GDPR Compliance

A Complete Introduction

What is GDPR?

The General Data Protection Regulation (GDPR) of April 2016 covers privacy and data protection in the European Union (EU), and the European Economic Area (EEA). However, it also extends far beyond the EU, touching data transfer outside the EU and any business that engages in related activities.

The GDPR replaces the outdated Data Protection Directive of 1995 to address changes caused by moving commerce online. It sets consistent provisions and a single standard to meet for all 28 EU member states, but it is a high standard.

The GDPR protects several types of private data:

  • Basic identity information such as name, address and ID numbers
  • Web data such as IP address, location, RFID tags, and cookie data
  • Biometric data
  • Health and genetic data
  • Racial or ethnic data
  • Sexual orientation
  • Political opinions
  • Any information that relates to an identified or identifiable living individual

Even if they do not have a business presence within the EU, any company that stores or processes personal information about EU citizens within EU member states must comply with the GDPR. Specifically, a company must demonstrate GDPR compliance, also sometimes called GDPR cloud compliance and GDPR IT compliance, if they meet one of these criteria:

  • The business has a presence in an EU country;
  • No EU presence, but the company processes the personal data of EU residents;
  • The organization has more than 250 employees; or
  • The company has fewer than 250 employees but its data-processing is not occasional, impacts the rights and freedoms of data subjects, or includes specific types of sensitive personal data.

It’s that last point that effectively includes nearly all businesses.

The GDPR grants users 8 basic data privacy and personal data rights:

The right to access. Individuals can request access to their personal data and may ask about how their data is processed, used, stored, or transferred. If requested, organizations must provide a free, electronic copy of the personal data.

The right to be informed. Entities must inform users of their rights and acquire free, actual consent before collecting and processing the data of users—implied consent is not enough.

The right to data portability. At any time, individuals must be able to transfer their data from one service provider to another in a machine-readable, commonly used format.

The right to be forgotten. Users who withdraw their consent to use their personal data or are no longer customers have the right to have their data deleted.

The right to object. Users who object to a company’s use or processing of their data can request that they stop, and if they do, that processing must stop immediately upon that request, no exceptions.

The right to restrict processing. In lieu of objecting entirely, individuals can ask companies to restrict processing, either stop a specific type of processing, or stop processing the data altogether. If they choose, their data can remain in place.

The right to be notified. In the event of a compromising breach of personal data, individuals have the right to be notified within 72 hours of the entity’s first knowledge of the personal data breach.

The right to rectification. Users can request that companies complete, update, or correct their personal data.

Any entity that controls or processes personal data must implement the data protection principles using appropriate organizational and technical measures (see discussion of implementation below). Companies subject to the EU must consider these GDPR compliance principles as they design and build business processes for managing personal data and safeguard data using anonymization or pseudonymization as appropriate.

Processing of personal data can only be undertaken under one of the six lawful regulatory bases: contract, consent, legal requirement, vital interest, public task, or legitimate interest. At any time, the subject of data processing has the right to revoke their consent.

Taken as a whole, these new rights and obligations faced by businesses present a number of GDPR compliance challenges. This guide is intended as a GDPR compliance roadmap for organizations facing those challenges.

What Information Does GDPR Cover?

The GDPR covers any company or other organization that offers goods or services to or processes the personal data of residents or citizens of the EU. It is irrelevant if the entity itself is inside the EU.

The GDPR defines an array of legal terms at length. Below are some of the most important ones:

Personal data. Personal data includes any information that relates to an individual who can be identified, either directly or indirectly. This obviously includes names and email addresses, but it also includes biometric data, ethnicity, gender, location information, political opinions, religious beliefs, and web cookies. Pseudonymous data may also be personal data if it’s reasonably easy to identify someone using it.

Data processing. Any action, whether automated or manual, performed on data, including gathering, organizing, recording, storing, structuring, using, and erasing—almost anything to do with data falls under the heading of data processing.

Data subject. Service users, site visitors, customers, and anyone else whose data is processed are data subjects.

Data controller. The data controller decides for the organization how and why the organization will process personal data.

Data processor. Any third party, such as an email service or cloud provider, that processes personal data for a data controller, is a data processor.

