What are the main requirements of the GDPR

Compliance & Law

The General Data Protection Regulation (GDPR) - known in this country as the EU General Data Protection Regulation (GDPR) - will significantly change the way companies handle the data of EU citizens. Companies doing business in EU countries must be prepared by the time the GDPR takes effect. From that point on, the GDPR regulates not only how the personal data of citizens must be stored and protected in EU-internal transactions, but also the export of such data to countries outside the European Union. Companies that store or process personal data of EU citizens must comply with these rules from May 25, 2018.

The regulations apply equally to all 28 EU member states. This EU-wide standard is set quite high, however, and will mean that most companies have to make larger investments. The GDPR consists of 99 articles that define the rights of EU citizens, the requirements for companies and the penalties for non-compliance. We have summarized the most important requirements of the General Data Protection Regulation for companies. The full text of the law can be found here.

GDPR: handling of personal data

Article 5, processing of personal data: All personal data must be processed lawfully and traceably and collected only for specified purposes. The data may be stored in a form that enables identification of the data subjects only for as long as is necessary for the purposes for which it is processed. The data must be processed in a way that ensures adequate security of the personal data - including protection against unauthorized or unlawful processing by means of suitable technical and organizational measures. These measures, in turn, are not precisely defined. However, it can be assumed that a company will be classified as non-compliant in the event of a data theft.

Article 6, 7 & 8, consent: All personal data must be processed in a lawful manner. In plain language, this means that each individual must expressly consent to the use of their personal data. The data collected must also be necessary to complete a task or transaction that was initiated by the person concerned. The only exceptions are authorities.

  1. One law for everyone
    The same data protection rules apply across the EU. This also means increased responsibility and liability for everyone who processes personal data.
  2. "Right to be forgotten"
    If users do not want their data processed further, the data will be deleted - provided there is no legal reason against it.
  3. "Opt-in" instead of "Opt-out"
    If personal data is to be processed, users must actively consent (and not actively disagree as before).
  4. Right to transparency
    Users have a right to transparency - they can find out what data about them is collected and how it is processed.
  5. Access and portability
    Access to the data that third parties store about oneself should become easier. In addition, data portability must be guaranteed - i.e. it must be ensured that personal information can be transferred more easily from one service provider to another.
  6. Faster reporting
    If a data loss occurs, companies and organizations usually have to meet their official reporting obligation within 24 hours, or at least as quickly as possible.
  7. Less chaos with authorities
    Companies only have to deal with a single supervisory authority - the one in the country where they are headquartered.
  8. Cross-border
    Private users are allowed to report any data misuse to their national supervisory authority - even if the data concerned has been processed abroad.
  9. Extended scope
    The EU directive also applies to companies that are not based in the EU as soon as they offer goods or services in the EU or even only conduct online market research among EU citizens.
  10. Higher fines
    If a company violates data protection regulations, it faces a fine of up to four percent of annual sales.
  11. Reducing bureaucracy
    Administrative burdens such as reporting obligations for companies that process personal data are eliminated.
  12. Only from 16
    Legally effective registration with internet services such as Facebook or Instagr.am should generally only be possible for young people from the age of 16 - because only from this age can they give valid consent to the processing of their personal data. Under the regulation, national laws may provide for exceptions here.
  13. Strengthening the national supervisory authorities
    National data protection authorities are being strengthened in their competencies so that they can better enforce the new EU rules. Among other things, they can prohibit individual companies from processing data, stop certain data flows and impose fines on companies of up to two percent of their respective worldwide annual income. In addition, they are allowed to initiate legal proceedings on data protection issues.

    (Source: Forrester Research)

Article 15, right of access: EU citizens have the right, upon request, to find out which of their personal data a company uses for which purposes.

Article 17, right to erasure: Companies must delete an EU citizen's personal data at that citizen's request.

Article 20, right to data portability: Citizens of the European Union can arrange for their personal data to be transferred upon request.

Article 25 & 32, data protection: Companies must take appropriate technical measures to meet the requirements. What exactly "appropriate" means in the sense of the GDPR is explained in more detail in Article 32.

GDPR: Reporting obligation & penalties

Article 33 & 34, obligation to notify: Companies must report security incidents to the responsible authorities and the persons concerned within 72 hours of becoming aware of them.

Article 35, impact assessment: Companies are obliged to carry out a data protection impact assessment in order to assess the risks to EU citizens. The assessment must also describe the measures the company is taking to minimize the identified risks.

Articles 37, 38 & 39, data protection officer: Some companies are obliged to appoint a data protection officer who monitors and ensures both the data protection strategy and GDPR compliance. A data protection officer is required for companies that store or process large amounts of personal data from EU citizens and that carry out regular data reviews. Public authorities must also appoint a data protection officer. The International Association of Privacy Professionals (IAPP) estimates that there are currently around 28,000 data protection officer positions to be filled.

Article 50, International Cooperation: Internationally active companies that collect, store or process personal data from EU citizens must comply with the guidelines of the General Data Protection Regulation.

Article 83, penalties: In the event of violations, companies can face fines of up to 20 million euros - or four percent of total global sales.

This article is based on a contribution from our US sister publication csoonline.com.