Guide to GDPR Compliance for US Companies

Published/Updated January 3, 2020


Do you think the General Data Protection Regulation is just for European Union (EU) organizations? Think again.

This groundbreaking data protection law applies to all enterprises that process the personal information of EU resident citizens. It doesn’t matter where those companies are located—including on our side of the pond, in the United States.

Even if yours is a U.S.-based one-pop shop selling pencils online, you must protect the data privacy of EU customers, according to the GDPR. Otherwise, you could face crippling penalties.

For GDPR compliance, the law doesn’t care where your business is located. What it cares about is the security and integrity of EU citizens’ personal data, and protecting those citizens’ rights to privacy and to control how their data is used. To guarantee those rights, the GDPR lays out a long list of rights and regulations.

Meeting GDPR requirements can create unique burdens for U.S. companies because we have no federal laws governing information security or privacy. Among state statutes (so far), only the California Consumer Privacy Act (CCPA) comes close. But even CCPA, sometimes called “GDPR Lite,” pales in comparison to the GDPR.

Therefore, United States organizations may need to start their compliance efforts from scratch, which can be time-consuming and expensive.

Reciprocity is here to help. We’ve compiled a wealth of resources to help U.S. companies navigate this law and become GDPR compliant.

This guide contains troves of information, presented in short bursts for easy consumption. Here we answer such questions as:

  • What is GDPR compliance?
  • What are the GDPR compliance requirements?
  • How do I write a GDPR-compliant privacy policy?
  • What are the special considerations for GDPR compliance in the U.S.?
  • Where do I find a GDPR compliance checklist?

Follow the links contained throughout this guide for a deeper dive into various topics.

Then, when audit time approaches, our comprehensive GDPR audit guide walks you through your preparations step by step with a complete checklist for GDPR compliance, so you can pass the test with flying colors.

And if you want to save time and effort with user-friendly GDPR compliance software, we’ve got that covered, as well.

What Is the GDPR? Definition and Background

The General Data Protection Regulation (GDPR) is the world’s most stringent data protection regulatory framework. Enacted in the European Union (EU) on May 25, 2018, the GDPR replaced an existing data privacy law, the European Data Protection Directive 95/46/EC.

The GDPR aimed to up the ante on data security, protecting EU citizens’ personal information from data breach amid advances in technology and increasingly sophisticated cybercrime techniques.

Like the European Data Protection Directive 95/46/EC, the GDPR mandates the protection of personal data, but GDPR compliance requirements are broader in application, scope, and territory than those in the directive. Key differences include:

  • The GDPR applies to data controllers and data processors of all EU-citizen data. A data controller is the individual, organization, or enterprise that controls the data; a data processor processes the data. The two can be separate entities or the same.
  • It doesn’t prevent other European Union countries from enacting their own data privacy laws, provided those laws are GDPR-compliant.
  • Under the GDPR, data processing of all EU citizens (“data subjects”) is regulated, whether or not the processor is located in the EU and regardless of where the data processing occurs.
  • It recommends “pseudonymizing” personal data to protect data subjects’ privacy.
  • The GDPR sets rules for who oversees compliance. Among other things, it requires larger organizations—generally, those with more than 250 employees—to designate a data protection officer to monitor and report to the board on GDPR compliance.
  • The GDPR lays out 99 articles establishing rights for individuals and obligations for data controllers and processors. Among these is a requirement for data protection impact assessments (DPIA) of the likely effects on high-risk data when processes, systems, or technologies are added or changed.
  • The GDPR requires prompt reporting of data breaches to the relevant supervisory authority, and sets harsh penalties for non-compliance.

8 Rights of Individuals Under the GDPR

There are 99 General Data Protection Regulation (GDPR) provisions, rights and obligations. Most of these are obligations of the organizations collecting, processing, transmitting or storing personal data of European Union (EU) “data subjects,” which is the term the regulation uses to refer to EU citizens living in Europe whose personal information is being processed.

But the GDPR grants eight (8) rights to individuals regarding their personal data, as well. These GDPR rights are consumer rights and employee rights. Individual rights under the GDPR are as follows:

1. The Right to Be Informed

The GDPR gives individuals the right to know that you are collecting their personal data, and how you will use it, how long you will keep it, and with whom you will share it.

2. The Right of Access

The GDPR gives individuals, or “data subjects,” the right to access the data you have collected about them. You must provide this access free of charge and within one month after receiving the data subject access request verbally or in writing.

3. The Right to Rectification

Data subjects can have inaccuracies in their personal data corrected, in most cases, within one month after requesting rectification orally or in writing.

4. The Right to Erasure

Data subjects may, in certain situations, have their personal information deleted from your files and system—this is also called the “right to be forgotten”—by requesting erasure orally or writing. Again, you have one month to respond to their request.

5. The Right to Restrict Processing

If a data subject requests the restriction or suppression of their personal data, in some circumstances you must abide by their wishes. You may store their data but may not use it.

6. The Right to Data Portability

Individuals can obtain their personal data and reuse it, moving, copying, or transferring it from one place to another, if they desire.

7. The Right to Object

Individuals may object to your processing of their personal data, and can prohibit its use for direct marketing—and you must tell data subjects about this right. If you have a compelling reason to process their data, you may be able to continue doing so.

8. Rights in Relation to Automated Decision-Making and Profiling

The GDPR grants individuals specific rights regarding:

  • Automated decision-making, with no human involvement
  • Automated profiling, in which personal data is used to evaluate aspects of the data subject

The GDPR allows these actions to be carried out automatically only in certain situations. If you use automation for decision-making or profiling using personal data, you must inform the data subjects that you are doing so, give them ways to request human intervention or challenge a decision, and check your systems regularly to ensure that they are working properly.

What Are the Principles of the GDPR?

The General Data Protection Regulation (GDPR) is essentially driven by two factors: data and risk.

The GDPR sets rules for these circumstances:
  • Data processing, to ensure the privacy of data owners
  • Data protection, or safeguarding data against breaches and unauthorized use (risk)
  • Responding to breaches and theft in a timely and effective manner

Article 5 establishes seven principles that guide these rules:

    • Lawfulness, fairness and transparency. The GDPR requires companies to process personal data “lawfully, fairly and in a transparent manner in relation to the data subject.”

In the GDPR, “lawfulness” refers to your reasons or justifications for collecting and processing EU resident citizens’ personal data. Article 6 outlines the conditions necessary for lawful data collection:

      • Consent, meaning the data owner, or “data subject,” has given you permission to collect, use, and store their data
      • Performance of a contract
      • Compliance with a legal obligation
      • Protection of vital interests of the data subject or someone else
      • Performance of a public interest task, such as for public administration
      • Pursuit of legitimate interests, including direct marketing

“Fairness” applies to the ethics, including honesty and good faith, under which the data has been processed.

“Transparency” means the data subject knows who has collected their data, how it is being processed, and what it is being used for.

    • Purpose limitation. Article 5 (1) (b) states, “Personal data shall be … collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall … not be considered to be incompatible with the initial purposes.”

Why are you collecting personal data, and what will you do with it? You must not only identify your purposes, but also make them transparent to the people from whom you are collecting it, usually in a clear and concise privacy notice.

You must review your data processing policies and practices regularly.

And if your purposes or uses change, you must notify the data subjects again—unless the new use is compatible with the original one. Compatible uses under the GDPR are

      • Archiving in the public interest
      • Research, either scientific or historical
      • Compiling or measuring statistics
    • Data minimization. According to the GDPR, the personal data you process must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).”

The GDPR allows organizations to collect only the personal data they need from EU resident citizens—not a single jot more—and to keep it only for the time needed. And data subjects are entitled to review, revise, and even withdraw the information that you have collected about them—the so-called “right to be forgotten.”

    • Accuracy. The personal data you process, retain, and transmit must be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”

It is not uncommon for a database to contain mistakes—perhaps caused by inputting errors, erroneous code, formatting problems, or something else. If an error comes to your organization’s attention, you must correct it.

    • Storage limitation. You must keep personal data “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes … subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.”

The GDPR allows you to store personal data only for as long as you need it, and requires you to erase or anonymize it as soon as it is no longer useful to your organization or the public interest.

How long you may store personal data will depend largely on its classification and purpose. Each record in your system should be assigned a tag (i.e., classification) such as “highly sensitive” or “restricted,” earmarking it for deletion within a certain time frame.

Anonymizing and pseudonymizing data may allow you to work around these limits. The GDPR allows properly masked records to be treated as “out of scope,” meaning storage limitations may not apply. The law permits the use of pseudonymized data for purposes beyond those for which you originally collected it.

    • Integrity and confidentiality (security). The personal data you collect must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

This category is the most complex and broad, encompassing access controls, information security, disaster recovery, data breach response, and more.

    • Accountability. “The controller shall be responsible for, and be able to demonstrate compliance with,” the GDPR’s principles.

You, the organization in control of personal data, must take responsibility for how you handle the data and for your compliance with GDPR principles. You must be able to demonstrate your GDPR compliance with documentation showing that you have taken the appropriate measures to follow the GDPR’s rules.

What Is Personal Data under the GDPR?

The European Union General Data Protection Regulation defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).”

An identifiable natural person, under the GDPR, is a data subject “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Let’s unpack this definition.

  • The GDPR uses the term natural person to distinguish living individuals from entities such as corporations and institutions. Personal data must relate to a living person who can be identified or identifiable, directly or indirectly, from one or more identifiers or from factors specific to the individual.
  • The GDPR addresses two types of processing of personal data:
  • That processed entirely or in part by automated means (information in electronic form)
  • That processed in a non-automated manner as part of a ‘filing system’ (manual information in a filing system).
  • An online identifier is information provided by our “devices, applications, tools, and protocols” that could be used, in combination with other personal information, to create user profiles. Online identifiers include:
    • Internet protocol (IP) addresses
    • Cookie identifiers
    • Radio-frequency identification tags (RFID)

The GDPR affords added protection for special categories of personal data (“sensitive personal data”). These data include genetic, biometric and health data, and personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership.

The Data Protection Officer oversees the handling of personal data to ensure it meets GDPR requirements.

GDPR: Data Controller vs. Data Processor

Under the General Data Protection Regulation (GDPR), only data controllers and data processors can conduct lawful processing of personal data.

Article 4 of the GDPR defines data controllers and data processors in this way:

  • Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

So the controller determines why and how personal data will be processed, and the processor processes the data for the controller. The controller and the processor may or may not be the same entity.

What is processing?

Article 4 of the GDPR defines processing as an “operation or set of operations” performed on personal data, including:

  • Collecting
  • Recording
  • Organization and structuring
  • Storing
  • Adapting or altering
  • Retrieving
  • Consulting
  • Using
  • Disclosing by transmitting, disseminating, or making available in some other way
  • Aligning or combining
  • Restricting
  • Deleting
  • Destroying

The GDPR’s Article 28 states that data controllers must use stringent vendor risk management controls to ensure that their data processors comply with the GDPR. Those measures include:

  • Data privacy risk assessments for all third parties accessing personal data
  • Continuous monitoring of critical third parties
  • Documented evidence of their GDPR compliance

Mapping GDPR-regulated data is an important part of vendor risk management. Mapping shows where the data resides within the controller’s organization and at its third-party vendors, including processors. You can’t manage what you don’t measure.

Who Needs To Comply With The GDPR?

Business and other entities that process customer data of data subjects living in the European Union (see above for the definition of “processing”) must be GDPR compliant. This new privacy law applies not only to multinational corporations but also to U.S. companies of any size that collect the personal data of European Union residents.

Some 92 percent of American companies consider themselves affected by the GDPR, according to PricewaterhouseCoopers.

Industries most likely to be affected by the GDPR, as reported in CSO Online:

  • Technology companies
  • Online retailers
  • Software companies
  • Financial services
  • Online services in a cloud environment, such as software-as-a-service
  • Retail and consumer packaged goods

If you don’t comply

Failing to comply with this important law aimed at protecting personal information could cost your organization big-time, even if yours is a U.S.-based company.

The U.S.-based search engine Google, social-media site Facebook, and technology company Apple are all reportedly under investigation or have suffered major fines for GDPR infractions.

Fines for violating time-sensitive breach notification requirements as well as transparency, consent, and privacy-protection mandates could be as high as 4 percent of your organization’s annual revenue.

GDPR Requirements: How Do You Become Compliant?

The General Data Protection Regulation is a data privacy-protection law, and GDPR compliance requirements all center on the collection, processing, transmission, storage, and use of personal data in a manner that gives the individual who owns it—the “data subject”—the utmost authority over their information.

Although the GDPR aims to protect the data privacy of all people living in the European Union, the GDPR applies to organizations around the world, including the U.S. If your organization collects data from EU residents, no matter where it is located, it must follow this law—making GDPR compliance a must for most U.S. companies.