FAQs

What is GDPR Compliance?

To achieve GDPR cloud compliance, there are several critical areas with their own GDPR requirements to understand.

 

Data protection principles

All entities who process data must adhere to the seven protection and accountability principles Article 5.1-2 of the GDPR outlines. We discuss these below in their own subsection.

 

Accountability

The GDPR requires data controllers to demonstrate compliance. In fact, ability to prove compliance is itself a requirement. There are several ways to achieve this:

  • Detail and assign data protection responsibilities within the company.
  • Carefully document the nature of all collected data, how it is used, who is responsible for it, where it is stored, and anything else to do with it, in one secure location.
  • Implement organizational and technical security measures and train your staff on them regularly.
  • Secure Data Processing Agreement contracts with all third party data processors.
  • Appoint a Data Protection Officer (DPO) if needed (see below).
  • Ensure you are able to respond to all requests for data, GDPR audits, and GDPR related demands for documentation.

 

Data security

There are several basic data security principles set forth by the GDPR:

Entities must handle data securely. To do this, they are required to implement any organizational and technical measures that are appropriate.

Organizational measures may include making a data privacy policy part of the employee manual, training staff, or limiting access to personal data only for certain employees who have a direct need to work with it.

Technical measures may mean any number of things, from contracting only with third parties that use end-to-end encryption, to requiring employees to use strong authentication anywhere personal data is stored.

In the event of a personal data breach, entities must inform data subjects within 72 hours or face penalties. In some situations, the requirement for notification may be waived if technological safeguards that render data useless to an attacker are in place, such as encryption.

 

Data protection by design and by default

The GDPR standard of data protection “by design and by default” covered in Article 25 means that data protection principles must be considered in the design of any new activity or product. For example, if a business wants to develop a new application, it must consider what personal data the app might collect from users in any situation, seek out ways to minimize how much data it collects, and use the latest technology to secure it.

 

When processing data is permitted

Article 6 explicitly lists when it is legal to process personal user data. Do not collect, use, store, sell, or do anything else to personal data unless you can justify it in one of the ways detailed under the GDPR: consent, contract, legal requirement, vital interest, public task, or legitimate interest.

Consent. Consent means you received specific, unambiguous consent from the data subject to process the data. An example is a customer who opts in to an email marketing list. (See below.)

Contract. In this case, the requirements of a contract to which the data subject is a party necessitate data processing. An example of this is a job applicant who must undergo a background check before completing the process and getting the job.

Legal requirement. Data processing is required to comply with a legal obligation. For example, the business receives a court order.

Vital interest. You need to process the data to protect or save someone’s life. For example, if the person is incapable of consenting to emergency medical care, this may apply. It does not apply if they are capable of consenting but withhold consent.

Public task. If data processing is essential to performing some official function or a task in the public interest, it may be allowed here. For example, a public or private utility or garbage collection entity would be able to process data sufficient to achieve their tasks.

Legitimate interest. If a processor has a legitimate interest to process a user’s personal data they may if they document it well. However, the rights of the data subject always override these interests, particularly concerning the data of children. Furthermore, although this basis is the most flexible, it is also risky to use widely (see below).

You must document the lawful basis for your data processing that you have determined, and notify the data subject. Any changes to your justification for data processing must always be justified, documented, and provided to the data subject.

 

Consent

There new rules surrounding what constitutes data subject consent are strict. To process the personal information of a data subject:

  • Consent must be specific, informed, freely given, specific, and unambiguous.
  • Requests for consent must be made in plain, clear language and they are required to be “clearly distinguishable from the other matters.”
  • Data processors must honor the wishes of data subjects, who can withdraw consent at any time. Data processors cannot avoid withdrawal of user consent by changing the justification for the processing.
  • Parent permission is required for children under 13.
  • Data processors must retain documentary evidence of consent.

 

Legitimate interest

The most flexible of the lawful bases for processing personal data under the GDPR, legitimate interest applies whenever an entity uses personal data in a way that data subjects would expect. The interests in question might be those of society, a third party, or the organization itself.

Typically, legitimate interest applies when:

  • There is a clear benefit to data processing although it isn’t required by law;
  • The processing creates little risk to user privacy; and
  • The data subject should reasonably expect that their data would be processed in this way.

