The General Data Protection Regulation, or GDPR, is Europe’s data privacy and security law that went into effect on May 25, 2018. Governed by the EU’s Information Commissioner's Office (ICO), it imposes obligations on organizations around the world that target or collect data related to people in the EU.

Regardless of where you’re located, if your business collects and/or manipulates the personal data of EU residents—or does so as a subcontractor of another organization—then you need to comply with GDPR.

To get you up to speed, here are some of the basics about GDPR in general and GDPR compliance specifically.

The ins and outs of GDPR

Considered as the world’s strongest set of data protection rules, the full text of GDPR contains 99 individual articles and 173 Recitals. These are broken down into eleven chapters, including:

1. 1. General Provisions
2. 2. Principles
3. 3. Rights of the Data Subject
4. 4. Controller and Processor
5. 5. Transfers of Personal Data to Third Countries or International Organizations
6. 6. Independent Supervisory Authorities 
7. 7. Cooperation and Consistency
8. 8. Remedies, Liability, and Penalties 
9. 9. Provisions Relating to Specific Processing Situations
10. 10. Delegated Acts and Implementing Acts
11. 11. Final Provisions

Getting a little more into the knitty gritty, Chapter 2, Article 5 lays out GDPR’s seven protection and accountability principles, which are important to highlight:

1. 1. Lawfulness, fairness, and transparency
2. 2. Purpose limitation
3. 3. Data minimization
4. 4. Accuracy
5. 5. Storage limitation
6. 6. Integrity and confidentiality
7. 7. Accountability

Throughout the articles included in these chapters, there are constant references to and regulations pertaining to personal data, so before continuing, let’s take a more in-depth look at what that constitutes.

What constitutes personal data?

Personal data is defined as any information relating to an identified or identifiable natural person (also known as the ‘data subject’).

According to the GDPR text:

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Controllers, processors, and sub-processors

You’ll also need to know up front OR be educated on whether you’re a ‘Controller’, a ‘Processor’, a ‘Sub-Processor’, or any combination of these. Here’s a quick rundown:

• Controller: A data controller controls the procedures and purpose of data usage, dictating how and why data is going to be used by the organization. It can process collected data using its own processes or work with a third-party or external service. Ultimately, the controller has the most responsibility when it comes to protecting the privacy and rights of the data subject.

• Processor: A data processor processes the data that the data controller gives them, meaning it doesn’t own nor control the data. Processors are bound by the instructions provided by the data controller.
• Sub-Processor: When a data processor chooses to sub-contract some or all of the data processing to a third party, this entity is commonly referred to as a “sub-processor.” The processor must have prior written authorization from the data controller to pass on personal data processing to the sub-processor, and will remain fully liable to the data controller for the performance of the sub-processor.

Now that we have a better handle on the GDPR basics, let’s dive into how your organization can become compliant.

Becoming GDPR compliant

If you’re unsure of whether or not your business needs to be compliant, ask yourself the following questions:

• Do you do business in Europe/are you subject to the GDPR?
• What kind of information do you collect about your users or customers?
• Are any organizations you sell your service to required (or require you) to adhere to GDPR?
• Are you a Controller or a Processor (or both) of personal data for individuals in Europe?
• Are you a sub-processor for any organization that controls or processes personal data for individuals in Europe?

If your answer to any of these questions is yes, your organization needs to be GDPR compliant.

While GDPR.eu provides a general compliance checklist that applies to all organizations, the checklist for US companies also includes those requirements unique to US organizations; US companies should consider both lists. As we outline on this page, here are the eight items on that checklist:

1. 1. Conducting an information audit for EU personal data
2. 2. Informing customers why your company is processing their data
3. 3. Assessing your company’s data processing activities and improving protection
4. 4. Ensuring you have a data processing agreement with your vendors
5. 5. Appointing a data protection officer (if necessary)
6. 6. Designating a representative in the European Union
7. 7. Knowing what to do if there is a data breach
8. 8. Complying with cross-border transfer laws (if applicable)

Next steps

Thankfully, Strike Graph can support GDPR compliance and can even offer it as an add-on to a SOC 2 for any customer handling personal data of EU residents. Don’t worry, leave it to us; we’ll guide your organization as it designs, sets up, manages, and continually improves how it handles consumer personal data per GDPR requirements.