October 5, 2021

Who should comply with GDPR?



You may have heard of GDPR within the last few years, but do you know what GDPR is? GDPR, or the General Data Protection Regulation, is a law that was instituted by the European Union to protect the data collection and data use rights of its residents no matter where their activities took them. It’s a comprehensive data security law, so it leaves many business operators asking, “When it comes to GDPR, do I need to comply?”

It all depends on how you’re conducting business and with whom you’re conducting business. Let’s take a closer look at the question of who should be GDPR compliant.

Who has to comply with GDPR?

According to the way GDPR is written, it applies to any entity (any person, business, or organization) that collects or processes personal data from any person in the European Union. For example, any business that accepts orders from EU-based users must be GDPR compliant. Anyone who has a website that collects data about its visitors and is able to receive visitors in the EU also needs to be GDPR compliant.

The law is written this way because it’s designed to protect the data and privacy rights of any internet users within the EU, no matter where they go online or where they shop. So in general, if you do business with EU residents, you’re required to comply with GDPR.

What information does GDPR apply to?

When you hear that GDPR applies to anyone who collects or processes personal information about EU residents, the natural next question to ask is, “What do they define as personal information?”

For the purposes of GDPR, “personal information” or “personal data” includes just about anything. It includes the person’s basic information like their name and date of birth, as well as their geographic information, IP address, cookie identifiers, health data, payment information, and more.


Do we need to be GDPR compliant if we’re not based in the EU?

This is a common question that has led to many misunderstandings. Because GDPR is written in a way to protect EU users, even people and organizations based outside the EU need to comply if they will be taking in any data from EU users.

In reality, there may be more organizations that do need to comply with GDPR than those that don’t. For example, if you are a US-based app developer, your app is exclusively available on US-only app stores, and you only collect data from users who have downloaded the app, you wouldn’t need to be GDPR compliant because no one in the EU can download your app.

Do I need GDPR for my website?

In the vast majority of cases, if you have a website, then yes, you do need to comply with GDPR. Most websites collect some type of data. Even if you aren’t using cookies and other types of automated data collection, if you have a contact form on your website and an EU user could fill it out, you’re responsible for complying with GDPR as a result.

If you have a website and you’re asking, “Do I need to be GDPR compliant,” one of the rare cases in which the answer would be “no” is if your website is restricted to specific geographic locations that aren’t in the EU. In this case, your site can’t be accessed by anyone in the EU.

When do we have to be GDPR compliant?

GDPR is a relatively new law, so when do you need to be GDPR compliant? GDPR was adopted as a law by the EU in 2016 and they provided a two-year transition period, so the law fully took effect in May 2018. Since it is now a few years past 2018, every person, organization, or business that may process or collect information from EU residents must be GDPR compliant now.

If you aren’t currently compliant with GDPR, it’s important to take steps to become compliant immediately because the penalties for non-compliance range between €10 million and €20 million, or higher depending on your annual global turnover. If you are launching a new EU-accessible website or opening a business that will serve EU customers, it’s best to become GDPR compliant before your site or business goes live.

How to get started with GDPR compliance

If you’ve just discovered that you need to comply with GDPR, don’t panic. You can start taking concrete steps toward your compliance right away. There are automated platforms that make it easy by scanning your system to determine which compliance requirements you already meet and which ones you need to correct. When you’ve met all the requirements for GDPR compliance, the platform can easily document each of these requirements so you can reference them at any time.