Among the specific types of data processing the GDPR highlights as legitimate interests are:

  • Network and information security
  • Fraud prevention
  • Indicating possible threats to public security or criminal acts

Processing client or employee data, intra-group administrative transfers, and direct marketing will generally also be considered legitimate interest.

This broad legitimate interests umbrella may appear attractive, but it is not usually the most appropriate lawful basis for most data processing activities. The tradeoff for the legitimate interests flexibility is that it can only be used with thorough documentation. Each use of this basis must be thoroughly documented and substantiated.

Data subjects as always can object to the processing of their data and force processors to remove their records using a data subject access request (DSAR). This requires the processor to turn over a full record of the user data the entity holds on them as well as the justification for collecting it.

If legitimate interest is your justification, the burden is on the data processor to prove that you were, in fact, justified even if the user disagrees. This burden falls on your documentary evidence and reasoning, and opens the organization up to scrutiny and the potential for a large fine. Furthermore, if at any time users show that you’ve established a pattern of unsound “legitimate interestdata processing, this may show a trend of unlawful data collection under the GDPR—even if that was never the intent.

 

Data Protection Officers

Not every data processor or data controller must appoint a Data Protection Officer (DPO). There are three conditions that necessitate such an appointment:

  • The entity is a public authority other than a court;
  • The entity’s core activities demand the systematic, large-scale monitoring of people;
  • The entity’s core activities include large-scale processing of special categories of medical or legal data listed under Article 9 and Article 10 of the GDPR.

Even if it is not required, there are benefits to designating a DPO. The role of the DPO is to understand the GDPR at a deep level, interpret how it applies to the organization, liaise with regulators, conduct data protection trainings, advise members of the organization about their responsibilities, and audit and monitor the organization for GDPR compliance.

 

Individual privacy rights

Data subjects enjoy a range of new privacy rights under the GDPR. The collective aim of those rights is to shift control over personal data from organizations back toward individuals. Understanding these privacy rights of data subjects is important to ensuring GDPR compliance:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Automated profiling and decision making rights.

What are the 7 Principles of GDPR?

Article 5.1-2 outlines seven protection and accountability principles for processing data:

 

Lawfulness, fairness and transparency. Data processing and control must be fair, lawful, and transparent to the data subject.

Purpose limitation. Data processing must be limited to the legitimate, explicitly specified purposes which the data subject understood when the data was collected.

Data minimization. Data processors should collect and process only the amount of data that is absolutely necessary for the specified purposes.

Accuracy. Data processors must maintain accurate, updated personal data.

Storage limitation. Data controllers and data processors may only store personally identifying data for as long as the specified purpose makes necessary.

Integrity and confidentiality. Data processing methods and technologies must ensure appropriate integrity, security, and confidentiality, such as by using encryption.

Accountability. The GDPR holds data controllers accountable by making them demonstrate GDPR compliance with each principle.

Who is Responsible for GDPR Compliance?

There are several roles defined by the GDPR that are responsible for ensuring compliance: the data controller, the data processor, and the Data Protection Officer (DPO).

The data controller determines how and why personal data will be processed and clarifies the purposes for the processing. The data controller is also responsible for ensuring outside contractor compliance.

Data processors can include groups internal to the organization that maintain and process personal data, but can also include any third party or outsourcing firm that performs all or some of these activities. Data processors are liable under the GDPR for breaches or non-compliance—even when the fault is not jointly shared. This means that your organization and a third-party provider will all be liable for GDPR fines even if all the blame goes to a data processing partner.

In many situations, the GDPR requires the designation of a DPO. Organizations must designate a DPO if they process or store special personal data, store or process large amounts of data from EU citizens, are a public authority, or regularly monitor data subjects. Certain public entities may be exempt from the DPO requirement, such as law enforcement.

The Data Protection Officer (DPO) is responsible for GDPR cloud compliance. The DPO is a leadership role within data processing organizations that is responsible for overseeing the general approach to data protection. The DPO also manages and implements organizational strategies aimed at data protection. The DPO is not held personally accountable for non-compliance.

