Understanding GDPR

October 23, 2023

The General Data Protection Regulation (GDPR) is renowned for its comprehensive legal framework, which defines the rules and principles governing the collection and processing of personal data of European Union (EU) citizens, as well as the cross-border transfer of such data. Its strict requirements have had a significant impact on the tech industry. Cloud computing companies, no matter where they are headquartered, are bound by GDPR if they serve EU customers.

Failure to comply with GDPR's stringent guidelines can lead to severe consequences, including hefty fines, potentially reaching up to 4% of the company's annual global turnover, which could amount to around €20 million. In addition to financial penalties, non-compliance can damage a company's reputation and open the door to legal liability for compensating individuals affected by data breaches. Notably, even tech giants such as Google and Meta have faced substantial fines and penalties, underscoring the rigorous nature of GDPR enforcement and the challenges it poses to corporations large and small.

In this blog, you will learn what GDPR is, which data it protects, how that data should be processed, and whether your company needs to comply with it. We will also explore how BreachLock can help you meet GDPR compliance.

Understanding GDPR

The General Data Protection Regulation (GDPR) is a pivotal piece of legislation that modernized and harmonized data privacy laws across the European Union (EU). Approved by the European Parliament on April 14, 2016, it became enforceable on May 25, 2018, replacing the previous EU Data Protection Directive from 1995. The new regulation places strong emphasis on enhancing transparency in businesses and expanding the privacy rights of data subjects.
This regulation not only fortifies privacy rights but also governs the transfer of personal data outside the EU. GDPR comprises 88 pages of rules, compliance requirements, and enforcement mechanisms, encapsulating 99 Articles and 173 Recitals. Its overarching objectives are to establish uniform standards for companies handling EU citizens' data in cloud-based environments, unify the previously fragmented privacy laws of the EU member states, and bring data privacy law in line with evolving technologies for handling and transmitting personal data.

Data Protected in GDPR

Under GDPR, consent from users is required for any organization or company that intends to collect and utilize personal data. Personal data, as defined by GDPR, is any information relating to an "identified or identifiable natural person," commonly referred to as a "data subject." Personal data may include various types of information, such as:

- Name
- Identification number
- Location data
- Any data that pertains to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
- Biometric data obtained through technical processes such as facial imaging or fingerprinting
- Information regarding an individual's health or healthcare
- Details related to a person's racial or ethnic background
- Political opinions or religious beliefs
- Union membership

How Data Should Be Processed Under GDPR

The essence of GDPR lies in granting individuals, referred to as data subjects, greater control over the collection, sharing, and use of their data. Data subjects have the right to expect their personal data to be protected, processed lawfully and fairly, corrected upon request, and accessible when requested. The lawful processing of an individual's personally identifiable information (PII) must meet at least one of six conditions:

- Obtaining the express consent of the data subject.
- Processing data as necessary for executing a contract with the data subject or for taking steps to enter into such a contract.
- Processing data as required for legal compliance.
- Processing data to safeguard the vital interests of the data subject or another person.
- Processing data for tasks carried out in the public interest or in the exercise of official authority granted to the data controller.
- Processing data for legitimate interests pursued by the data controller or a third party, unless these interests conflict with the data subject's interests, rights, or freedoms.

How Does GDPR Define a Data Breach?

Under GDPR, a "breach" is a security incident that results in the accidental or unlawful destruction, alteration, or loss of personal data, or unauthorized access to it. Such a breach has the potential to put an individual's rights and freedoms at risk. When a personal data breach occurs, organizations must adhere to specific requirements:

1. Notification Within 72 Hours. In the event of a data breach affecting stored personal data, the data controller (the entity responsible for managing the data) is obligated to notify the supervisory authority within 72 hours of discovering the breach. The supervisory authority is a public authority designated by an EU member country to oversee compliance with GDPR.

2. Providing a Reason for Delay. If, for some valid reason, the organization cannot meet the 72-hour notification window, it must explain the delay.

3. Detailed Notification. The breach notification must contain certain key information, including the nature of the breach, the types and number of individuals whose personal data may have been compromised, and the estimated number of data records involved. Additionally, the organization must describe the potential consequences of the breach and the steps it plans to take to mitigate them.

