It's expensive when you don't comply with the General Data Protection Regulation (GDPR) controls — take for example the €310 million fine (equivalent to $335 million dollars) that LinkedIn received from the GDPR. In this case, they shared users’ personal data for targeted advertising and behavioural analyses, without asking for user consent. Can you afford €310 million? It might be time to automate GDPR controls for 24/7 compliance.
What is the GDPR?
Back to topThe General Data Protection Regulation (GDPR) is a comprehensive law designed to protect the privacy and personal data of individuals within the European Union (EU). To comply with the GDPR, organisations must implement a variety of technical and organisational controls. These controls are essential to safeguard personal data and mitigate potential risks.
What are GDPR Controls?
GDPR controls are the specific measures and practices that organisations must implement to meet the requirements of the GDPR. These controls are designed to ensure the security, integrity, and confidentiality of personal data.
Implemented in May 2018 with eleven unique chapters, the goal of the GDPR can be summarised by Recital 4 within its chapters: the “processing of personal data should be designed to serve mankind.” The GDPR offers rights to data subjects, like the right to reject the use of their personal information for marketing. Most importantly, Article 82 stipulates that if a person has suffered material or non-material damage, they have the right to compensation.
“Personal data” as defined by the GDPR is any piece of data that relates to an identified person. The collection, management, and security of this personal data is addressed by the GDPR for key issues such as:
- Consent
- Encryption
- Email Marketing
- Right to be Informed
- Records of Process Activities
- Right of Access
- Right to be Forgotten
If you're an organisation collecting any form of personal data on residents of an EU country, you are either a “data controller” or a “processor.” The only exemptions are data used for personal or household activities, national security, and law enforcement.
Data Controllers:
- Decide why and how personal data will be processed.
- Accountable for ensuring that data processing activities adhere to the GDPR's principles.
Examples: A company that collects customer data for marketing purposes, a healthcare provider that stores patient records, or a university that maintains student information.
Data Processors:
- Carry out specific data processing tasks as instructed by the data controller.
- Does not have autonomy in deciding how or why the data is processed.
Examples: A cloud service provider storing data on behalf of a company, a payment processor handling transaction data, or a marketing agency conducting email campaigns.
The GDPR model has become the basis for similar data regulations in other countries around the world, including the UK, Brazil, Japan, and Singapore. It should also be noted that GDPR applies to all EU citizens, regardless of where the company resides.
Back to topGDPR Fines and Enforcement
What is at risk for non-compliance? There are two tiers of penalties depending on the type of violation and that max out at either €20 million euros or 4% of total global revenue, whichever is higher. And as mentioned, the data subjects also have the right to seek compensation for damages — which is an entirely different fine that must be paid.
Who enforces the GDPR and investigates complaints to determine if the GDPR has been breached?
Individual Data Protection Authorities (DPAs) from the EU member states have the authority to make sure that the data protection law is being followed through investigative and corrective means. Each of these DPAs work together as a group within the European Data Protection Board.
Social media organisations top the chart for the highest individual fines, along with retailers and communication platforms. A few of the highest individual fines + the reason that they were fined include:
- Meta (owner of companies like Facebook, WhatsApp, and Instagram), fined €1,200,000,000 for having an insufficient legal basis for data processing.
- Amazon Europe, fined €746,000,000 for not complying with the GDPR’s general processing principles.
- TikTok, fined €345,000,000 for not complying with the GDPR’s general processing principles.
Organisations aren’t the only entities receiving fines for GDPR violations; in some cases, individuals have been fined as well. Some of the most common reasons that organisations or individuals are fined include:
- Insufficient Data Protection Measures: This includes neglecting encryption, access controls, and incident response plans.
- Lack of Transparency: Organisations must be transparent about how they collect, process, and store personal data.
- Illegal Data Transfers: This includes transferring data to countries with lower data protection standards.
- Data Breach Notifications: Organisations must promptly inform the relevant authorities and affected individuals.
- Failure to Honor Data Subject Rights: Denying individuals their rights to access, rectify, erase, or restrict the processing of their personal data can result in fines.
For your own reputation, the security of your customers, and at risk of hefty fines — it’s business critical to implement GDPR controls and enforce ongoing compliance. Discover additional GDPR compliance requirements for data.
Back to topAutomate GDPR Controls
Building out GDPR controls for your infrastructure using policy as code (PAC), and then automating enforcement, can significantly reduce time spent on the endless task of compliance remediation and audit-prep. It also can help mitigate human error and improve your overall efficiency by automating tasks like:
- Centralised configuration management
- Automated patch management
- Data access control automation
- Data encryption automation
- Log management and monitoring
- Reporting
This is where Puppet help — Puppet Enterprise Advanced is equipped with Security Compliance Enforcement, which automatically and continuously enforces hardened infrastructure baselines across on-premise and hybrid cloud environments.
To avoid fines, Security Compliance Enforcement automatically creates a virtual paper trail that can help you stay continuously DPA audit ready. It also relieves the manual and continuous work of aligning with GDPR controls and then remediating when something goes wrong: automation maintains compliant configurations 24/7, even when there is an outage.
See how Puppet can enforce GDPR-specific controls with a custom demo: