate or incomplete data corrected
- The right to erasure (the “right to be forgotten”), meaning the right to have their data deleted when there is no longer a lawful reason for an organization to keep it
- The right to restriction of processing, meaning the right to have processing of their data paused or limited in certain circumstances, for example while the accuracy of the data is being contested
- The right to data portability, meaning the right to receive the data they provided in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted directly to another company or service provider
- The right to object to processing, including an absolute right to object to direct marketing
- Rights regarding automated decision-making and profiling, including the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them
This “bill of rights” forms the core basis for the GDPR and sets the tone for the rules and regulations that businesses need to follow.
What are the GDPR rules I need to follow?
The GDPR includes a complex list of rules and requirements for businesses to follow. These cover security requirements, user communication policies, data management practices, and more, all aimed at protecting those eight rights guaranteed to users.
One type of requirement in the GDPR involves the lawful basis for collecting and processing users’ data. Consent is the basis most people associate with the GDPR, but it is only one of six: processing can also rest on a contract with the user, a legal obligation, the user’s vital interests, a task in the public interest, or your legitimate interests where these are not overridden by the user’s rights. Where you do rely on consent, the bar is high. It must be freely given, specific, informed, and unambiguous, and signalled by a clear affirmative action. Pre-ticked boxes, silence, or simply continuing to use a site do not count, and users must be able to withdraw consent as easily as they gave it.
You’re also required to have processes in place for communicating your data usage transparently to users. You need to have clear and easy ways for users to exercise their GDPR data protection rights, like ways for them to request the erasure of their data or to request access to the data you’ve collected about them, and you must respond to such requests without undue delay and normally within one month.
Another key component of the GDPR is data security. Article 32 requires technical and organizational measures appropriate to the risk, and names pseudonymization and encryption of personal data, the ability to restore availability after an incident, and regular testing of those measures as examples. In practice, you must have systems in place that keep users’ data reasonably safe from unauthorized access like hacks and data breaches, including internal access controls so that personal data can only be seen and used by the people and systems that genuinely need it. You must also have a process for detecting and reporting breaches: a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and the affected users must be told without undue delay when the breach is likely to put them at high risk.
If your company isn’t located within the EU, another key requirement (Article 27) is, in most cases, to designate a representative in the EU who can be the primary point of contact with EU authorities and data subjects about GDPR matters.
This is not a comprehensive list of the GDPR requirements but a general summary of the types of policies, protocols, and protections you’ll need to have in place for EU GDPR compliance.
Who needs to comply with the GDPR?
Most data privacy regulations apply to companies based in a particular area. The GDPR is different: it protects people in the EU regardless of where the organization handling their data is located. So who does the General Data Protection Regulation apply to? Two groups: any organization established in the EU, wherever the processing actually takes place, and any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour there, for example with tracking cookies or behavioural analytics.
Simply being reachable from the EU is not, by itself, enough; the test is whether you are targeting or tracking people there. In practice, though, that covers most companies with a commercial website, because accepting orders from EU addresses, pricing in euros, offering EU-language versions of your site, or running analytics that track EU visitors all count. You may not be actively marketing to EU customers, but if EU-based users can sign up, buy, or be tracked on your site, the GDPR applies to you. The rare exception would be a company that cannot or does not do business with EU-based customers, such as a site that geographically blocks EU users and collects nothing from them.
How can I make the GDPR compliance process as smooth as possible?
If you’re doing business in a way that requires you to follow the GDPR, the compliance process doesn’t have to be as arduous as you might expect. There are specialized tools that can help.
Compliance software, for example, connects to your systems and compares their configuration against a checklist of GDPR data privacy requirements. The software gives you a clear list of which criteria you already meet and what you still need to put in place for full compliance.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global standard maintained by the PCI Security Standards Council, which was founded by the major card brands. Compliance is a contractual requirement, enforced through the card brands and your acquiring bank, for any business that accepts card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand whether it is a Merchant or a Service Provider, and whether a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) is most applicable to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
SAQ A applies to card-not-present Merchants (e-commerce, mail order, or telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s own systems or premises.
SAQ A-EP is similar to SAQ A, but applies to e-commerce Merchants that don’t receive cardholder data themselves yet whose website affects the security of the payment transaction, for example by serving the payment page or the script that redirects cardholder data to a PCI DSS validated third-party payment processor.
SAQ D covers the full set of PCI DSS requirements (over 200 questions) and applies to any Merchant that does not fit the eligibility criteria of the shorter SAQs. If you are a Service Provider eligible to self-assess, SAQ D for Service Providers is the only SAQ you can complete.
A Report on Compliance (ROC) is an annual assessment, typically performed by a Qualified Security Assessor (QSA), that documents how your organization protects cardholder data. Level 1 entities, that is, Merchants that process over six million card transactions annually or Service Providers that process more than 300,000 transactions annually, must complete a ROC and the accompanying Attestation of Compliance (AOC) rather than an SAQ.