What is GDPR compliance?

Compliance with the world’s most stringent data privacy law requires much preparation and planning, no matter your organization’s size or location. Steps to GDPR compliance include:

  1. Map your data. This step begins with access to all the information that your organization has collected and stored. You’ll need to sniff it out, like a true detective: data in storage, data being transmitted, data you’ve shared or sold, structured data, unstructured data, data in Hadoop clusters and in data centers.
    Once your inventory is complete, you can take a breath: You now meet the GDPR’s requirement that you know precisely where all your organization’s data is located. Now, it’s time to classify it.
  2. Classify your data. The GDPR allows any EU resident to take their data away from your organization and give it to someone else (“data portability”). It says data subjects can have you delete their data altogether. To comply, you’ll need to be able to identify and retrieve all the requestor’s data quickly—and the best way to do this is by tagging or otherwise classifying every piece of personal data in your possession. If the task seems onerous or time-consuming, consider using a quality governance, risk, and compliance (GRC) software.
  3. Get your policies in order. To effectively manage your GDPR compliance, you must govern your organization’s handling of personal data. Good governance involves establishing policies and procedures, including a GDPR-compliant privacy policy, for securely processing, storing, and using personal information enterprise-wide. These policies should define roles and responsibilities, determine who has access to which data and how they gain that access, and link these parties to various parts of the data map you created in step 1.
  4. Secure and protect your data. Encryption, in which data is rendered unreadable except by authorized parties; anonymization, in which identifiers are removed from data; and pseudonymization, which replaces identifying information with false data to “mask” its owners, are GDPR-approved methods for protecting the privacy of data subjects. Storing data for only as long as you need it is also an effective privacy measure.
  5. Audit yourself. Self-audits are a great way to find compliance gaps before your GDPR compliance audit. To help, we provide a complete checklist for GDPR compliance in our GDPR audit guide —but the best GDPR compliance software can perform the audit for you in a few clicks, as many times as you’d like.

Preparing for a GDPR audit

GDPR Certification: Do You Need It?

Certification attesting to compliance with the European Union’s General Data Protection Regulation (EU GDPR) will be not so much a matter of “need” as of convenience. Because, while GDPR certification is voluntary, being GDPR compliant is not.

According to Article 42 of the GDPR, GDPR certifications can be obtained from accredited certification bodies, a “competent supervisory authority,” or, in time, by the GDPR Board, which may fashion a “common certification.”

At the time this guide was written, certification was not yet available. The European Data Protection Board (EDPB) published guidelines in January 2019 for would-be GDPR certification bodies to use when auditing for GDPR compliance, but accreditation standards had not yet been issued.

The guidelines provide a glimpse of what certification standards will entail:

Certification scheme criteria must be

  • Formulated clearly, and allow practical application;
  • Derived from GDPR principles and rules:
    • Lawfulness of processing (Article 6)
    • Principles of data processing (Article 5)
    • Data subjects’ rights (Articles 12-23)
    • Obligation to notify data breaches (Article 33)
    • Obligation of data protection by design and default (Article 25)
    • Whether a data protection impact assessment has been completed, where applicable (Article 35(7)(d))
    • Technical and organizational measures (Article 32)
  • Relevant to the target audience;
  • Scalable for different sizes and types of organizations, and
  • Interoperable with other standards.

In fact, HITRUST CFS has expanded to include the GDPR, and the HITRUST Alliance has applied to have HITRUST CSF recognized as a standard for GDPR certification.

Also, the International Organization for Standardization (ISO) recently published ISO 27701, a data privacy standard that references the GDPR, leading some to speculate that it may become the certification standard.

What is GDPR compliance?

Although Article 42 of the GDPR states that certification mechanisms will be issued to data controllers and processors, the The European Data Protection Boards guidelines clarify that natural persons, such as data protection officers (DPO), cannot be certified.

GDPR certification would go instead to data privacy and information privacy processes.

Specifically, the EDPR’s guidelines state that certification bodies must assess three core components in a GDPR certification audit:

  1. Personal data (material scope of the GDPR)
  2. Technical systems (the infrastructure, such as hardware and software, used to process the personal data)
  3. Processes and procedures related to the processing operation(s)

Although GDPR compliance certification will be voluntary, it may be in your organization’s best interest to obtain one, even if your company is located in the United States. If you process the personal data of anyone living in the European Union, you will be expected to be GDPR compliant. Having a certification in hand will demonstrate your compliance not only to regulators, but also to the public and the enterprises with which you do business.