In organizations without a DPO, responsibility for GDPR compliance reverts back to all data controllers and data processors.

What Happens if I am not GDPR Compliant?

The GDPR has fundamentally shifted how businesses think about and handle personal data. At a minimum, organizations must now demonstrate to officials that they are actively working towards compliance and accountability or face the consequences of GDPR non-compliance. Any entity that fails to adhere to these new norms face severe, tiered penalties as high as 4 percent of global revenue, or $24.4 million, whichever is greater, depending on the circumstances of violations and their severity.

Why US Companies Must Comply with the GDPR

Organizations outside the EU must comply with the GDPR because its scope, like that of other agreements and treaties, is extra-territorial. The law itself is designed to protect the rights of data subjects, not so much to regulate businesses. Under the GDPR, a data subject is any person within the EU, including residents, citizens, and visitors, perhaps.

In practice, this means that any organization that collects any personal data of people in the EU is required to comply with the GDPR and should develop a GDPR compliance strategy. This includes IP addresses of website visitors, email addresses in a marketing list, or any other personal data.

How can the EU enforce laws in territory outside its control? It is actually commonplace for countries and foreign governments to assist each other in enforcing local laws through mechanisms such as extradition treaties and mutual assistance treaties. Article 50 of the GDPR directly addresses this issue.

Who Monitors GDPR Compliance?

Each member state of the EU appoints one independent, public supervisory authority—a body responsible for supervising GDPR IT compliance statewide. This body is called the Data Protection Authority (DPA). DPAs supervise how organizations apply data protection laws using both investigative and corrective powers. DPAs provide data protection expertise and handle complaints concerning GDPR violations and relevant national laws.

Typically, the DPA of an organization’s home EU Member State is the main contact point for questions on data protection. However, organizations which are part of conglomerates established in different EU Member States or who process data in different EU Member States may have a DPA in another EU Member State as their main contact point.

Although the United States was the source of the first proposal for a federal data protection agency back in the 1970s, it remains among the few world democracies that lacks such an agency. However, aggressive use of the FTC Act’s Section 5, which prohibits deceptive or unfair trade practices, has made the FTC the de facto DPA in the US.

How to Implement GDPR Compliance

Use this GDPR compliance checklist to better understand the basics of GDPR compliance, to help implement GDPR compliance, or to achieve voluntary GDPR certification under Article 42(3). You will be working to implement GDPR IT compliance in four areas: lawful basis and transparency; data security; accountability and governance; and privacy rights.

 

Lawful basis and transparency implementation steps

  • Conduct an information audit

Confirm the organization’s need for GDPR compliance. Identify all personal data in the organization’s possession, and determine which of that information belongs to people in the EU. If the entity possesses that kind of data, use Recital 23 to clarify whether the organization is subject to the GDPR; that recitation states that the data processing activities in question must be related to offering data subjects goods or services, whether or not they are connected to a payment. All organizations subject to the GDPR should then move to the audit stage.

Conduct an information audit to determine what data the organization processes and who within the company can access it. The data protection impact assessment is the best way to demonstrate cloud GDPR compliance.

Some organizations are required to maintain a detailed, updated list of their data processing activities they can show to regulators upon request. This mainly applies to organizations that conduct higher-risk data processing or that have at least 250 employees, but other organizations will find GDPR IT compliance easier to achieve if they conduct an assessment.

Include in the list: what kind of data being processed, the purposes of the data processing, who within the organization can access the data, any third parties that can access the data and where they are located, what steps the organization is taking to protect the data such as end-to-end encryption, and, if possible, when the data will be erased.

  • Inform users and customers

All data processing activities must have a legal justification. Unless it is justified according to one of six conditions listed in Article 6, data processing is illegal under the GDPR. Articles 7-11 detail other provisions related to special categories of personal data such as those connected to children. Articles 6 through 11, select a lawful basis for data processing, and carefully document the chosen rationale.

Consent is only one option among six. If you choose to engage in data processing based on user consent, there are extra required duties, such as providing data subjects with an ongoing opportunity to revoke that consent.

Entities must be able to demonstrate that they have conducted a privacy impact assessment to use legitimate interests as a lawful basis.

