Not everyone can be a GDPR compliance specialist, but that doesn’t mean you should ignore data protection and privacy; especially if you run a business. Even though much talk has been made of the May 2018 deadline for GDPR compliance, being GDPR-ready is not a one-time project. It’s an ongoing approach to business.
This is why GDPR puts more responsibility on organizations and increases the rights of individuals.
Some consultants we talked to say that there is no such thing as being 100% GDPR compliant. It’s more about taking a look at data and processes from an “ethical” standpoint and not as much about “tools” or “checklists”.
So, don’t search for a template, each organization has its way of doing things. Try to develop efficient data protection and privacy strategy based on your scenario. This guide is just a starting point, with a high-level and general approach. Ideally, you will need to dig into each area of your business and look at how you collect, process, disclose, store and delete data.
1. Know the key concepts and articles regarding GDPR
There are only a few situations where businesses don’t process information at all. In most cases, there are different levels of key personnel (HR, IT, marketing, security teams) that interact with customers’ data and therefore should be aware of the General Data Protection Regulation. It isn’t a one-person show. You need both technical and legal implementations.
Understanding the terms is a big step. Here are some that we will use in the guide and will help you navigate GDPR:
- Data subject – a natural person whose personal data is processed by a controller or processor.
- Data controller – the entity that determines the purposes, conditions, and means of the processing of personal data.
- Personal data – any information related to a natural person or Data Subject that can be used to directly or indirectly identify the person.
- Data processor – the entity that processes data on behalf of the Data Controller.
Next, get yourself familiar with the articles below. This will make your transition to the GDPR less difficult.
- Art. 5: Principles relating to the processing of personal data.
- Art. 6: Lawful bases of personal data processing.
- Art. 12 – 22: Data subject rights (access, data portability, right to be forgotten, etc.)
- Art. 25 & 32: Companies should implement the necessary protection measures to protect the personal data of the data subject.
2. What to do for GDPR compliance now
You should take action in a handful of different areas:
2.1. Data mapping
An important step towards compliance with GDPR is to understand how data moves in your organization. Documenting the way information flows in your company by making an inventory helps you demonstrate that you comply. A good starting point should be this data map: GDPR Data Map Template
Mapping the flow of data will also help you identify areas that could cause GDPR compliance problems. Remember that processing operations can be conducted only if the data controller can rely at least on a lawful basis. The most appropriate lawful basis will depend on the personal data being processed and the purposes for processing.
You must communicate to individuals the legal basis for processing the data, retention periods, the right to complain when customers are unhappy with your implementation, whether their data will be subject to automated decision making, and their rights under the GDPR.
Furthermore, you must provide the information in concise, easy to understand and clear language.
The GDPR is a business change project – the people you work with need to understand the importance of data protection and be trained on the basic principles of the GDPR and the procedures being implemented for compliance.
Share this article with people that need to be informed.
3. GDPR compliance steps to take next
Data controllers should always cooperate with the Supervisory Authority regarding the fulfillment of their tasks.
Schedule regular audits of data processing activities and security controls in your organization. Keep records of personal data processing up to date for proof of consent.
3.1. Check what other vendors are doing
Because GDPR has no clear-cut rules, the market will have to come up with different tactics to make sure that data is in compliance but not sacrifice user experience. A lot of companies came out with new features in the weeks before the initial GDPR deadline in May 2018, so be sure to check competitor websites for changes and best practices for your niche.
3.2. Report data breaches
You should make sure you have the right procedures in place to detect, report and investigate not only internal but also external data breaches. Be smart while setting up the data breach matrix based on data breach severity, the number of data subjects affected, type of personal data affected, etc.
Typically, you must report data breaches to the Supervisory Authority within 72 hours, unless the personal data was anonymized or encrypted.
3.3. Continue working on operational policies, procedures, and processes
As mentioned before, privacy is not a one time project. It is continuous work to make sure that the data you collect is safe and used with a proper scope. You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
4. Website adjustments
This topic is a little bit controversial, especially for developers and marketers. I would say that adjusting forms and getting consent for cookies should fix 80% of the issues. However, keep in mind, this is not legal advice.
4.1. Opt-In Forms
This is the standard way businesses gather information, so you need to adjust all the forms you use. There isn’t a consensus on how to best do this, but we are following our email service provider’s recommendations. This infographic on making opt-ins GDPR compliant is a good starting point.
4.2. Cookie Consent
The short version: inform your visitors in plain language about the purpose of your cookies and trackers before setting anything other than strictly necessary cookies.
There are different ways companies implement this, and the GDPR reference to cookies doesn’t clear things up. Sure, there are so-called functional cookies that are used for a session, but you need specific consent to set a cookie to track the user.
What you need to know here, is that another European regulation (ePrivacy) is coming out which will legislate cookies even more.
5. Other GDPR compliance issues to consider
Here are other aspects of the GDPR that are no less important:
5.1. Data transfer and disclosure
Eyes on personal data transfer. Make sure that your data processors will ask for your approval whenever they intend to transfer data outside the EU/EEA. The same rules apply when the data processors intend to subcontract part of the services they provide.
5.2. Data Protection Impact Assessments (DPIAs)
The GDPR introduces mandatory DPIAs for organizations involved in high-risk processing, such as new technologies being deployed, a profiling operation likely to affect individuals significantly, large-scale monitoring of a publicly accessible area, etc.
5.3. Legitimate Interests Assessments (LIAs)
Unlike DPIAs, LIAs is just a best practice developed mainly by privacy specialists and refers to all those situations when the data controllers seek to rely on legitimate interests (marketing operations, etc.). An “interest” can be considered as “legitimate” as long as the data controller can pursue this interest in a way that complies with data protection and other laws.
5.4. Data Protection Officers
The GDPR will require some organizations to designate a Data Protection Officer (DPO). Organizations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organizations that process what is currently known as “sensitive personal data” on a large scale.
5.5. Processing Children’s Data
If your organization processes data from underage subjects, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians. GDPR has some specific provisions for children under 16 years old (please note art. 8 of GDPR)
6. Monitor and audit
Businesses must acknowledge that being transparent about how data is used and protected is now required by law. Each organization (including charities and public sector entities) must define a scope for which they collect specific data.
You should only collect personal information that is needed to provide the service or product and nothing more. Also, the data should not be shared for other unrelated purposes.
Another big thing is to keep the data safe from hacking, accurate and up to date, and even delete it after a period.
General Data Protection Regulation is leaving lots of room for improvement when it comes to protecting individuals. This is why the future ePrivacy Regulation will bring even more transparency, especially in Big Data, shedding some light on occurrence and purpose of analytics. This should be a good enough reason to monitor and audit your data on a regular basis.
Don’t stop here. Go to the official resources we used for this guide and learn about privacy.
In the end, there are levels of compliance, and you should decide which one fits you based on a lot more factors that the ones listed here. However, this is a great start to get you going in the right direction and towards GDPR compliance. Of course, as a business, we all need to keep ourselves competitive in the marketplace so there will be some trade-offs.