Steps & GDPR Compliance Checklist For U.S. Companies

    • Appointing a data protection officer (DPO). In some cases, having a DPO is mandatory. Article 37 of the GDPR states:

The controller and the processor shall designate a data protection officer in any case where:

      • The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
      • The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
      • The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.

“On a large scale” is typically assumed to refer to companies with 250 or more employees.

Even smaller organizations may wish to hire or appoint a DPO, however. GDPR compliance is a complex and rigorous task, and having a single go-to person in charge of getting and staying there may ease the process.

    • Data breach notification. This concept isn’t new to U.S. companies, but the 72-hour timeframe is—as well as the expanded definition of “data breach.”

Currently, in the U.S., a data breach constitutes the “unauthorized access or acquisition” of certain personal data, including Social Security numbers and credit card numbers.

The GDPR’s definition is broader: a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”

The definition of “personal data” is also expanded under the GDPR, to include information that can be directly or indirectly associated with a natural living person. This broad scope includes IP addresses.

In the event of a breach, the GDPR requires the controlling organization to notify the appropriate “data protection authority” as well as customers if the breach poses a high risk to their privacy, rights, and freedoms.

Fortunately, U.S. states and territories have laws in place establishing the proper authority to notify should a breach occur, so whom to contact should not be an issue. However, needing to do so within 72 hours may require some revision of your processes.

  • Informed consent to collect and process data. No U.S. law requires this. The California Consumer Protection Act does require many U.S. businesses to solicit consumers’ consent before collecting their personal data, including disclosing why they’re collecting it and what they intend to do with it.
  • The “right to be forgotten.” The GDPR allows EU data subjects to request that your organization delete their data from your database—and your business and its partners and vendors must comply within 60 days.
  • Data portability. Under the GDPR, EU data subjects can view the data you’ve collected about them, and can have it transferred elsewhere.

Understanding these and other GDPR concepts is essential to GDPR compliance. As difficult as it may seem, noncompliance could fare even worse, especially for multi-national entities or those with large revenues.

The GDPR imposes steep fines on organizations that violate its rigorous standards: up to 20 million Euros or 4 percent of global annual revenue, per violation, whichever is larger.

GDPR Compliance Checklist for U.S. Companies

  • Conduct an information audit—to determine whether you need to comply with the GDPR and, if so, to collect evidence for your GDPR audit
    • What personal data does your organization process? Does any of it belong to EU individuals? Are the processing activities related to offering goods or services to those individuals? If so, you probably need to comply with the GDPR.
    • Document all the personal data that you have, where it came from, and with whom you share it.
  • Educate your employees about the GDPR and what compliance entails
  • Review your privacy notices and make sure they are clear and concise, and that they explain your “lawful basis” for processing personal data
  • Put procedures in place to provide data subjects’ personal information to them or delete it within 30 days of their requesting it
  • Set up a form on your website to obtain data subjects’ consent at the time of collecting their data
  • Establish a way to verify data subjects’ identities and ages, and for obtaining the parental or guardian consent of minors before processing their data
  • Encrypt your data. Doing so can reduce your fines should your data get breached.
  • Conduct a data protection impact assessment (DPIA)—a risk assessment concerning the data your organization processes
  • Tighten your data security. End-to-end encryption is a must.
  • Appoint a data protection officer or other person to oversee GDPR compliance
  • Draw up a data processing agreement with vendors requiring GDPR compliance, and have them sign it
  • Designate a representative in an EU member state, if Article 27 requires your organization to do so
  • If yours is a multinational organization, check your compliance with GDPR Article 45, which regulates the transfer of personal data from the EU to non-EU countries

How to Audit For GDPR Compliance

Although General Data Protection Regulation (GDPR) certification isn’t yet available, audits are still necessary to know that you’re in compliance.

Whether your entity qualifies as a data controller or data processor, a good GRC software can perform audits for you, flag GDPR compliance gaps, and tell you what you need to do to become compliant. Our handy GDPR audit checklist can steer you through the process, which, with 99 rules to measure against, can be quite complex.

We recommend proceeding methodically under the guidance of a data protection officer (DPA) or other person charged with data protection governance at your organization.

Gather all your documents in advance.