Article 12 requires that organizations provide transparent, clear information about data processing activities to their data subjects. This typically includes updating the privacy policy to include detailed, clear information about legal justification and data processing activities, including why personal data is being collected. The policy should explain how the organization processes the data, who can access it, and how the company safeguards the data.

Entities must provide the privacy policy which includes all of this information to data subjects at the time they engage in data collection. The policy must be presented using clear and plain language, in a transparent, concise form that is easy to understand and access. This is of special emphasis for any information for consumption by children or concerning their personal data.

 

Data security steps

  • Assess your data processing activities and improve protection

A data protection impact assessment helps identify and determine how to mitigate risks to data privacy and security. Organizations are required by the GDPR to carry out this kind of analysis anytime they plan to use personal data in ways that are “likely to result in a high risk to [user] rights and freedoms.” It is a best practice to conduct a data protection impact assessment anytime the entity processes personal data, and all organizations should know when they must conduct such analysis, and put in place a process for carrying it out.

When starting new projects or developing new products, organizations must follow the principle of data protection by design and by default. This means implementing data security best practices to limit exposure to personal data breaches.

All personal data processing must adhere to the Article 5 GDPR principles which require that entities use appropriate organizational safeguards and technical measures to protect data. Technical measures include end-to-end encryption, and organizational measures include tactics such as deleting data that is no longer needed and limiting the amount of personal data collected in the first place.

Whenever feasible, encrypt, anonymize, or pseudonymize personal data. Most productivity tools businesses use today including GDPR compliant cloud storage, email, notes, and messaging are now available with built in end-to-end encryption, an essential part of the GDPR compliance toolkit.

Despite strong technical security, operational security may remain a weak point. To ensure it isn’t and team members are knowledgeable about data security, create a security policy that includes guidance about device encryption, email security, two-factor authentication, passwords, and VPNs. Both non-technical employees and employees with access to personal data should receive extra training in GDPR compliance requirements.

 

Accountability and governance steps

  • Ensure data processing agreements with vendors are in place

A data controller will be held accountable in part for any third-party clients who violate obligations under the GDPR. Therefore, a data processing agreement that establishes each party’s rights and responsibilities is critical. Third parties for the purposes of this discussion include cloud storage providers, email or messaging vendors, and all subcontractors that handle personal data. A sample data processing agreement template can be found in the link. Use only reliable third parties that can provide sufficient data protection guarantees.

  • Appoint a Data Protection Officer (DPO) or other responsible party for GDPR compliance

Many organizations are required by the GDPR to designate a DPO, particularly larger ones. The GDPR specifies certain, but not all, of the characteristics, duties and qualifications of this management-level role (see above). Generally, the DPO is empowered to evaluate the substance and implementation of all organizational data protection policies. The DPO is a data protection expert who is tasked with assessing data protection risks, advising on data protection impact assessments, monitoring GDPR compliance, and cooperating with regulators.

  • Designate a representative in the EU

Article 27 specifies which non-EU organizations must appoint a EU member state based representative. Recital 80 clarifies the role of that representative in more detail.

If your organization engages in data processing relating to people in a specific member state, appoint a local representative who can communicate on your behalf with that country’s data protection authorities. In situations where data processing affects individuals across multiple EU states, the GDPR and its official supporting documents do not provide specific guidance. Designating a representative in a member state that shares your language or some other organizational affinity may make the GDPR compliance process simpler.

  • Know how to proceed in case of a data breach

Articles 33 and 34 set forth the duties of organizations in the event of a breach or hack that exposes personal data. The use of strong encryption can reduce an organization’s notification obligations and mitigate exposure to GDPR non-compliance fines in the event of a personal data breach.

All organizations should have a notification process in place to alert both data subjects and the authorities in the event of a data breach. If personal data is exposed after a breach, notification of the supervisory authority in the organization’s jurisdiction must take place within 72 hours.

The GDPR does not specify who organizations not based in the EU should notify. Those in non-EU countries that speak English may find it simplest to notify Ireland’s Office of the Data Protection Commissioner. The requirement to notify data subjects of personal data breaches stands unless the breach is unlikely to put users at risk—for example, if the organization uses strong encryption and stolen data is worthless or unusable to hackers.

