- The European Union’s General Data Protection Regulation (GDPR) is a strict privacy and security law passed to protect the personal data of EU countries.
- Since the UK’s exit from the EU in 2021, the UK is no longer under the protection of GDPR, instead using regulations known as the UK GDPR.
- Any organization that processes, stores, or transmits EU citizens’ personally identifiable information (PII) must adhere to GDPR standards.
- Compliance can be made easier with tokenization, which protects sensitive data by removing it from internal systems and replacing it with tokens for functionality.
When GDPR was rolled out in May 2018, the law fundamentally changed the privacy landscape. After extensive outcry over violations of customer privacy, the EU created GDPR to protect the privacy of consumers across Europe.
In the past four years, GDPR has both sparked public awareness about how data is used and imposed severe fines for companies that haven’t fallen in line. In a short time, GDPR has revolutionized privacy law and set itself as the standard against which other privacy laws are compared.
In this blog, we’ll look at a quick overview of GDPR and an important change to GDPR for 2022, before moving into a detailed overview of GDPR’s requirements and helpful compliance tools.
An Introduction to Compliance: What is GDPR?
According to a Global Alliance of Data-Driven Marketing Associations study, 92 percent of organizations store customer and prospect data in databases, so virtually every company is potentially subject to GDPR requirements. In reality, everyone and everything that touches the personal data of EU citizens needs to handle it in adherence to the standards laid out in the GDPR.
Customer relationship management (CRM) systems and other sales and marketing platforms are great tools for improving interactions with customers and helping advance prospects along the sales pipeline. But because these systems ingest sensitive data to perform their tasks, they’re also breeding grounds for possible violations of the European Union’s General Data Protection Regulation (GDPR). The massive volumes of personal data processed, stored, and transmitted by a CRM can be difficult to track and contain, so close monitoring and diligent security measures are required to ensure the customer data you collect via a CRM is protected in compliance with relevant regulatory obligations.
However, despite the daunting amount of information retained by CRM platforms, they can actually be an aid, not a hindrance, to GDPR compliance if their processes for data collection, storage, and access are customizable. For example, popular inbound sales and marketing platform HubSpot offers functionality and resources to support GDPR CRM compliance practices, ensuring all the system’s methods for gathering and retaining data abide by GDPR principles.
Ultimately, we recommend leaning on the expertise of your organization’s legal team and other compliance specialists to ensure you’re meeting the requirements of GDPR compliance. But to get you headed in the right direction, here’s an overview of recent changes to GDPR scope along with an overview of the tenets you need to know to achieve compliance.
Important changes to GDPR in 2022
The biggest change to GDPR in 2022 had nothing to do with the law itself, but rather the UK’s exit from the EU. The UK left the EU on December 31, 2021, which meant that by the start of 2022 the UK no longer fell under the regulations of GDPR.
The UK now falls under its own privacy regulation, the UK-GDPR, which took effect in January of 2020. The UK is also now considered a third country within GDPR, which will mainly affect the requirements for data transfers between EU countries and the UK.
The UK must still follow GDPR, just like every other country outside of the EU. For companies that hold UK information, you’ll need to check UK GDPR for the resulting changes in requirements.
UK GDPR vs EU GDPR
UK GDPR and EU GDPR are very closely related, with the UK adopting most EU measures to fit UK law. UK citizens still retain the same rights over their data as they were given with GDPR. Most deviations between the two stem from changes to immigration, intelligence, and national security law. Additionally, the supervisor and enforcer of GDPR has changed from the European Board to the Information Commissioner.
Though changes are not massive, they are still important to review. Even smaller changes, like the age of consent changing from 16 under EU-GDPR to 13 under UK-GDPR, could land your business in hot water.
One of the most significant aspects of the GDPR is its global reach. Any organization regardless of its geographical location that processes, stores, or transmits personally identifiable information (PII) must adhere to the GDPR’s standards if it is collecting the data of EU citizens. As a result, maintaining compliance and security everywhere an organization operates is paramount, but most companies do not have the resources necessary for constant global protection, detection, and incident response for the sensitive data they process. This is where security providers can fill the gap in an organization’s defenses, and technologies such as tokenization can help simplify the compliance process.
An organization found to be willfully or intentionally in violation of the GDPR is subject to administrative penalties of 4 percent of annual turnover or €20 million, whichever is greater. Accidental infractions or negligence of the data protection mechanisms in the GDPR can result in penalties of greater than 2 percent of annual turnover or €10 million. However, these fines do not include the cost of litigation, customer loss, systems changes, and other related fallout for failing to protect sensitive data.
For example, Marriott was fined more than $100 million after hackers exposed hundreds of millions of its guest records, and British Airways was fined a record $230 million for similar violations. But the projected losses for these companies based on compromised consumer trust and other difficult-to-quantify factors are much greater. Only time will tell the true cost of noncompliance.
The consent of data subjects for processing their data is not required in every case, but it is strongly encouraged if an organization might not otherwise have a compelling or legitimate legal reason for retaining that data. When providing an agreement for consent, organizations are no longer allowed to use complicated, obscure, or other difficult-to-understand terms and conditions to gain consent for data processing. In other words, the individual granting consent must be able to clearly understand the terms of the agreement and must be given an opportunity to refuse or acquiesce.
Breach Notification Policy
Organizations are required to report a data breach to a supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to put the rights and freedoms of the affected individuals at risk, those individuals must also be informed without undue delay. As part of any breach notification process, business continuity and disaster recovery are the top priorities. Security providers are especially helpful when responding to and recovering from a data breach. For example, if the personal data compromised in a breach has been deidentified using tokenization, an organization may not be obligated to notify the associated individuals.
Right to Access & Right to be Forgotten
Individuals have the right to obtain confirmation from the data controller as to whether their personal data is being processed, where it is being processed, and for what purpose it is being processed. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. Data subjects also can request that the controller erase and cease further dissemination of his or her personal data. This is also known as the right to erasure.
Privacy/Data Protection by Design and Default
Article 25 of the GDPR obligates organizations to consider data protection by design and by default. This concept requires data security to be built into the design of systems, as opposed to tacked onto existing processes and infrastructure. It also means that controllers are to hold and process only the data necessary to fulfill whatever need the data was collected for in the first place and to limit the access to customer data to the proper personnel. This practice is known as data minimization.
Key Terms of GDPR Compliance
Personal data is an often confused term. It’s used broadly to refer to all types of sensitive data, but within the context of the GDPR, it’s defined as any information “related to an identified or identifiable natural person.” The natural person portion is particularly important in how it relates to another key term, the data subject. In order for data to be considered personal data—and as a result, protected by the GDPR—it needs to be associated with a data subject, or “an identifiable natural person.”
The full definition of a data subject according to Article 4.1 of the GDPR is “an identifiable natural person … who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person….” Simply put, data subjects are people whose personal data can be used to identify them. Understanding this can help you determine which elements of stored data are subject to the GDPR.
Any organization or entity that collects the personal data of EU citizens is a data controller. The controller is responsible for obtaining consent and complying with the requests of the data subject in the event that the data subject opts out of an agreement or asks that its data be deleted—even if the data in question is in the possession of a data processor.
A data processor is any organization or entity that handles the personal data collected by the data controller. Although the controller is responsible for managing consent and other communications with data subjects, processors still can be penalized for noncompliance. They also face additional requirements specific to their roles as processors of the original data.
According to Article 4(5) of the GDPR, pseudonymization is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” The GDPR specifically mentions pseudonymization as an appropriate method for deidentifying data. In fact, Recital 29 mentions incentives for organizations to apply pseudonymization, and Articles 25 and 32 specifically call out pseudonymization as an appropriate technical measure for protecting personal data.
How Tokenization Can Help With GDPR Compliance
When implemented properly, security technologies such as tokenization can play a significant role in protecting sensitive data sets to meet the requirements of GDPR compliance. Because tokenization removes sensitive data from internal systems, securely stores it, and then returns a nonsensitive placeholder to organizations for business use, it can virtually eliminate the risk of data theft in the event of a breach. This makes tokenization a particularly useful tool for risk reduction and compliance.
Tokenization not only secures sensitive data, but it also devalues it. In other words, it desensitizes the data via the process of pseudonymization, which we mentioned previously as an effective compliance strategy. Additionally, tokenization can help organizations fulfill certain measures of GDPR compliance and requests from data subjects. With the right security controls in place, protected data can be temporarily detokenized when the information is required for processing or is requested by the data subject. In the event that an individual requests to be forgotten, an organization can simply delete the token on the tokenization provider’s system to comply with that request.
Yet another benefit of tokenization is that in the event of a data breach, an organization may not have to notify the affected individuals. If a threat actor infiltrates your environment, tokens—not personal data—are the only information that could be stolen. In effect, no data breach has actually occurred; therefore, there’s no need to issue a breach notification.
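To make the tokenization workflow described in this section concrete (pseudonymization per Article 4(5), controlled detokenization, and honouring a right-to-erasure request by deleting the vault entry rather than scrubbing every downstream system), here is an added, self-contained Python example. It is not code from this blog or from any tokenization vendor; the vault, the role names `support` and `marketing`, the `tok_` prefix and the sample customer record are all constructed for illustration.

```python
"""Toy tokenization vault illustrating GDPR pseudonymization (Article 4(5))
and the right to erasure via deletion of the vault entry.

Hypothetical example (not a vendor's product).  Assumptions: one in-process
vault, a role-based policy with roles 'support' and 'marketing', and a CRM
record represented as a plain dict.
"""
import hashlib
import hmac
import secrets

# Roles permitted to detokenize (hypothetical access-control policy).
DETOKENIZE_ROLES = {"support"}
# CRM fields that hold personal data and therefore must be tokenized.
PII_FIELDS = ("email", "phone")


class TokenVault:
    """Holds plaintext values keyed by random tokens.  The CRM only ever
    stores the tokens, so a stolen copy of the CRM reveals no personal data."""

    def __init__(self) -> None:
        self._plaintext_by_token: dict = {}
        # Keyed blind index (HMAC) so a repeated value maps to the same token
        # without keeping a plaintext-keyed lookup table in the vault.
        self._index_key = secrets.token_bytes(32)
        self._token_by_index: dict = {}

    def _blind_index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the existing token for value, or mint a random one.
        The token is random, not a hash of the value, so it carries no
        information about the plaintext ("additional information" is needed)."""
        idx = self._blind_index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)
            self._plaintext_by_token[token] = value
            self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Restore plaintext only for an authorised role and only while the
        vault still holds the value (i.e. the subject has not been forgotten)."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        try:
            return self._plaintext_by_token[token]
        except KeyError:
            raise KeyError("token unknown or already erased") from None

    def forget(self, token: str) -> bool:
        """Right to erasure: drop the vault entry.  Downstream systems keep
        their token, which now dereferences to nothing.  Returns False if the
        vault held nothing for this token."""
        value = self._plaintext_by_token.pop(token, None)
        if value is None:
            return False
        self._token_by_index.pop(self._blind_index(value), None)
        return True


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Replace every PII field in a CRM record with its token; other fields pass through."""
    return {k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def leaks_pii(stored: dict, original: dict) -> bool:
    """Breach check: does the stored record still contain any original PII value?"""
    return any(stored.get(k) == original[k] for k in PII_FIELDS if k in original)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record, not real data.
    customer = {"id": 1001, "email": "jane.doe@example.com",
                "phone": "+44 20 7946 0000", "plan": "pro"}
    stored = tokenize_record(vault, customer)
    print("CRM row:", stored)                          # tokens in place of email/phone
    print("leaks PII:", leaks_pii(stored, customer))   # False
    print("support sees:", vault.detokenize(stored["email"], "support"))
    vault.forget(stored["email"])                      # right-to-be-forgotten request
    try:
        vault.detokenize(stored["email"], "support")
    except KeyError as exc:
        print("after erasure:", exc)
```

The design choice worth noting is that the token is random and the only link back to the person lives in the vault: the CRM row is therefore pseudonymized data in the Article 4(5) sense, and erasure is a single `forget()` call rather than a hunt through every system that ever copied the record. In practice the vault would be a separately secured service with its own audit log, and the role check would be enforced there, not in the caller.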
As we mentioned earlier, though, the best compliance tip we can give you is to follow the advice and expertise of your organization’s legal and security teams. This blog is meant to be a primer—not comprehensive, exhaustive guidance.
One more important thing to keep in mind: Don’t get caught up in the GDPR compliance struggle. Instead of focusing too much on individual controls or determining how to achieve minimum compliance, take a data-centric approach that prioritizes security and risk reduction. If those concerns are satisfied sufficiently, compliance virtually takes care of itself.