These include

  • Data classification records
  • Record of processing
  • Data collection and retention policies
  • Retention management documents, including emails and data tracking records
  • Access management policies
  • Risk management policies
  • Business continuity and disaster recovery policies
  • Third-party vendor contracts and policies
  • Data security policies and protocols
  • Breach management plan
  • Privacy policies
  • Register of Subject Access Requests

Break the regulation’s many elements into discrete categories.

The GDPR is essentially driven by two factors: personal data and risk. It lays down data processing rules to ensure the privacy of data owners, rules for safeguarding personal information against breaches and unauthorized use (risk), and rules for responding to breaches and theft in a timely and effective manner.

To make your project plan easier to devise and implement, we recommend that you comb through all 99 of the GDPR rules and divide them into the categories outlined in Article 5:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

Create a GDPR project plan to guide you through audit preparations step-by-step
. With each of the GDPR’s rules duly categorized, you can now begin examining your documents to determine which of your collected data is regulated by which rule, and how.

<p§>Your project plan should address

  • The scope of compliance
  • Roles within the organization related to GDPR
  • A process analysis
  • The rights of data subjects under the GDPR, and how you will meet them

Deploying a personal information management system can help you obtain consent and manage personal data otherwise in a GDPR-compliant way.

Complying with other security frameworks can increase your chances of GDPR compliance. The International Organization for Standardization’s publication ISO 27001, which governs information security management systems (ISMS), is one example.

Penalties for GDPR Non-Compliance

The penalties for non-compliance with the General Data Protection Regulation (GDPR) range from reprimands and demands for corrective action to potentially crippling fines. These penalties apply to data controllers—organizations that collect personal data in the course of conducting sales or other transactions with EU data subjects—and third-party entities that conduct data processing activities, such as cloud providers.

Hefty fines

GDPR fines are widely known and feared, and with good reason: they can be very steep, as much as 4 percent of an enterprise’s global “turnover” (revenue).

The heftiest fines go to organizations that do not comply with the GDPR’s basic data-processing principles, such as obtaining consent from data subjects before collecting their personal information. Violating data subjects’ rights or transfer personal data to countries or international organizations that do not have adequate security also incurs steep fines.

Lesser fines—up to 2 percent of global turnover—are more common for:

  • Insufficient data documentation
  • Failing to notify the proper supervisory authority or data subjects of a data breach
  • Lack of a data protection impact assessment (DPIA)

Fines may not be the end of an entity’s penalties for failing to achieve and maintain GDPR compliance. The regulation allows data-breach victims to sue the breached organization, as well.

Reputational harm

Who doesn’t know about the millions in fines the social media company Facebook incurred for violating the GDPR? The regulation’s stringent privacy and security requirements can help safeguard an enterprise against cybercrime. This helps companies avoid negative publicity and loss of customer trust, both of which can be devastating, perhaps even more so than fines.

Competitive losses

Not being GDPR-compliant means fewer vendors and service providers may want to do business with you. If you’re hacked, they could pay the price. The GDPR requires compliance agreements between data controllers and processors, and if you can’t meet the requirements, controllers will look elsewhere. No one wants to put their data or that of their customers at risk.

GDPR vs. CCPA: Similarities

Competitive Losses

GDPR: Protects the data of individuals (“data subjects”), not corporations or other legal persons

CCPA: Protects the data of individuals (“data subjects”), not corporations or other legal persons

GDPR: Regulates the entity that establishes the means and purposes of the data processing (“controller”)

CCPA: Regulates the entity that establishes the means and purposes of the data processing (“covered business”)

GDPR: Applies to the “processing” of personal data, with “processing” defined as “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

CCPA: Applies to “collecting” (“buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means”), “selling” (“renting, disclosing, releasing, disseminating, making available transferring, or otherwise communicating personal information for monetary or other valuable consideration”) and “processing” (“any operation or set of operations that are performed on personal data” by either automated or not automated means)

GDPR: Covers “personal data,” defined as information that directly or indirectly relates to an identified or identifiable person

CCPA: Covers “personal information,” defined as information that directly or indirectly relates to or could reasonably be linked to a particular consumer or household

GDPR: Does not pertain to anonymous data, or information that has been masked so that the data subject cannot be identified

CCPA: Does not pertain to aggregate or deidentified information

GDPR: Excludes data processing that has “no connection to a professional or commercial activity”

CCPA: Excludes data processing related to the non-commercial activities of a person

GDPR: Pertains not only to controllers, but also to the third-party entities that handle their data (“processors”)

CCPA: Pertains not only to businesses, but also to their “service providers” that handle their data

Right to Erasure or Deletion

GDPR: “Right to erasure” or “right to be forgotten” allows data subjects to ask controllers to erase their data, and requires them to comply and to have their processors delete it, too.