  • Comply with applicable cross-border transfer laws

GDPR Article 45 retains tough requirements for organizations wishing to transfer personal data to non-EU countries. This step may require entities to self-certify under the Privacy Shield Framework.

 

Privacy rights steps

Ensure it is easy for users to request and acquire all of their personal data from the organization. Data subjects have the right to see the personal data entities have, how they are using that data, how long it will be stored, and the reasons for keeping it. The first copy of this information must be provided to users free of charge. Subsequent copies should be provided but can at a reasonable cost. Verify the requestor’s identity and comply with all requests within one month, under Article 16.

It must be simple for users to update or correct incomplete or inaccurate information. Under Article 15 organizations should implement a data quality process to keep data up to date, and ensure it is easy for data subjects to view and update personal data for completeness and accuracy.

Make it easy for users to request deletion of their personal data. Data subjects have the right to request the deletion of personal data, and organizations must honor those requests within about one month. There are five bases upon which such a request may be denied, such as compliance with a legal obligation or the exercise of freedom of speech.

It must be simple for data subjects to request that data processing stop. Users must be able to request to restrict or end data processing under some conditions, such as when there is a dispute about the accuracy of the data or the lawfulness of the processing. This request too must be honored within about a month. Organizations may continue to store data while processing is restricted, but must notify the data subject before processing data begins again.

It should be simple for data subjects to request and receive a copy of their personal data. The copy must be in a format that is transferred easily to another organization, in a commonly readable format, and should be transferred either directly to the user or to a third party they designate—even a competitor. The data is theirs to turn over, and they own it, not the organization, from a privacy standpoint.

Make it easy for users to object to data processing. If they do object to data processing for direct marketing use, the organization must immediately stop. Otherwise, the objection may be challenged if the organization can demonstrate other compelling legitimate grounds.

If an organization uses automated processes to make decisions about people, it must also implement a procedure to protect their freedoms, rights, and other legitimate interests. In other words, it must be easy for data subjects to weigh in on decisions, to request human intervention, and to challenge existing decisions.

Taking these precautions and undertaking other general steps for GDPR compliance can help avoid the scrutiny of regulatory authorities.

Why is GDPR Compliance Important?

GDPR compliance is important because it protects the rights of data subjects in the EU and clarifies how organizations that engage in data processing with personal information must safeguard those rights. All organizations and businesses that work with the personal data of people in the EU in any way must comply or risk serious GDPR non-compliance penalties.

Just as critically, whether they are large enterprises or small businesses, organizations that process personally identifiable data can and should implement GDPR principles to ensure a more secure user environment. A safe data environment is more conducive to successful, sustainable business operations, and this drives home the added importance of GDPR compliance.

What is GDPR Compliance Software?

Using GDPR compliance software is among the most straightforward and accessible paths to meeting the requirements set forth in the GDPR. GDPR software is a critical piece of GDPR compliance automation that assists organizations in managing consent forms, customer data, and data security. Some forms of GDPR compliance software also allow data subjects to edit their personal data that the organization stores or processes.

CCPA vs GDPR?

Although there is some shared ground between the GDPR and the California Consumer Privacy Act (CCPA), they are not the same. The two regulations have a similar goal: the protection of the right to privacy of consumers. However, these laws often differ in who they affect and what they require.

The GDPR impacts any organization that offers goods or services to or monitors the behavior of EU subjects whether they are inside or outside the EU. In contrast, the scope of the CCPA is more limited, affecting some organizations that have customers who are California residents, that do business with a California company, or that collect any personal data of California residents for any purpose—whether they are inside or outside of California. To fall under the CCPA, companies must handle the personal data of over 50,000 consumers for commercial purposes, have gross revenue greater than $25M, or derive at least 50 percent of annual revenues from selling the personal data of consumers.

While the GDPR requires most organizations outside the EU to designate a representative inside a member state, there is no such requirement for a California representative under the CCPA.

Penalties under the regulations also differ, with GDPR compliance fines tending to be extraordinarily costly. CCPA penalties can be either civil—where intent was not present—or intentional. Civil violations cost $2,500 each, while intentional violations run $7,500 each after both notice and a window of 30 days to remedy the violation.

