If your organization is not compliant with the General Data Protection Regulation (GDPR), you risk incurring substantial fines and other penalties. So, how do you ensure that your organization is GDPR compliant?
In this article, we will set out the basics of GDPR compliance and what you need to do to meet it. This should give you a better understanding of the GDPR, which will help you keep both your organization’s and your customer’s data safe.
What Is General Data Protection Regulation (GDPR)?
The GDPR is the European Union’s current regulation on data protection and privacy. It was developed and passed by the European Union to regulate how organizations collect and handle the data of European Union citizens.
The GDPR was adopted by the European Parliament in April of 2016 and took effect in May 2018. It applies one standard to all EU member states.
However, this standard is pretty high. It often requires organizations to invest a considerable amount of time and money to ensure that they meet it. As such, compliance with the GDPR is not very easy to achieve — especially for small and medium-sized businesses.
Amongst other things, the GDPR protects the personal data of EU citizens collected during transactions that take place in the EU. It also regulates how personal data is exported outside of the EU.
Although it regulates how organizations collect, process, and use the personal data of European Union citizens, it does not only apply to organizations in the European Union.
The GDPR sets out certain criteria which, if met, make an organization subject to the GDPR, regardless of whether or not it is based in the European Union. For example, if an organization collects or targets European Union citizens’ personal data, it will be subject to the GDPR.
This means that the GDPR operates on a global scale. In fact, it is one of the strongest global privacy regulations in operation today.
Failure to comply with the GDPR can have significant consequences. It can lead to hefty fines. These often amount to millions of US dollars, especially for data breaches and misuse of data.
The Importance of The General Data Protection Regulation
The GDPR shows the EU’s strong stance against misuse and abuse of data. We live in an increasingly digital age, with targeted advertising becoming commonplace, along with ethically and legally ambiguous use of personal data.
The GDPR exists to ensure data security, especially for many consumers who are unaware of how their personal data is being collected and used. It protects against data breaches and the exploitation of consumers’ personal data.
Data Privacy On The Internet
The introduction and evolution of the internet opened a proverbial can of worms when it comes to protecting consumer privacy.
In response to this, the EU, realizing the need to update their protections for personal data, introduced the European Data Protection Directive in 1995. This set minimum data protection standards with which EU member states had to comply. Each member state was to implement its own data protection laws which complied with these standards.
However, the internet only got bigger over time. Now, we do everything from working, banking, and shopping to socializing and relaxing on the internet. The dominance of the internet in our lives has made collecting personal data a daily occurrence, with most consumers unaware of when and how websites collect or use their data.
The internet now hosts data collection on an enormous scale, bringing with it no shortage of controversies and consumer mistrust.
As the internet becomes an increasingly dominant force in our lives, the need for personal data protection and sophisticated regulation grows. Therefore, the EU's data protection authorities decided to implement a comprehensive regulatory approach to the protection and privacy of personal information in the form of the General Data Protection Regulation.
To understand the world of GDPR and GDPR compliance, you need to have a basic understanding of certain terms that are used throughout the GDPR. Let’s define some of these terms before we get into some of the more complicated bits. Note that many of these are interrelated and rely on each other.
Data Subject
A data subject is a natural person (i.e. not a juristic person like a company) whose personal data is collected, held, and/or processed by a data processor or data controller.
Personal Data
Any information related to the data subject that directly or indirectly identifies them in their private, professional, or public capacity. Examples include photos, their name, their email address, biometric data, genetic data, and more.
Data Controller
The entity that is responsible for determining the purposes, conditions, and means of processing the personal data of data subjects.
Data Processor
The entity that works with the data controller and processes the personal data of data subjects on behalf of the data controller.
Processing
An operation or set of operations, automated or manual, that is performed on the personal data of one or more data subjects. This includes collecting data, structuring data, adapting or altering data, recording data, organizing data, retrieving data, and more.
Consent
An unambiguous, specific, freely given and informed indication that the data subject agrees to have their personal data processed. This can take the form of an explicit statement or another clear indication to that effect.
GDPR Data Subjects Rights
The GDPR is predicated on 8 data subject rights, which inform the general data protection regulations and how they are enforced. It would be difficult to ensure GDPR compliance if you do not have, at the very least, a basic understanding of these rights.
The Right To Be Informed
Data subjects have the right to be informed about when and how their personal data is being gathered and used. Any consent they give to having their personal data gathered and used must be informed consent. This is codified in Articles 12 to 14 of the GDPR.
The Right To Access
Data subjects have the right to request copies of their personal data that is being collected and used. They may also inquire as to how you are using, processing, storing, or transferring their data. If requested, you must give the requesting data subject a free electronic copy of their personal data. This is codified in Article 15 of the GDPR.
The Right To Data Portability
Data subjects have the right to request that you transfer their data to them or another data controller. When they do, this data transfer must take place in a commonly-used machine-readable format. This is codified in Article 20 of the GDPR.
The Right To Rectification
Data subjects have the right to request that you update outdated personal data or correct inaccurate personal data. This is codified in Article 16 of the GDPR.
The Right To Erasure / The Right To Be Forgotten
Data subjects have the right to request that you erase personal data if they withdraw their consent to use their data or are no longer customers. However, this right is not absolute and is subject to certain exceptions. This right is codified in Article 17 of the GDPR.
The Right to Restrict Processing
Data subjects have the right to request that you stop processing their personal data or that you stop a certain kind of processing of their personal data. This is codified in Article 18 of the GDPR.
The Right To Object
A data subject has the right to request that you stop using or processing their personal data. If they do so, you must stop immediately. There are no exceptions to this rule. This is codified in Article 21 of the GDPR.
Data subjects also have the right to request that decisions are not made with their data based solely on profiling or automated decision-making.
The Right To Be Notified
Data subjects have the right to be notified if there has been a breach of their personal data. Should a personal data breach occur, you must notify any affected data subjects within 72 hours of learning about the data breach.
Customer Data the GDPR Protects
The GDPR protects almost every conceivable type of data an organization would collect that could be used to identify a data subject. This includes the more obvious types of data like the subject’s name and address, as well as more obscure information like their IP address or health information.
Below is a list of the types of consumer data protected by the GDPR.
- Basic identity information, for example, your name, email address, physical address, etc. This includes user-generated data, such as social media posts.
- Genetic and other health data
- Ethnic or racial data
- Sexual orientation
- Web data, e.g. your IP address, location, cookie data, and RFID tags
- Biometric data
- Political affiliations and beliefs
- Any other information that can be used to help identify a data subject
Companies Affected By The GDPR
Although the GDPR governs the privacy of EU residents, it does not only apply to EU companies. Your company will have to comply with the GDPR if you meet at least one of the following criteria:
- Your company has a presence in an EU country
- Your company processes the personal data of EU citizens, regardless of whether or not your company has a presence in an EU country.
There are, however, some nuances to GDPR compliance if your company has fewer than 250 employees. Some companies with fewer than 250 employees do not have to comply with many of the record-keeping obligations in the GDPR. However, they still have to comply with the other GDPR requirements.
This only applies to companies with fewer than 250 employees that meet all of the following requirements:
- Their data processing does not impact the rights and freedoms of EU data subjects.
- Their data processing is only occasional.
- Their data processing does not include special categories of data (these are set out in Article 9 of the GDPR).
- Their data processing does not include personal data that relates to criminal offences and convictions, as set out in Article 10 of the GDPR.
Companies meet these requirements very rarely. As a result, the exceptions to GDPR compliance for companies with fewer than 250 employees do not often apply. In fact, a survey conducted by PwC revealed that 92% of companies in the USA consider GDPR compliance to be one of their top data protection priorities.
Why You Should Be GDPR Compliant
One of the biggest reasons to comply with the General Data Protection Regulation is that compliance is mandatory. It is not the only incentive, however: GDPR compliance also brings additional benefits for your company and its reputation.
Being GDPR compliant shows the world that your organization is professional and trustworthy.
If you are not GDPR compliant, you risk problems arising that could do irreparable damage to your reputation. For example, a data breach could result in fines, lawsuits, and investigations. This will harm your organization’s image. Moreover, the data breach itself could harm your reputation.
GDPR compliance is a great way to minimize your risk of data breaches and other security incidents occurring. Further, should such incidents occur, it shows the world that you have done your best to mitigate these risks.
Overall, being GDPR compliant will help improve your reputation, which is always a plus!
Increase Customer Loyalty
Customers today are increasingly prioritizing the safety of their personal data. There is a growing distrust of websites collecting and using consumers’ personal data. Therefore, consumers generally prefer organizations that will ensure that their data is safe and give them some control over their data.
If you are GDPR compliant, this signals to customers and other businesses that their data will be safe with you. It shows that you have taken certain steps to ensure the safety of their personal data.
Thus, many customers and businesses will choose to work with an organization that is GDPR compliant over one that is not.
How To Achieve Compliance
Achieving and maintaining GDPR compliance is no simple task. It involves a variety of tasks across different areas of your business. Many of these need constant attention, and you will need to update them regularly.
You cannot ensure that your company is complying with the General Data Protection Regulation if you do not know how data is transmitted in your company.
A thorough approach to achieving and maintaining data compliance requires a strong grasp of how data subjects’ personal data is transmitted within your organization.
Make sure to understand and record how your data subjects' information moves within your company. This will help you understand where you are already GDPR compliant and which areas you need to change to become GDPR compliant.
Once you have achieved GDPR compliance, having a record of how information moves within your company will make it easier for you to prove to others that you are compliant. One of the best ways to record this information is a data map.
Lastly, your data policy should highlight data subjects' right to complain, your retention periods, and any automated decision-making based on their data.
You must communicate all of this in a very clear and concise manner. Try to avoid legalese and don’t hide the main message in a lot of additional and unnecessary information. It must be very easy to understand. This is especially the case for any information that is addressed to a child.
No matter how technically strong your data security is, if your employees are not clued up about your security policy and how it works, mistakes can happen. The last thing you want is to have sophisticated technical security, but have an operational weak link.
To have a successful GDPR compliance project, everyone from your staff to your partners and collaborators must understand the importance and nature of your data security policy.
Set aside some time and resources to educate your staff about GDPR principles and the procedures you are implementing to ensure that your company complies with them.
Your employees and team members should, at the very least, have a basic understanding of some of the most fundamental parts of data security. These include email security, two-factor authentication, VPNs, passwords, device encryption, and more.
Your employees who will be processing sensitive data should be given further training to ensure that they have a good grasp of the GDPR.
Have a look at Article 13 of the GDPR. This will give you a good sense of how you should approach the training aspect of GDPR compliance.
Necessary Website Adjustments to Meet GDPR Compliance
Updating your website to ensure GDPR compliance can be a daunting task. However, in most cases, using consent forms and adjusting existing forms to be GDPR compliant should fix most of your problems and get you well on your way to GDPR compliance. Note that this is anecdotal, not legal, advice.
Some cookies are essential for website operation. For example, if a user puts something in an online basket, the website needs to be able to remember what was in their basket.
As soon as you start using cookies other than those that are essential to website operation, a user must consent to these cookies.
Note that you must get this informed consent from your users regardless of whether the cookie data is anonymous or personal. However, if the cookie data is personal, you will have to comply with additional rules for GDPR compliance. For example, you will need to conduct a Data Protection Impact Assessment and keep a record of all data processing that occurs.
One of the most popular ways for an organization to collect personal data from their data subjects is through web forms. If you are using web forms, you must ensure that they are adjusted for GDPR compliance.
There is no set method you can follow to do this. If you are using an email marketing platform, they will often be able to guide you through this process. If you are not, take a look at the web forms used by other organizations that are GDPR compliant to get an idea of what your forms should look like.
Make It Easy To Withdraw Consent Or Opt-Out
GDPR compliance is not only about getting consent and using opt-in forms. It is also about allowing your data subjects to withdraw or change their consent and opt out of things at any stage.
You must ensure that your data subjects know that they can withdraw or change any consent they have given whenever they want. You should also make it easy for them to withdraw their consent. For example, you can give them the option to withdraw or change their consent in your footer, through a widget or even on your cookie declaration page.
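The cookie rule above (essential cookies need no consent, anything else does) and the withdrawal requirement can be enforced in one small gate. The following is an added example, not code from this article; the cookie names, categories and in-memory store are constructed for illustration, and in a browser the store would wrap document.cookie instead.

```javascript
// Catalogue of every cookie the site may set, keyed by name. Anything not
// listed here is refused, so an unknown tracker cannot slip past the gate.
// Names and purposes are constructed for this example.
const COOKIE_CATALOGUE = {
  cart_id: { category: "essential", purpose: "remembers the basket" },
  session_id: { category: "essential", purpose: "keeps the visitor logged in" },
  _site_stats: { category: "analytics", purpose: "page-view statistics" },
  _ad_tag: { category: "marketing", purpose: "targeted advertising" },
};

// Minimal cookie store with the three operations a document.cookie wrapper
// would need; kept in memory so the example runs outside a browser.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()].sort(); }
}

class ConsentGate {
  constructor(store) {
    this.store = store;
    this.granted = new Set(); // non-essential categories the visitor opted into
    this.log = [];            // audit trail of consent changes, for proving compliance
  }

  // Returns true if the cookie was set, false if it was withheld for lack of consent.
  setCookie(name, value) {
    const entry = COOKIE_CATALOGUE[name];
    if (!entry) throw new Error(`refusing unlisted cookie "${name}"`);
    const allowed = entry.category === "essential" || this.granted.has(entry.category);
    if (allowed) this.store.set(name, value);
    return allowed;
  }

  // Opt-in is per category, so a visitor can accept analytics but not marketing.
  grant(categories, at = new Date()) {
    for (const category of categories) {
      if (category === "essential") continue; // needs no consent, never recorded as such
      this.granted.add(category);
      this.log.push({ at: at.toISOString(), category, action: "granted" });
    }
  }

  // Withdrawal is as easy as granting: one call drops the category and deletes
  // every cookie that was set under it.
  withdraw(category, at = new Date()) {
    this.granted.delete(category);
    for (const [name, entry] of Object.entries(COOKIE_CATALOGUE)) {
      if (entry.category === category) this.store.remove(name);
    }
    this.log.push({ at: at.toISOString(), category, action: "withdrawn" });
  }

  // What a footer "reject all" link would call.
  withdrawAll(at = new Date()) {
    for (const category of [...this.granted]) this.withdraw(category, at);
  }
}
```

Wiring the same gate to the consent widget, the footer link and the cookie declaration page keeps all three paths consistent, and the log gives you the record of consent changes you may be asked to produce.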
Continually Upgrade Processes, Procedures, And Policies
GDPR compliance is a continual process, not a once-off task. Every time you develop a new product or implement a new process, policy or procedure, you must ensure that it is GDPR compliant.
You should also be continually assessing your existing procedures and processes to ensure that they are in line with the GDPR.
Every time you do anything with a data subject’s data, you must consider the GDPR and whether your actions are in line with it. You should also verify any data transmission outside the EU for GDPR compliance. Moreover, every third-party contract must be drafted to comply with the GDPR.
Essentially, you should constantly consider whether your actions are in line with the GDPR. If any of them are not, this indicates a weak point in your procedures that you need to update to comply with the GDPR.
Terms and Conditions
You should also update the terms and conditions on your website to include GDPR terminology. Your terms and conditions must explain what you will do with the data subject’s information once received. Moreover, it should include how long you will keep their information on your website and in your office systems.
If a data breach occurs, you have to report it to the supervisory authorities within 72 hours of coming to know of the breach. Note that this is only the case for a breach of data that is not anonymized or encrypted.
If you are an EU-based organization, you must report the breach to the supervisory authority in your jurisdiction. The GDPR is silent, however, on whom you should report a breach to if you are not an EU-based organization. Most English-speaking non-EU organizations notify the Office of the Data Protection Commission in Ireland.
You are not only required to report the data breach to the supervisory authorities. You must also inform your data subjects about the breach unless the breach is unlikely to put them at risk. Stolen data that is encrypted, for example, will not put the data subjects at risk.
To enable you to report data breaches in time, you must ensure that you have procedures in place that will help you identify, examine and announce data breaches, both external and internal.
You should set up a data breach matrix. It should allow you to be cognizant of the type of personal data that has been subject to the breach, the severity of this data breach, as well as the number of data subjects that are affected by the breach.
Other GDPR Concerns
All GDPR requirements are important because a failure to adhere to a single one of them will prevent your organization from being GDPR compliant.
However, some requirements are less common. We have already covered most of the common requirements for GDPR compliance that will apply to almost every organization. Now, we will consider some of the less common requirements for GDPR compliance.
If you are transmitting any data outside of the EEA or EU, you must ensure that you do not violate any GDPR requirements. Whenever your data processors intend to transmit data, they should ask for your approval before doing so.
You must also tread carefully if you are contracting with a third party that will have access to your data subjects' personal data.
If you use a third party to process personal data on your behalf, you should sign a processing agreement between your organization and the third party.
Many services that involve processing your data subjects’ personal data will have a standard processing agreement on their website. Check it out, and double-check that it is GDPR compliant before you engage in their services.
Data Protection Impact Assessment
In certain circumstances, the GDPR requires you to carry out a data protection impact assessment.
This assessment is mandatory if you are planning to use your data subject’s personal data in a way that is “likely to result in a high risk to [their] rights and freedoms.” Examples of this include deploying new technologies, leading a profiling operation that can affect individuals, or monitoring large-scale public areas.
Although this is only mandatory for high-risk data processing, it can be helpful to carry out a data protection impact assessment every time you are processing personal data.
The website of the UK Information Commissioner’s Office has a helpful checklist that you can use to carry out your data protection impact assessment.
Data Protection Officer
In certain circumstances, the GDPR requires you to have a Data Protection Officer. The Data Protection Officer should be an expert on data safety, and their job is to assess data protection risks, monitor GDPR compliance, advise you on data protection impact assessments, and cooperate with regulators.
You must have a Data Protection Officer if your organization is a public authority, processes sensitive data on a large scale, or regularly and systematically monitors data subjects on a large scale.
Although it is not always mandatory to have a Data Protection Officer, it is a good idea to have one if it is feasible.
Legitimate Interest Assessment
A legitimate interest assessment is not a term that is ever directly used in the GDPR. However, it is a practice that has emerged and should be conducted whenever data controllers rely on legitimate interests as their basis for processing data.
A legitimate interest assessment is a type of risk assessment. It involves identifying your legitimate interest, showing that your data processing is necessary to achieve this interest, and balancing your data processing against the rights and freedoms of your data subjects.
Conducting a legitimate interest assessment helps support the lawfulness of your data processing.
If you are processing data from underage users, the GDPR requires you to meet additional requirements.
There are various GDPR regulations for children who are under the age of 16. These relate to things like verifying the age of the user and obtaining the consent of their guardian.
GDPR Compliant Web Design
The first step in avoiding fines and other penalties for non-compliance with the GDPR is simply understanding what the GDPR requires.
If you need help designing a GDPR-compliant website or updating your website to ensure GDPR compliance, get in touch with us and we can discuss your needs and what we can do to meet them.