What is GDPR and how does it affect software companies? - IT Labs (2023)

Maja Lazarovska

Prospecting Manager at IT Labs

The General Data Protection Regulation (GDPR) is an EU data privacy law that went into effect on May 25, 2018. It’s designed to give individuals more control over how their data is collected, used, and protected online. It also binds organizations to strict new rules about using and securing personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection.


Application

Whom does the data protection law apply to?

The GDPR applies to:

  1. A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. A company established outside the EU that offers goods/services (paid or free) to, or monitors the behavior of, individuals in the EU.

The law does not apply if the company is a service provider based outside the EU that provides services to customers outside the EU; those clients can still use its services when they travel to other countries, including within the EU. Provided that the company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.


The protection offered by GDPR travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country which is not a member of the EU.

The rules only apply to personal data about individuals; they don’t govern data about companies or any other legal entities.

Does GDPR Apply to the US?

GDPR applies in the US, following the points described above – if the company offers goods or services to EU/EEA residents or if the company monitors the behavior of users inside the EU/EEA.

Moreover, a data subject from the EU living in the US falls under the GDPR if their personal data is processed by an EU-established data controller (an entity that makes decisions about processing activities) or data processor (one that processes personal data on behalf of the controller). Conversely, a data subject from the EU living in the US does not fall under the GDPR if their personal data is processed by a purely US-established data controller or data processor.

Small and medium-sized enterprises

The rules apply to SMEs, but with exceptions. Companies with fewer than 250 employees don’t need to keep records of their processing activities unless the processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.


Similarly, SMEs only have to appoint a Data Protection Officer (DPO) if the processing is their main business and it poses specific threats to individuals’ rights and freedoms. This includes monitoring of individuals or processing of sensitive data or criminal records, especially if it is done on a large scale.

Principles

Key rules about data processing and conditions:

  • Lawfulness, fairness, and transparency: personal data must be processed lawfully and transparently, ensuring fairness towards the individuals whose personal data is being processed. When data is obtained from another (secondary) company/organization, the primary company must provide the information (who, why, how long, etc.) to the person concerned at the latest within one month after it obtained the personal data;
  • Purpose limitation: there must be specific purposes for processing the data, and the company must indicate those purposes to individuals when collecting their data. The company should explain in clear and plain language why it needs the data, how it will use it, and how long it intends to keep it;
  • Data minimization: the company must collect and process only the personal data that is necessary to fulfill that purpose. It must be adequate, relevant, and limited in scope to that use;
  • Accuracy: the company must ensure personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not;
  • Compatibility: the company can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
  • Storage limitation: the company must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected. The company should establish time limits to erase or review the data stored;
  • Integrity and confidentiality: the company must install appropriate technical and organizational safeguards that ensure the security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technology.

Legal grounds for processing data

If consent is withdrawn, the company can no longer process the data. Once it has been withdrawn, the company needs to ensure that the data is deleted unless it can be processed on another legal ground (for example, storage requirements or as far as it is a necessity to fulfill the contract).

Obligations

Data controller and data processor

The data controller determines the purposes for which, and the means by which, personal data is processed. In other words, controllers are the companies that decide ‘why’ and ‘how’ personal data should be handled.

A company is considered a joint controller when, together with one or more other organizations, it jointly determines ‘why’ and ‘how’ personal data should be processed.


The data processor is usually a third-party external company. It processes personal data only on behalf of the controller, and its duties towards the controller must be specified in a contract or another legal act.


Data breach

If a breach occurs, the company has to notify the supervisory authority without undue delay and at the latest within 72 hours after having become aware of the breach. If the company is a data processor, it must notify every data breach to the data controller.

Demonstrating GDPR compliance

Compliance can be demonstrated through a Code of Conduct prepared by a business association and approved by a Data Protection Authority (DPA). A Code of Conduct may be given EU-wide validity through an implementing act of the Commission.

It can also be demonstrated through a certification mechanism operated by one of the certification bodies that have received accreditation from a DPA, a national accreditation body, or both, as decided in each EU Member State.

GDPR and software development

Every new piece of software should be fully GDPR compliant. GDPR requires companies to safeguard their users’ data and protect their privacy rights. Companies that handle personal data of European users must build their systems and processes with data protection by design and by default. Proper security measures must be taken like firewalls, encryption, data backup, etc.


When a company decides to outsource some of its functions, it remains responsible for the personal data transferred to the outsourcing vendor. The only way for a company to avoid GDPR liability is to ensure that it cannot access any personally identifiable data under any circumstances, which is often impossible in practice.

In other words, the GDPR places a huge emphasis on documentation and transparency. Companies must be able to clearly describe what data they collect, for what purpose, for how long, and who can access it, among other things. It is important to keep and share the relevant documents in order to prove that the necessary steps for GDPR compliance have been taken.

While the GDPR doesn’t require companies that collect data from EU citizens to provide their users with automated, real-time tools for data management, it’s in every company’s best interest to do so. Without automated data management capabilities, each data-related request would have to be followed by a lengthy identity verification process to prevent data breaches.

Key requirements

  • Pseudonymization by Default: A pseudonym must be created for each individual, and data about the person’s identity should be stored in an area that is fully partitioned and separate from other user data, such as the information on the individual’s account within an app or software platform.
  • The Right to Be Forgotten: Every EU citizen has “the right to be forgotten,” meaning that, upon request, companies are required to discard any and all personal data related to a particular individual. Therefore, the software or database should include tools that let you isolate and delete personal data as needed.
  • The Right to Be Portable: Under this requirement, users must retain the ability to transfer their personal data from one service provider to another service provider. The company needs to configure the software, so it allows users to do so.
  • Mandatory Data Breach Reporting: If there is a data breach, the company is required to inform users and law enforcement within 72 hours. This means the company must be able to detect a data breach in very short order. When developing software or a mobile app, it is generally best to maximize security measures and include a breach detection and reporting tool that can send notifications to the tech team.
  • Privacy by Design: GDPR requires privacy by default, meaning that the software, mobile app, or website must, by default, provide users with the highest level of security and privacy. For instance, instead of automatically using a person’s name or email address as their username, the software should offer up a totally random username during the account creation process.
  • Informed Consent: Users must be allowed to provide informed consent for the collection and processing of their data. This is why so many privacy-related disclaimer panels have popped up on websites, software platforms, and mobile apps in recent months. Another example of informed consent applies to tickboxes when registering for an account. In most cases, tick boxes should not be ticked by default; the user must tick them manually.
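The requirements above translate into concrete structure in code. The following added example (not code from the original article or from IT Labs) sketches a user service in which identifying data lives in a separate vault linked to the application data only by a random pseudonym, usernames are random by default, consent is opt-in per purpose, and erasure and export act on both stores; all class, method and store names are assumptions.

```python
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example (not from the original article): a minimal user service that
# applies the page's key requirements. Two stores are kept deliberately
# separate: an identity vault holding directly identifying fields, and an
# application store holding only pseudonymised data. In production these
# would be separate databases with separate access controls; here they are
# in-memory dicts so the example runs stand-alone. All names are assumptions.


@dataclass
class IdentityRecord:
    full_name: str
    email: str


@dataclass
class AppRecord:
    username: str                                            # random, never name/email
    consents: Dict[str, bool] = field(default_factory=dict)  # opt-in only; unset == no
    profile: Dict[str, str] = field(default_factory=dict)    # pseudonymised app data


class PseudonymisedUserService:
    def __init__(self) -> None:
        self._identity_vault: Dict[str, IdentityRecord] = {}
        self._app_store: Dict[str, AppRecord] = {}

    def register(self, full_name: str, email: str) -> str:
        """Pseudonymisation by default: the two stores share only a random token."""
        pseudonym = secrets.token_hex(16)
        self._identity_vault[pseudonym] = IdentityRecord(full_name, email)
        # Privacy by design: a random username instead of the name or e-mail.
        self._app_store[pseudonym] = AppRecord(username="user-" + secrets.token_hex(4))
        return pseudonym

    def find_pseudonym(self, email: str) -> Optional[str]:
        """Resolve a data subject who contacts the company by e-mail (vault-only lookup)."""
        for pseudonym, ident in self._identity_vault.items():
            if ident.email.lower() == email.lower():
                return pseudonym
        return None

    def set_consent(self, pseudonym: str, purpose: str, granted: bool) -> None:
        """Informed consent is recorded per purpose; withdrawal is simply granted=False."""
        self._app_store[pseudonym].consents[purpose] = granted

    def may_process(self, pseudonym: str, purpose: str) -> bool:
        """A box that was never ticked counts as no consent (no pre-ticked defaults)."""
        rec = self._app_store.get(pseudonym)
        return rec is not None and rec.consents.get(purpose, False)

    def export_dict(self, pseudonym: str) -> dict:
        """Right to portability: a structured copy of everything held about the subject."""
        ident = self._identity_vault[pseudonym]
        app = self._app_store[pseudonym]
        return {"full_name": ident.full_name, "email": ident.email,
                "username": app.username, "profile": dict(app.profile),
                "consents": dict(app.consents)}

    def export(self, pseudonym: str) -> str:
        """Machine-readable (JSON) form of the portable copy."""
        return json.dumps(self.export_dict(pseudonym), indent=2)

    def erase(self, pseudonym: str) -> bool:
        """Right to be forgotten: identity and app data are removed together."""
        existed = pseudonym in self._identity_vault
        self._identity_vault.pop(pseudonym, None)
        self._app_store.pop(pseudonym, None)
        return existed

    def is_known(self, pseudonym: str) -> bool:
        return pseudonym in self._identity_vault or pseudonym in self._app_store


if __name__ == "__main__":
    svc = PseudonymisedUserService()
    p = svc.register("Ada Example", "ada@example.invalid")  # constructed sample subject
    print("marketing allowed by default:", svc.may_process(p, "marketing"))
    svc.set_consent(p, "marketing", True)
    print("after opt-in:", svc.may_process(p, "marketing"))
    svc.set_consent(p, "marketing", False)  # consent withdrawn: processing must stop
    print(svc.export(p))
    print("erased:", svc.erase(p), "still known:", svc.is_known(p))
```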

Compliance checklists

  • What information do I really need?
  • Why am I saving it?
  • Why am I archiving this information instead of just erasing it?
  • What am I trying to achieve by collecting all of this personal information?

Dealing with citizens

  • Individuals may contact the company to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.).
  • The company must reply to their request without undue delay, and in principle, within one month of receipt of the request.
  • Dealing with requests of individuals should be carried out free of charge.
  • The company must provide the individual with a copy of their personal data free of charge.
  • The GDPR gives individuals the right to ask for their data to be deleted, and organizations have an obligation to do so, except if the data is needed to exercise the right of freedom of expression, the company has a legal obligation to keep it, or it keeps it for reasons of public interest.
  • Individuals have the right to object to the processing of personal data for specific reasons. Whether such a particular situation exists must be examined on a case-by-case basis.
  • Individuals have the right to data portability, which is to receive from the company the personal data they provided in a structured, machine-readable format, and have it transmitted to another company/organization.
  • Individuals should not be subject to a decision that is based solely on automated processing (such as algorithms), and that is legally binding or which significantly affects them.

Enforcement and sanctions

The company does not need to notify the DPA (Data Protection Authority) that it processes data. However, prior consultation with the DPA is required when a Data Protection Impact Assessment (DPIA) indicates that the processing would pose a high risk and residual risks remain despite the implementation of safeguards. The company would also need to contact the DPA in the case of a data breach.

In case of infringement of the data protection rules, the possible sanctions include a reprimand, a temporary or definitive ban on processing, and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.




FAQs

How does GDPR affect a company?

GDPR has changed a lot of things for companies such as the way your sales teams prospect or the way that marketing activities are managed. Companies have had to review business processes, applications and forms to be compliant with double opt-in rules and email marketing best practices.

What is GDPR and how will it affect you?

Put simply, GDPR (general data protection regulation) is a new set of rules to give people more control over their personal data. In today's world, almost every aspect of our lives revolves around data. Think about banks, shops, social media, even getting your hair done – we share personal data in most transactions.

What is GDPR and why is it important?

The General Data Protection Regulation or the GDPR is a European Union legal instrument ensuring the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Does GDPR apply to software?

Business owners and developers must keep the GDPR in mind when implementing or designing software that may be used to process the personal information of EU residents.

Does GDPR protect company data?

No, the rules only apply to personal data about individuals; they don't govern data about companies or any other legal entities. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person.

Why is GDPR important in the workplace?

The GDPR gives people rights to access information held about them. In addition, there are obligations for better data management and a regime of fines.

What are the 7 principles of GDPR?

The UK GDPR sets out seven key principles:
  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

How does GDPR protect?

The full GDPR rights for individuals are: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and also rights around automated decision making and profiling.

What size of company is affected by the new GDPR rules?

GDPR requirements apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it's a regular activity, concerns sensitive information or the data could threaten individuals' rights.

What is the GDPR in simple terms?

What is the GDPR? The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, provides a legal framework for keeping everyone's personal data safe by requiring companies to have robust processes in place for handling and storing personal information.

Who does the GDPR protect?

The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”

How do you know if software is GDPR compliant?

How to be GDPR compliant?
  1. Consider whether you really need all the data you collect. ...
  2. Encrypt all personal data. ...
  3. Consider HTTPS as an essential part of your application. ...
  4. Get your consent forms in order. ...
  5. Implement granular opt-in. ...
  6. Separate the Terms and Conditions agreement from other consent forms.

What data does GDPR apply to?

The UK GDPR applies to the processing of personal data that is: wholly or partly by automated means; or the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.

How do you comply with GDPR?

Take the right approach to GDPR compliance
  1. Access. The first step toward GDPR compliance is to access all your data sources. ...
  2. Identify. Once you've got access to all the data sources, the next step is to inspect them to identify what personal data can be found in each. ...
  3. Govern. ...
  4. Protect. ...
  5. Audit.

What are the 8 basic rights of GDPR?

Explanation of rights to rectification, erasure, restriction of processing, and portability. Explanation of right to withdraw consent. Explanation of right to complain to the relevant supervisory authority. If data collection is a contractual requirement and any consequences.

What does GDPR require by law?

Under GDPR, your organization is obligated to respond to a data subject's request about their personal data. GDPR requirements give consumers (i.e., data subjects) the right to ask companies for information held about them. Within a month's time, companies must be able to fulfill the request.

What is the difference between data protection and GDPR?

Whereas the Data Protection Act only pertains to information used to identify an individual or their personal details, GDPR broadens that scope to include online identification markers, location data, genetic information and more.

What does GDPR mean for employers?

Under the GDPR, employers are required to provide employees with the legal basis you're relying on for processing their data. This should be in a document such as a privacy notice or employee data protection policy and it needs to be concise, transparent, easily accessible and written in plain language.

What does GDPR mean for employees?

The GDPR aims to give employees (and, of course, other individuals who may be customers, contractors, suppliers etc.) more control over the ways in which businesses process their personal data.

Does GDPR apply to company employees?

Do I have employees who are protected by the GDPR? The GDPR applies to any person residing or located in an EU country. Accordingly, if a U.S.-based company is subject to the GDPR and sends one employee to work in Paris, that one employee's personal data is protected by the GDPR.

Which are the 4 basic principles of data privacy?

Generally, these principles include: Purpose limitation. Fairness, lawfulness, and transparency. Data minimization.

What are the three (3) general data privacy principles?

Principles of Transparency, Legitimate Purpose and Proportionality. The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.

What is GDPR privacy?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in and outside of the European Union (EU).

Can a company share my personal information?

With some exceptions, businesses cannot sell your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale of your personal information.

How do I follow GDPR at work?

There are 7 key steps you need to follow in order to comply with GDPR.
  1. Appoint a Data Protection Officer (if you need one) ...
  2. Review GDPR. ...
  3. Information audit. ...
  4. Determine your lawful basis for processing data. ...
  5. Implement processes. ...
  6. Establish documentation. ...
  7. Implement training and policies.

What are the major impacts of GDPR?

GDPR has effected significant improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data. Further, the risk of incurring and paying out hefty fines has made companies take privacy and security more proactively.

Does every company need a GDPR policy?

Does GDPR apply to all businesses? The new rules apply to every business that has customers, employees or clients in the EU.

Do small companies need to comply with GDPR?

Despite the breadth of the EU General Data Protection Regulation (GDPR), there is no small business exemption. Companies still need to comply with most of the GDPR even if they have fewer than 250 employees.

How many GDPR principles are there?

The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

Which companies does GDPR apply to?

GDPR applies to any and all businesses and organisations which are responsible for handling personal data in the European Union (and the UK) as well as any organisation using data that was collected within participating states.

Does GDPR apply to people?

Yes, the GDPR does apply to individuals. If you process or collect the data of EU residents, you're required to comply with the GDPR — regardless of whether you're a business, organization, or individual.

What does GDPR not apply to?

The GDPR does not apply if: the data subject is dead; the data subject is a legal person.
How does GDPR affect small businesses?

Helps Bigger Companies: The General Data Protection Regulation (GDPR) increases a huge amount of complexity in online business. Every business needs to be compliant regardless of their turnover. Compliance is expensive for the small businesses. Larger businesses find it easier and cheaper to comply with these norms.

Who does GDPR affect?

The GDPR applies to: a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed.

What consequences can occur if GDPR is breached?

Under GDPR, organisations who fail to comply and/or suffer a data breach could face a fine. In the most serious cases, this fine could be up to 17 million euros, or 4% of a company's annual turnover. This upper limit far exceeds the current maximum fine of £500,000 allowed under the Data Protection Act.

What industries are affected by GDPR?

Top 5 industries that are most affected by GDPR
  1. Social Media Platforms. Social media marketing is one of the most affected industries by GDPR. ...
  2. Financial Services. ...
  3. eCommerce. ...
  4. Technology Sector. ...
  5. Healthcare and Medical.

What is the main intent of GDPR?

One of the purposes of the General Data Protection Regulation (GDPR) is to protect individuals' fundamental rights and freedoms, particularly their right to protection of their personal data. The right to one's private life is laid down in the European Convention on Human Rights (ECHR).

What happens if you breach GDPR at work?

This includes training employees in how to protect personal data. If they fail to do so, and an employee breaches GDPR, this could have consequences. The company could face fines and investigation by the ICO. In addition, those who've had their data breached could claim compensation if they've been harmed by the breach.

Who does GDPR not apply to?

The GDPR only applies to organizations engaged in “professional or commercial activity.” So, if you're collecting email addresses from friends to fundraise a side business project, then the GDPR may apply to you. The second exception is for organizations with fewer than 250 employees.