CCPA: “Right to deletion” allows data subjects to ask controllers to erase their data, and requires them to comply and to have their processors delete it, too.

Right to Parental Consent

GDPR: Requires parental or guardian consent to collect data from children under 16

CCPA: Requires opt-in consent from children under 16 and parental or guardian consent for children under 13

Right to Opt-Out

GDPR: Provides data subjects the right to stop processing of their data at any time, and a right to object if their personal data is processed on the basis of legitimate interest or performing of a task in the public interest

CCPA: Allows consumers to ask businesses not to sell their personal data

Right to Be Informed

GDPR: Requires data controllers to inform data subjects regarding the categories of their data to be processed, the purposes of processing, the data subjects’ rights, and how to contact the data protection officer

CCPA: Requires businesses to inform consumers about the categories of personal information they will collect, how the data will be used, and their rights, including the right to opt-out, regarding the sale of their data

Right to Access

GDPR: When responding to an access request, a data controller must indicate

  • The purposes of the processing
  • The categories of personal data processed
  • The recipients or categories of recipients that have received their data
  • Sources from which data was collected

The GDPR also grants individuals the right to obtain a copy of their processed personal data.

CCPA: When responding to an access request, a business must indicate

  • The categories of personal information collected/sold
  • The categories of sources from which the personal information is collected
  • The business or commercial purpose for collecting or selling personal information
  • The categories of third parties with whom the business shares personal information

The CCPA grants individuals the right to obtain a copy of the personal information collected about them.

Right to Data Portability

GDPR: Provides data subjects with the right to receive their processed data in a “structured, commonly used, and machine-readable format,” free of charge, and to transmit that data to another controller

CCPA: Provides consumers with the right, after making a data access request, to obtain their processed information in a portable and readily usable format that they can use to transmit it elsewhere to allow for the transmission of this data to third parties

Private Right of Action Damages

GDPR: Gives data subjects the right to file suit and claim damages for “material or immaterial damage” suffered as a result of a processor’s contractual non-compliance

CCPA: Makes service providers liable for civil penalties if they use the personal information received from businesses in violation of the CCPA, and allows civil penalties for failing to comply within 30 days of a complaint.

GDPR vs. CCPA: Differences


GDPR: Applies to the processing of personal data by all entities, if done for commercial purposes

CCPA: Applies only to data processed by for-profit entities

GDPR: Applies to the processing of personal data regardless of the kind of processing

CCPA: Applies primarily to the sharing or sales of information, with some requirements triggered by collection 

GDPR: Does not exclude specific categories of personal data

CCPA: Excludes

  • Medical and protected health information covered by the Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act (HIPAA)
  • Data collected as part of a clinical trial
  • Sale of information to or from consumer reporting agencies
  • Personal information under the Gramm-Leach-Bliley Act
  • Personal information under the Driver’s Privacy Protection Act
  • Publicly available personal information

Grounds for processing

GDPR: Allows data controllers to process personal data only when there is a “legal ground” for it, including the data subject’s consent

CCPA: Requires businesses to obtain consumers’ consent when they want to profit from their data

Right to Be Informed

GDPR: Requires data controllers to provide the following information to data subjects:

  • Identity of the controller
  • Contact details of the data protection officer
  • The legitimate interest of the data controller or the third party
  • The recipients or categories of personal data
  • Transfer of data to third parties
  • Data retention period
  • The right to withdraw consent at any time
  • The right to lodge a complaint with a supervisory authority
  • When data is necessary for the performance of a contract, the possible consequences of not allowing it to be used
  • The existence of automated decision-making such as profiling, including the logic involved and consequences of such processing

CCPA: Requires businesses to provide the following information to consumers:

  • The categories of personal information collected/sold/disclosed for business purposes in the previous 12 months

Right to Access

GDPR: Applies to all the data subject’s personal data collected and processed, including the retention period, the right to lodge a complaint with the supervisory authority, the existence of automated decision making, and whether there have been any data transfers.

