What is GDPR?
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and requires data processors and controllers that target or collect the personal data of European Union (EU) residents to uphold various privacy and security requirements. This applies to all companies regardless of whether they are based inside or outside of the EU.
Organizations that fail to comply with GDPR can be fined up to €20m or 4% of their annual revenue for the previous fiscal year, whichever amount is greater.
Who does GDPR apply to?
The GDPR applies to:
- a company that processes the personal data of EU citizens, regardless of where that data is processed.
- a company that is offering goods/services (paid or for free) to EU residents or is monitoring their behavior, regardless of whether that company was established inside the EU.
GDPR does not apply
Your company is a small tutoring service company operating online but based in the USA. Your company offers tutoring services on different types of academic courses and mainly targets individuals from France and Italy, in the EU. Students require login credentials (username and password) to access the online tutoring platform. The login credentials are provided after individuals from France and/or Italy fill out an enrollment form.
Your company is a cloud document repository service provider based in Brazil. The company provides services to customers in Argentina and Peru. Clients can use your services when they travel to other countries, including those within the EU. Since your company doesn't specifically target its services at individuals in the EU, it is not subject to the regulations of the GDPR.
Do I need to appoint a Data Protection Officer (DPO)?
To best determine whether your company needs a DPO, please seek legal counsel.
A Data Protection Officer (DPO) must be appointed if:
- The data processing is carried out by any public authority or body except for courts acting in their judicial capacity.
- Processing includes large scale, regular and systematic monitoring of people, for example online behavior tracking.
- Processing includes large scale processing of sensitive (special category) data or data relating to crimes and criminal convictions.
What are the GDPR requirements?
There are many GDPR requirements a company must adhere to, including:
- Providing a way for EU residents to know that their personal data is being collected and/or processed.
- Allowing EU residents to opt-out of certain personal data processing activities, request disclosure of their collected personal information in a portable format, and request that their personal data be forgotten.
- Documenting what personal information is collected, how it is processed, who has access to it, and the legal justification for collecting it.
- Encrypting, anonymizing, and/or pseudonymizing personal information.
- Implementing security controls and policies to safeguard personal data.
- Training personnel on GDPR requirements.
- Signing data processing agreements with third parties that process personal data.
- Establishing formal personnel roles around GDPR compliance and data protection, like hiring a Data Protection Officer (DPO).
Do I need an audit to prove GDPR compliance?
No, however any company processing EU personal data must abide to the GDPR law. You may have customers who will ask you to have an audit as an extra step to prove that you are compliant.
Am I a data controller or a data processor under GDPR?
To determine whether your company is a data processor, data controller, or both, speak to your legal team or outside counsel.
If your organization determines why personal data is processed and how that data is processed, then you are a data controller. If your organization processes personal data, which could include collecting, storing, transforming, or disclosing, based strictly on the orders of another party, then you are a data processor.
Compliance requirements differ if you are a data processor, a data controller, or both. The responsibilities of the processor on behalf of the controller are specified in a contract or other legal document.