The Essential Guide to Data Privacy Compliance
November 25th, 2025 | By Joyrene Thomas | 14 min read
Customers may trust you with their data, but regulators expect you to prove you deserve it. Legislation from the European Union’s General Data Protection Regulation (GDPR) to California’s Consumer Privacy Act (CCPA) and the US Health Insurance Portability and Accountability Act (HIPAA) is designed to facilitate the use and sharing of data. It also penalizes the misuse and breach of personal data.
Businesses are increasingly being seen as stewards or custodians of their customers’ data. Failure to meet their obligations could result in hefty fines – up to €20 million or 4% of annual turnover under the GDPR – reputational damage and loss of customer trust. Yet the same future holds both opportunities and risks.
Empowering customers to derive more value from their own data lies at the heart of the GDPR. This is similar to other EU legislation, such as the revised Payment Services Directive (PSD2), on access to bank data. Businesses can turn privacy and data protection into a basis for innovation, enhanced customer trust and loyalty, operational efficiency, competitive advantage, and more.
This guide summarizes the essentials of data privacy compliance, helping you stay informed and prepared to protect your customers, your business, and your bottom line.
What Is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation, or GDPR for short, is European data privacy legislation that came into effect on 25 May 2018. It gives individuals in the EU/EEA (European Economic Area) rights over how their personal information is used. It explains what businesses worldwide must do when processing personal data of EU/EEA citizens. The regulation applies across EU member states under the ‘one-stop-shop’ principle, where pan-EU businesses have a lead regulator to give guidance.
Where Did the GDPR Come From?
The GDPR updated and strengthened existing EU data protection legislation, namely the Data Protection Directive 1995 and the UK’s Data Protection Act 1998.
An EU ‘regulation’ is a binding legislative act to be applied in its entirety across the EU. A regulation carries more weight and offers less flexibility in implementation than a ‘directive’, which sets out a goal to be achieved. Individual EU member states then devise their own laws to reach these goals.
The GDPR builds on existing principles, namely that privacy is a fundamental human right, enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8), and the European Charter of Fundamental Rights (Article 7).
There are parallels with other countries, such as the US, where privacy has often been regarded as an element of liberty and the right to be free from state intrusions.
What Are the Principles of the GDPR?
The principles of the GDPR are outlined at the beginning and explain the foundation or ‘spirit’ of the legislation. Compliance with both the letter and the spirit of the law is the cornerstone of good data protection practice. Article 5 outlines seven data protection principles:
Lawfulness, fairness, and transparency – Personal data must be processed lawfully, fairly, and in a transparent manner to the individual
Purpose limitation – Personal data must be processed in accordance with the explicit and legitimate purposes specified to the individual on collection
Data minimization – Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed
Accuracy – Personal data processed must be accurate and kept up to date, where necessary
Storage limitation – Personal data must only be stored for as long as necessary for the specified purpose
Integrity and confidentiality (security) – Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage
Accountability – Businesses processing personal data are responsible for and must be able to demonstrate compliance with the principles above
What Are the Key Rights for Individuals Contained in the GDPR?
The GDPR sets out various rights and responsibilities related to the processing and free movement of personal data. ‘Personal data’ is basically information relating to an individual who can be identified either directly or indirectly.
Names, addresses, and social security numbers are clearly personal data. But so too is data related to gender, biometrics, health, political beliefs, and even online browsing habits, if the individual can be uniquely identified.
Individuals have certain key rights under the GDPR as follows:
Right to be informed – Individuals must be informed of how their personal data is collected and used.
Right to object – Individuals may object to the processing of their personal data in certain circumstances.
Right of access – Individuals may request a copy of the personal data and any supplementary information that the business holds about them.
Right to rectification – Individuals may ask for inaccurate personal data to be corrected or completed if it is incomplete.
Right to be forgotten – Individuals may request that businesses delete personal data, sometimes also known as the ‘right to erasure’.
Right to restrict processing – Individuals have the right to request the restriction or suppression of their personal data.
Right to data portability – Individuals may request that a business provide their personal data in a commonly used format so they can easily share it or move it elsewhere.
Rights related to automated processing – Decisions affecting individuals cannot be made solely on the basis of automated processing, unless required by law or contract.
To What Extent Does the GDPR Apply in Jurisdictions Outside the EU?