CCPA: Applies only to personal data collected in the 12 months preceding the request.

Right to Data Portability

GDPR: Applies only to the personal data that the data subject has provided

CCPA: Applies only to the personal data collected within the preceding 12 months

GDPR: Gives data controllers one month to respond to a request, and two more months to provide the data

CCPA: Gives businesses 45 days to respond to a request, and 45 more days to provide the data

GDPR: Allows the data subject to have one controller transmit their data directly to another controller

CCPA: Allows only for consumers to receive their data upon request. Sending that data to another business is the consumer’s prerogative

Right to Correction

GDPR: Grants data subjects the right to correct inaccuracies in their personal data, and to complete it if it is incomplete

CCPA: Does not provide this right

Right to Stop Automated Decision-Making

GDPR: Gives data subjects the right to not have decisions made about them or to be profiled by an automated system, with some exceptions

CCPA: Does not provide this right

Right to Stop Third-Party Transfer

GDPR: Does not explicitly provide this right. However, it does provide data subjects with the right to, at any time, opt-out of having their data processed for marketing purposes and withdraw their consent to having their data processed at all.

CCPA: Gives consumers the right to opt out of the sale of personal information to third parties, and requires businesses to display a “Do Not Sell My Personal Information” link in a clear and conspicuous location on their website home page. Prohibits businesses from asking to sell a consumer’s data within 12 months after the consumer has opted out.

Right to Equal Services and Price

GDPR: Does not explicitly provide this right, but it is implied in several articles

CCPA: Prohibits discrimination against consumers who exercise their rights, including

  • Denial of goods or services
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties
  • Providing a different level or quality of goods or services
  • Suggesting they will receive a different price or rate for goods or services

Regulator Enforcement and Penalties

GDPR: Permits supervisory authorities to levy fines for non-compliance of up to 4 percent of annual global turnover (revenues) or 20 million euros, whichever is higher

CCPA: Enforcement is by the California attorney general. Allows civil courts to impose fines for non-compliance of up to $2,500 for each violation and $7,500 per intentional violation.

Automate GDPR With Compliance Software

Compliance with the European Union’s General Data Protection Act’s requirements can seem intimidating, especially for organizations across the pond.

U.S. companies that process EU citizens’ data must comply, however. EU regulators have already shown that they will levy steep penalties for GDPR non-compliance no matter where the offending enterprise is located.

But the recent passage of the California Consumer Privacy Act (CCPA), coupled with personal-data-protection laws pending in other states, makes data privacy a moving target. How to protect data subjects’ privacy in accordance with myriad regulations and requirements, and keep up with new laws as they emerge?

Ditch Your Spreadsheets

Spreadsheets are not the answer. Modern technological problems require modern, technological solutions. The best way to establish and maintain GDPR compliance is with a quality governance, risk and compliance (GRC) software—one that tracks, manages, and ensures compliance automatically.

Reciprocity’s ZenGRC solution is one of the top compliance services in the world, and with good reason: it takes the guesswork out of GDPR compliance quickly and easily.

Our cloud-based software

  • Deploys in a few hours—as opposed to days or even weeks for on-premises solutions—and probes your systems automatically for compliance gaps
  • Displays checklists and compliance status on color-coded, user-friendly dashboards so you can see in one glance what you need to do to meet GDPR requirements
  • Surveys your third-party vendors and service providers to ensure their compliance, too, and allows you to self-audit as often as you wish, in just a few clicks
  • Collects evidence of your compliance efforts in a “Single Source of Truth” repository for easy access at audit time

The Future is Now

ZenGRC not only simplifies the task of GDPR compliance, but it can also help your organization with multiple compliance projects. Its dashboards compare and contrast requirements of more than a dozen regulations and frameworks, streamlining and simplifying compliance and saving you time, money, and hassle.

And because ZenGRC continually adds and updates its compliance frameworks, it’s well-equipped to keep pace with the fast-changing regulatory landscape. ZenGRC can lead your enterprise into a new, privacy-oriented future.

The result: worry-free, automated compliance with ZenGRC, freeing you to focus on other tasks—such as satisfying your customers and maximizing your profits. Why not contact a Reciprocity GDPR expert today for your free consultation?

Learn More

Buyers Guide to ZenGRC

Read more

What your organization can and cannot do under GDPR

Read more

Get the Facts About ZenGRC

Read more