4. Direct Notification to Affected Individuals. Importantly, the organization must directly notify the individuals whose personal data may have been compromised, rather than making a general public announcement.

5. Documentation and Verification. The data controller is also required to thoroughly document the breach and the actions taken to address it. This documentation is subject to verification by the supervisory authority.

Is GDPR a Concern for Your Company?

To determine whether your company is subject to the General Data Protection Regulation (GDPR), consider the following questions:

- Is your company actively marketing its products or services to European Union customers?
- Do you have employees working within the European Union?
- Does your customer base include individuals from the European Union?
- Does your company accept payments in Euros or process transactions involving the Euro currency?

Meeting any of these conditions may subject your company to GDPR obligations. In addition to these general criteria, specific factors that mandate GDPR compliance include:

- Maintaining a physical presence or establishment in an EU member state.
- Processing or storing the personal data of EU citizens, regardless of your company's physical location.
- Employing over 250 staff members.
- Employing fewer than 250 employees but engaging in data processing that impacts data subjects' rights or involves sensitive personal data.

Moreover, certain EU-based businesses in sectors such as cloud services, telecommunications, insurance, and e-gaming are automatically bound by GDPR.

For B2B and cloud-hosted companies striving to adhere to GDPR, consider these critical steps:

- Keep thorough and current records of all data processing activities, maintaining internal documentation.
- Revise your privacy policy's content and language to make it user-friendly, easily accessible, and comprehensible.
- Scrutinize and establish the legal basis for personal data processing to ensure GDPR compliance.
- Assess your systems to ensure they accommodate GDPR user rights.
- Keep valid records of consent and process consent in alignment with GDPR standards.
- Embrace the principle of data minimization, reducing the types of data processed in order to mitigate the associated risks.

Essential In-House Roles for Achieving GDPR Compliance in Your Company

Compliance with GDPR requirements in cloud-hosted companies entails establishing the following key positions to oversee mandatory compliance activities:

Data Controller: The data controller is the primary entity entrusted with determining the purpose and legal basis for processing personal data. This role also encompasses the responsibility of ensuring that any external contractors engaged in data processing adhere to GDPR.

Data Processor: The data processor is the individual responsible for carrying out the actual processing of personal data on behalf of the data controller. Close collaboration with the data controller is vital to ensure alignment with GDPR standards.

Data Protection Officer (DPO): GDPR mandates the appointment of a Data Protection Officer, responsible for overseeing data protection and monitoring compliance. This role includes tasks such as staff training and awareness initiatives. Cloud-computing companies are obliged to provide both initial and refresher training sessions in line with GDPR guidelines. Additionally, they should maintain a systematic record of these training sessions.

How BreachLock Helps You Address the Gap in GDPR Compliance

BreachLock is a global leader in PTaaS and penetration testing, offering automated, AI-powered, and human-driven pentesting solutions. We help organizations comply with the General Data Protection Regulation (GDPR).

GDPR-Compliant Penetration Testing: BreachLock penetration testing will identify exposed assets and potential vulnerabilities in your IT and cloud environments. Our AI-powered technology will accelerate the prioritization and remediation of security weaknesses while uncovering attack patterns and behaviors that humans could never detect. BreachLock ensures that your organization has a proactive exposure management program in place, using emerging technologies such as PTaaS, External Attack Surface Management (EASM), penetration testing services, and red teaming to help our customers understand exposures and prioritize vulnerabilities, shifting from threat management to exposure management in order to address cyber threats more proactively.

Related reading: GDPR Penetration Testing

About BreachLock

BreachLock is a global leader in PTaaS, penetration testing services, and EASM. BreachLock offers automated, AI-powered, and human-delivered solutions in one integrated platform, based on a standardized built-in framework that enables consistent and regular benchmarking of attack tactics, techniques, and procedures (TTPs), security controls, and processes to deliver enhanced predictability, consistency, and accurate results in real time, every time.

Schedule a discovery call with our experts to learn how BreachLock can help your company meet GDPR compliance.