The GDPR applies to businesses established in the EU/EEA, regardless of where the data processing takes place. However, as it’s extra-territorial in scope, the GDPR also applies to businesses outside the EU/EEA, if they process personal data of individuals in the EU/EEA. That includes where the processing activities relate to:
Offering goods or services to data subjects in the EU/EEA, even if no payment takes place
Monitoring the (online) behavior of data subjects in the EU/EEA
How Does the GDPR Apply to Small Businesses vs. Large Businesses?
The core principles of the GDPR apply to all businesses irrespective of size. However, small businesses with fewer than 250 employees may be exempt from record-keeping requirements detailed in Article 30, under certain circumstances.
How small businesses administer compliance with the GDPR may also differ from large companies, for example in whether they appoint a dedicated data protection officer (DPO) and whether they draw on internal legal and compliance resources. But this is less about business size and more about the nature and amount of personal data they process.
What’s the Impact of the GDPR on Businesses?
The GDPR brings both obligations and opportunities. The main ones include:
Fines and sanctions
Serious breaches of the GDPR could result in businesses being fined up to €20 million or 4% of annual turnover, whichever is higher. Less serious violations may result in fines of up to €10 million or 2% of the company's annual turnover, whichever is higher.
Accountability
Businesses are required to not only comply with the GDPR but also demonstrate their compliance, including:
Maintaining records of data processing activities (e.g., what personal data you collect, where it’s stored, how it’s used, and who has access to it)
Implementing data protection by design and by default
Conducting data protection/privacy impact assessments (DPIA) for high-risk data processing
Monitoring appropriateness of accountability measures over time
Data security
The ‘security principle’ of the GDPR stipulates that businesses must take “appropriate technical and organizational measures” to process personal data securely.
Businesses must consider risk analysis, organizational policies, and physical and technical measures to determine what is necessary and proportionate to the risks of processing data and their circumstances.
Data security measures should ensure the confidentiality, integrity, availability, and resilience of systems and services, as well as the personal data processed within them, for example, through pseudonymization and encryption.
Businesses must be able to restore access to and availability of personal data promptly in the event of a physical or technical incident. They must also have appropriate processes in place to test the effectiveness of their measures and improve them as necessary.
Consent
Consent must be freely given, specific, informed, and unambiguous. Requests for consent must be made in clear and plain language, unbundled from other matters, and require positive action to opt in.
Trust as the ‘killer app’
Trust is the guiding thought in privacy and data protection. Demonstrating strong data protection not only builds credibility with customers but also with partners, investors, regulators, and others.
Customers are more likely to share information with businesses they perceive as responsible and trustworthy. This, in turn, enables companies to unlock more value from data, benefiting both customers and themselves.
Mapping and streamlining data flows often reveals redundancies and inefficiencies. Meanwhile, effective data governance practices also enhance organizational information management, leading to greater operational efficiencies.
What’s the Future of the GDPR?
Nearly seven years after it took effect, initiatives are underway to simplify GDPR rules. This aims to ease compliance burdens for small and medium-sized businesses, expedite cross-border investigations, and enhance cooperation between national data protection authorities (DPAs).
Work is also underway to clarify the interplay between the GDPR and the Digital Services Act (DSA). The latter aims to complement the GDPR, ensuring the highest level of data privacy protection in the digital space.
How Does Jscrambler Help Ensure Data Privacy Compliance?
The GDPR was designed to safeguard personal data, but there’s a blind spot that many businesses are missing. Specifically, the hidden risks of third-party scripts used to enhance customer experiences, such as chatbots and online checkout pages.
These scripts can access forms and data outside their intended business purpose, which is precisely the kind of misuse the GDPR was designed to prevent. Malicious actors can also view and manipulate third-party scripts to gain access to highly confidential information, including intellectual property (IP) and customers’ personally identifiable information (PII), credit card data, and more.
Businesses must protect their clients’ information from unlawful data collection by third-party pixels and tags, all while keeping their websites compliant with PCI DSS v4, GDPR, CCPA, NIST, OWASP, and HIPAA privacy regulations.
The Jscrambler platform provides fine-grained control over how third-party tags can behave and what data they can access, enhancing application resilience. Connect with our experts to try our solutions to ensure data privacy compliance.