Unlike the GDPR, the CCPA does not define or require technical or organizational security measures. However, in the event of a data breach, the CCPA provides a legal right of action for consumers.

Opt-out rights are an additional differentiation point between the GDPR and the CCPA. The GDPR does not create a right to opt-out of personal data sales. Instead, it creates a right in consumers to withdraw consent to process personal data and to opt-out of processing data for marketing purposes. The CCPA does create a consumer right to opt-out of the sale of personal data which organizations must make clearly visible. The organization must ask to sell a user’s personal information, and if a user requests that the organization does not sell that information, there cannot be another request for 12 months.

The GDPR gives data subjects the right to request that an organization corrects or completes incorrect or incomplete personal data. The CCPA does not create a right to rectification.

Finally, the age of consent for the GDPR is 16, and for data subjects under 16, parental consent is required. Extra security measures to protect the data of children are also required. The CCPA age of consent is 13, and for children under 16, parental consent is required. The Children’s Online Privacy Protection Act (COPPA), a federal law directed at website operators and administered by the FTC, still applies in the US.

What’s the Cost of GDPR Compliance?

Organizations that are concerned about the costs of implementing and maintaining GDPR compliance should note that those costs are much lower than the potential consequences of GDPR non-compliance. That said, the GDPR compliance price tag varies and, as many costs are ongoing, operational expenses, they are not insignificant.

In general, organizations incur GDPR compliance costs in several areas:

  • Hiring and paying a DPO
  • Maintaining an inventory or record of processing activities
  • Conducting a gap assessment
  • Developing, adjusting, and maintaining policies and procedures
  • Modification of existing processes, creation of new processes
  • Employee training
  • Monitoring compliance
  • Additional legal costs

According to a report from DataGrail, the majority of companies—79 percent—spend at least $100,000 on GDPR and CCPA compliance. However, much of that cost originates from building out regulatory solutions on a case-by-case basis, even though those solutions are unlikely to scale with expanding regulations. Read our cloud compliance case study examples to learn how Shujinko’s compliance automation can help your organization reduce the cost of, simplify and modernize IT audit preparation across security compliance standards like SOC 2, PCI DSS, ISO 27001 and more.

As organizations attempt to achieve GDPR compliance with additional human resources, they take on additional risks and costs associated with manual compliance management, not to mention human error. The result is compounding, growing compliance costs.

Investing in GDPR compliance automation solutions that eliminate manual processes and integrate across third-party services and business systems is one cost-saving approach. GDPR software is one example of this type of solution because it reduces the costs of monitoring compliance and manual employee labor.

Does Shujinko Offer a GDPR Compliance Software Solution?

Yes. Shujinko’s AuditX™ SaaS platform translates complex standards requirements like those set forth by the GDPR into easily understandable tasks resulting in simple, organized, faster audits.

The AuditX platform is designed to support a broad range of standards frameworks including GDPR, CCPA, HIPAA, HITRUST, FedRAMP, and custom controls as well as NIST CSF, PCI DSS, ISO 27001, and SOC 2 (Type I and II).

AuditX systematically automates evidence collection, guides users through the audit preparation process, and tracks overall audit readiness and progress to ensure critical deadlines are met. Customers can achieve compliance 3x faster with this GDPR audit tool, freeing up scarce engineering resources to focus on critical business priorities.

With the “push of a button”, the extensible software automation engine crawls and collects key evidence for security and compliance audits directly from AWS, Azure, and GCP cloud infrastructure. The results come to you in organized, formatted, auditor-ready .pdf reports.

The automated evidence collection engine architecture is designed to be extensible across API-accessible services, clouds, and third party systems. It is scalable, rapidly processing extremely large jobs, and robust for large complex enterprise environments.

Learn more about how AuditX can help you automate GDPR audit preparation and achieve GDPR compliance.

Automate Audit Preparation

Get ahead of your upcoming audit deadlines and compliance initiatives. Ditch the shared spreadsheets, back and forth email, and unclear evidence requests. Start working with Shujinko’s AuditX tool to simplify, automate, and modernize audit preparation for your cloud-first enterprise.