What is GDPR and how does it affect software companies? - IT Labs (2023)

Maja Lazarovska

Prospecting Manager at IT Labs

The General Data Protection Regulation (GDPR) is an EU data privacy law that went into effect on May 25, 2018. It’s designed to give individuals more control over how their data is collected, used, and protected online. It also binds organizations to strict new rules about using and securing personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection.


Application

Whom does the data protection law apply to?

The GDPR applies to:

  1. A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. A company established outside the EU that offers goods or services (paid or free) to individuals in the EU, or that monitors the behavior of individuals in the EU.

The law does not apply to a service provider based outside the EU that provides its services to customers outside the EU, even though those clients can use the services when they travel to other countries, including within the EU. Provided that the company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.


The protection offered by GDPR travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country which is not a member of the EU.

The rules only apply to personal data about individuals; they don’t govern data about companies or any other legal entities.

Does GDPR Apply to the US?

GDPR applies to companies in the US under the conditions described above: if the company offers goods or services to EU/EEA residents, or if it monitors the behavior of users inside the EU/EEA.

Moreover, a data subject from the EU living in the US would fall under the GDPR should their personal data be processed by an EU-established data controller (an entity that makes decisions about processing activities) or data processor (one that processes personal data on behalf of the controller). Conversely, a data subject from the EU living in the US would not fall under the GDPR should their personal data be processed by purely US-established data controllers or data processors.

Small and medium-sized enterprises

The rules apply to SMEs, but with exceptions. Companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.


Similarly, SMEs will only have to appoint a Data Protection Officer (DPO) if the processing is their main business and it poses specific threats to individuals’ rights and freedoms. This includes monitoring of individuals or processing of sensitive data or criminal records, especially if it’s done on a large scale.

Principles

Key rules about data processing and conditions:

  • Lawfulness, fairness, and transparency: personal data must be processed lawfully and transparently, ensuring fairness towards the individuals whose personal data is being processed. When data is obtained from another company or organization rather than from the individual, the company should provide the information (who, why, how long, etc.) to the person concerned at the latest within one month after it obtained the personal data;
  • Purpose limitation: there must be specific purposes for processing the data, and the company must indicate those purposes to individuals when collecting their data. The company should explain in clear and plain language why it needs the data, how it will be used, and how long it intends to keep it;
  • Data minimization: the company must collect and process only the personal data that is necessary to fulfill that purpose. It must be adequate, relevant, and limited to what the purpose requires;
  • Accuracy: the company must ensure personal data is accurate and up to date, having regard to the purposes for which it is processed, and correct it if it is not;
  • Compatibility: the company can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
  • Storage limitation: the company must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected. The company should establish time limits for erasing or reviewing the stored data;
  • Integrity and confidentiality: the company must implement appropriate technical and organizational safeguards that ensure the security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technology.

Legal grounds for processing data

If consent is withdrawn, the company can no longer process the data. Once consent has been withdrawn, the company needs to ensure that the data is deleted unless it can be processed on another legal ground (for example, a legal storage requirement, or insofar as the data is necessary to fulfill the contract).

Obligations

Data controller and data processor

The data controller determines the purposes for which, and the means by which, personal data is processed. So, these are the companies that decide ‘why’ and ‘how’ the personal data should be handled.

A company is considered a joint controller when, together with one or more other organizations, it jointly determines ‘why’ and ‘how’ personal data should be processed.


The data processor is usually a third-party external company. The data processor processes personal data only on behalf of the controller. The duties of the processor towards the controller must be specified in a contract or another legal act.


Data breach

If a breach occurs, the company has to notify the supervisory authority without undue delay and at the latest within 72 hours after having become aware of the breach. If the company is a data processor, it must notify every data breach to the data controller.

Demonstrating GDPR compliance

It can be a Code of Conduct prepared by a business association that has been approved by a Data Protection Authority (DPA). A Code of Conduct may be given EU-wide validity through an implementing act of the Commission.

It can be a certification mechanism operated by one of the certification bodies that have received accreditation from a DPA or a national accreditation body or both, as decided in each EU Member State.

GDPR and software development

Every new piece of software should be fully GDPR compliant. GDPR requires companies to safeguard their users’ data and protect their privacy rights. Companies that handle personal data of European users must build their systems and processes with data protection by design and by default. Proper security measures must be taken like firewalls, encryption, data backup, etc.


When a company decides to outsource some of its functions, it remains responsible for the personal data transferred to the outsourcing vendor. The only way for a company to avoid GDPR liability is to ensure that it cannot access any personally identifiable data under any circumstances, which is often impossible in practice.

In other words, the GDPR places a huge emphasis on documentation and transparency. Companies must be able to clearly describe what data they are collecting, for what purpose, for how long, and who can access it, among other things. It’s important to keep the relevant documents available in order to be able to prove that the necessary GDPR steps have been taken.

While the GDPR doesn’t require companies that collect data from EU citizens to provide their users with automated, real-time tools for data management, it’s in every company’s best interest to do so. Without automated data management capabilities, each data-related request would have to be followed by a lengthy identity verification process to prevent data breaches.

Key requirements

  • Pseudonymization by Default: Pseudonyms must be created for each individual, and data about the person’s identity should be stored in an area that is fully partitioned and separate from other user data, such as information on the individual’s account within an app or software platform.
  • The Right to Be Forgotten: Every EU citizen has “the right to be forgotten,” meaning that, upon request, companies are required to discard any and all personal data related to a particular individual. Therefore, the software or database should include tools that let you isolate and delete personal data as needed.
  • The Right to Be Portable: Under this requirement, users must retain the ability to transfer their personal data from one service provider to another service provider. The company needs to configure the software, so it allows users to do so.
  • Mandatory Data Breach Reporting: If there is a data breach, the company is required to inform users and law enforcement within 72 hours. This means the company must be able to detect a data breach in very short order. When developing software or a mobile app, it’s generally best to maximize security measures and include a breach detection and reporting tool that can send notifications to the tech team.
  • Privacy by Design: GDPR requires privacy by default, meaning that the software, mobile app, or website must, by default, provide users with the highest level of security and privacy. For instance, instead of automatically using a person’s name or email address as their username, the software should offer up a totally random username during the account creation process.
  • Informed Consent: Users must be allowed to provide informed consent for the collection and processing of their data. This is why so many privacy-related disclaimer panels have popped up on websites, software platforms, and mobile apps in recent months. Another example of informed consent applies to tickboxes when registering for an account. In most cases, tick boxes should not be ticked by default; the user must tick them manually.
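The partitioning, erasure, portability and default-consent points in the list above, shown as an added Python example that is not code from the IT Labs article or from any product it mentions. The class, its method names and the sample user are constructed for illustration; the design keeps identity data in its own partition behind a random pseudonym, leaves every consent tickbox unticked until the user opts in, exports everything held on a person as JSON, and erases all of it on request.

```python
"""Added example (not from the article): a minimal in-memory store laid out
the way the key requirements above imply."""
import json
import secrets
from dataclasses import dataclass


@dataclass
class Consent:
    # Tickboxes are unticked by default; the user must opt in explicitly.
    marketing: bool = False
    analytics: bool = False


class PseudonymisedStore:
    def __init__(self) -> None:
        # Partition 1: identity data (name, e-mail) keyed by pseudonym.
        self._identity: dict[str, dict] = {}
        # Partition 2: application data keyed by pseudonym only; nothing in it
        # reveals who the person is without access to the identity partition.
        self._app_data: dict[str, dict] = {}
        self._consent: dict[str, Consent] = {}
        # Lookup index so a subject request arriving by e-mail can be served.
        self._email_index: dict[str, str] = {}

    @staticmethod
    def new_pseudonym() -> str:
        # Random username instead of deriving it from the name or e-mail
        # (privacy by default, as the list above recommends).
        return "u_" + secrets.token_hex(8)

    def register(self, name: str, email: str) -> str:
        if email in self._email_index:
            raise ValueError("email already registered")
        pid = self.new_pseudonym()
        self._identity[pid] = {"name": name, "email": email}
        self._email_index[email] = pid
        self._app_data[pid] = {}
        self._consent[pid] = Consent()  # all purposes off until opted in
        return pid

    def record(self, pid: str, key: str, value) -> None:
        """Store application data under the pseudonym only."""
        self._app_data[pid][key] = value

    def give_consent(self, pid: str, purpose: str) -> None:
        """Explicit opt-in; unknown purposes are rejected, not silently added."""
        if not hasattr(self._consent[pid], purpose):
            raise ValueError(f"unknown consent purpose: {purpose}")
        setattr(self._consent[pid], purpose, True)

    def has_consent(self, pid: str, purpose: str) -> bool:
        return getattr(self._consent[pid], purpose)

    def export(self, email: str) -> str:
        """Right to portability: everything held on the person, as JSON."""
        pid = self._email_index[email]
        payload = {
            "pseudonym": pid,
            "identity": self._identity[pid],
            "consent": vars(self._consent[pid]),
            "data": self._app_data[pid],
        }
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase(self, email: str) -> int:
        """Right to be forgotten: remove every record tied to the person.
        Returns the number of application-data fields removed (audit count)."""
        pid = self._email_index.pop(email)
        del self._identity[pid]
        del self._consent[pid]
        return len(self._app_data.pop(pid))

    def app_partition_contains(self, needle: str) -> bool:
        """Self-check of the partition boundary: identity values must never
        appear anywhere in the application-data partition."""
        return needle in json.dumps(self._app_data)


def demo() -> dict:
    """Walk one constructed user through registration, export and erasure."""
    store = PseudonymisedStore()
    pid = store.register("Ana Example", "ana@example.invalid")  # constructed sample
    store.record(pid, "theme", "dark")
    store.record(pid, "orders", 3)
    store.give_consent(pid, "marketing")
    exported = json.loads(store.export("ana@example.invalid"))
    leaked = store.app_partition_contains("Ana Example")
    removed = store.erase("ana@example.invalid")
    return {"pid": pid, "exported": exported, "leaked": leaked, "removed": removed}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `app_partition_contains` is that the separation is something you can test in CI: if a developer later copies the e-mail address into the application partition for convenience, the check fails before the change ships. A real system would put the two partitions in separately access-controlled stores rather than two dictionaries, and would log the erasure count for the audit trail.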

Compliance checklists

  • What information do I really need?
  • Why am I saving it?
  • Why am I archiving this information instead of just erasing it?
  • What am I trying to achieve by collecting all of this personal information?

Dealing with citizens

  • Individuals may contact the company to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.).
  • The company must reply to their request without undue delay, and in principle, within one month of receipt of the request.
  • Dealing with requests of individuals should be carried out free of charge.
  • The company must provide the individual with a copy of their personal data free of charge.
  • The GDPR gives individuals the right to ask for their data to be deleted, and organizations have an obligation to do so, except if the data is needed to exercise the right of freedom of expression, the company has a legal obligation to keep it, or it keeps it for reasons of public interest.
  • Individuals have the right to object to the processing of personal data for specific reasons. Whether such a particular situation exists must be examined on a case-by-case basis.
  • Individuals have the right to data portability, which is to receive from the company the personal data they provided in a structured, machine-readable format, and have it transmitted to another company/organization.
  • Individuals should not be subject to a decision that is based solely on automated processing (such as algorithms), and that is legally binding or which significantly affects them.

Enforcement and sanctions

The company does not need to notify the DPA (Data Protection Authority) that it processes data. However, prior consultation with the DPA is required when a DPIA (Data Protection Impact Assessment) indicates that the processing would pose a high risk and residual risks remain despite the implementation of safeguards. The company would also need to contact the DPA in the case of a data breach.

In case of infringement of the data protection rules, the possible sanctions include a reprimand, a temporary or definitive ban on processing, and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.




FAQs

How does GDPR affect a company?

GDPR has changed a lot of things for companies, such as the way sales teams prospect or the way marketing activities are managed. Companies have had to review business processes, applications and forms to be compliant with double opt-in rules and email marketing best practices.

What is GDPR and how will it affect you?

Put simply, GDPR (General Data Protection Regulation) is a new set of rules to give people more control over their personal data. In today's world, almost every aspect of our lives revolves around data. Think about banks, shops, social media, even getting your hair done: we share personal data in most transactions.

What is GDPR and why does it matter?

If you don't already know, GDPR seeks to protect the personal information of EU citizens by regulating how this data is stored, managed and processed. Personal data is any information by which a person can be identified.

Does GDPR apply to software?

Business owners and developers must keep the GDPR in mind when implementing or designing software that may be used to process the personal information of EU residents.

What kind of companies are affected by the GDPR?

Even non-EU established organizations will be subject to GDPR. If your business offers goods and/or services to citizens in the EU, then it's subject to GDPR. All organizations and companies that work with personal data should appoint a data protection officer or data controller who is in charge of GDPR compliance.

Does GDPR protect company data?

No, the rules only apply to personal data about individuals; they don't govern data about companies or any other legal entities.

What are the 4 important principles of GDPR?

Accuracy. Storage limitation. Integrity and confidentiality (security). Accountability.

Why is GDPR important in the workplace?

The GDPR gives people rights to access information held about them. In addition, there are obligations for better data management and a regime of fines.

What do the 7 principles of GDPR mean?

The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

What is GDPR in simple words?

The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, provides a legal framework for keeping everyone's personal data safe by requiring companies to have robust processes in place for handling and storing personal information.

How do you ensure software is GDPR compliant?

5 tips for building GDPR compliant software
  1. Improve your data collection, processing, and storage routines. ...
  2. Make sure to get proper user consent. ...
  3. Enhance the security of user authentication and authorization. ...
  4. Check third-party services and SDKs for GDPR compliance. ...
  5. Test your application for GDPR compliance.

How do you know if software is GDPR compliant?

How to be GDPR compliant?
  1. Consider whether you really need all the data you collect. ...
  2. Encrypt all personal data. ...
  3. Consider HTTPS as an essential part of your application. ...
  4. Get your consent forms in order. ...
  5. Implement granular opt-in. ...
  6. Separate the Terms and Conditions agreement from other consent forms.

How do you protect data and software?

Here are some practical steps you can take today to tighten up your data security.
  1. Back up your data. ...
  2. Use strong passwords. ...
  3. Take care when working remotely. ...
  4. Be wary of suspicious emails. ...
  5. Install anti-virus and malware protection. ...
  6. Don't leave paperwork or laptops unattended. ...
  7. Make sure your Wi-Fi is secure.

What are the major impacts of GDPR?

GDPR has effected significant improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data. Further, the risk of incurring and paying out hefty fines has made companies take privacy and security more proactively.

Which industries are most affected by GDPR?

5 Industries Most Affected by GDPR
  1. Social Media and Online Communities. ...
  2. Online Retailers and Customer Metrics. ...
  3. Online and Modern Banking or Financial Services. ...
  4. Cloud Computing and Remote Services. ...
  5. Medical and Healthcare.

How big are the companies affected by the new GDPR rules?

As a rule, any company with over 250 employees must be GDPR compliant. They must also hire a data protection officer to keep records of the data processing activities engaged in by the business. So, if your company has fewer employees, you may not have to be GDPR compliant.

Do all companies need a GDPR policy?

GDPR requirements apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it's a regular activity, concerns sensitive information or the data could threaten individuals' rights.

What happens if a company does not comply with GDPR?

Under GDPR, organisations who fail to comply and/or suffer a data breach could face a fine. In the most serious cases, this fine could be up to 17 million euros, or 4% of a company's annual turnover.

What is the main point of GDPR?

The purpose of the GDPR is to provide a set of standardised data protection laws across all the member countries. This should make it easier for EU citizens to understand how their data is being used, and also to raise any complaints, even if they are not in the country where it is located.

What are the three main goals of the GDPR?

The GDPR's three main goals are: To ensure protection of the fundamental privacy rights of Data Subjects (e.g., ensuring the security and confidentiality of Personal Data, but also ensuring proper notice, choice, right of access, rectification and erasure, just to name a few);

What are the two main aims of GDPR?

Stop or restrict the processing of your data. Data portability (allowing you to get and reuse your data for different services). Object to how your data is processed in certain circumstances.

What are the benefits of GDPR?

There are many benefits to complying with data protection law. As well as being the law, good data protection also makes good economic sense because it saves you time and money. It also shows people that you care about their information, which is good for your reputation and your brand.

What are the 8 basic rights of GDPR?

Explanation of rights to rectification, erasure, restriction of processing, and portability. Explanation of the right to withdraw consent. Explanation of the right to complain to the relevant supervisory authority. Whether data collection is a contractual requirement, and any consequences.

What are GDPR best practices?

7 best practices to ensure GDPR compliance
  • Appoint a data protection officer. ...
  • Classify all data. ...
  • Complete a privacy impact assessment. ...
  • Document, maintain and enforce privacy policies, procedures and processes. ...
  • Train employees in GDPR. ...
  • Test data breach response procedures. ...
  • Monitor and audit GDPR compliance.

How do you manage GDPR data?

11 things you must do now for GDPR compliance
  1. Raise awareness across your business. ...
  2. Audit all personal data. ...
  3. Update your privacy notice. ...
  4. Review your procedures supporting individuals' rights. ...
  5. Review your procedures supporting subject access requests. ...
  6. Identify and document your legal basis for processing personal data.

How do you ensure your software is secure?

Are you following the top 10 software security best practices?
  1. Patch your software and systems. ...
  2. Educate and train users. ...
  3. Automate routine tasks. ...
  4. Enforce least privilege. ...
  5. Create a robust IR plan. ...
  6. Document your security policies. ...
  7. Segment your network. ...
  8. Integrate security into your SDLC.

What is the GDPR and who does it apply to?

GDPR is a set of EU regulations that require businesses to protect the personal data and privacy of EU residents. GDPR replaces the existing EU and UK law that protects personal data (EU Data Protection Directive 1995 and UK Data Protection Act 1998).

What questions are asked in GDPR compliance?

GDPR: 13 Most Asked Questions + Answers
  • Who's enforcing GDPR? ...
  • What are the penalties for non-compliance with GDPR? ...
  • What is a GDPR Data Processing Operation? ...
  • How does the GDPR handle this? ...
  • What documentation do we need to prove that we're GDPR compliant? ...
  • What are the data requirements for GDPR?

What is the meaning of compliance in software?

Software compliance refers to how well an application obeys the rules in a standard. Here's where you can find the relationship between software quality and software compliance. If your application complies with software standards, it's less likely to contain bugs, security weaknesses, and design flaws.

Which software is used to protect data?

1. Acronis. Acronis Cyber Protect provides backup and restoration for individual files or entire systems. Users select the files that need continuous protection so that each change to those files is also backed up.

Why is it important to protect software?

Software security is critical because a malware attack can cause extreme damage to any piece of software while compromising integrity, authentication, and availability.

What is the common method used to protect software?

Software copyright is the most common method used to protect software. A programmer automatically owns the copyright of any program they write (it does not need to be applied for) and it lasts until 70 years after the death of the author.


How does GDPR benefit a business?

It provides business opportunities.

Lawfulness, fairness, and transparency. Purpose limitation. Data minimization. Accuracy.

Why is GDPR important in business?

GDPR is important because it improves the protection of European data subjects' rights and clarifies what companies that process personal data must do to safeguard these rights. All companies and organisations that deal with data relating to EU citizens must comply with the new GDPR.

How does GDPR apply to the workplace?

It aims to ensure that privacy is respected and no one can access data without explicit consent from the data subject. In the workplace, this can apply to employment contracts.

What is GDPR in summary?

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU.

