How to Meet GDPR Compliance

If your organization is not compliant with the General Data Protection Regulation (GDPR), you risk incurring substantial fines and other penalties. So, how do you ensure that your organization is GDPR compliant?

In this article, we will set out the basics of GDPR compliance and what you need to do to meet it. This should give you a better understanding of the GDPR, which will help you keep both your organization’s and your customers’ data safe.

What Is General Data Protection Regulation (GDPR)?

The GDPR was adopted by the European Parliament in April of 2016 and took effect in May 2018. It applies one standard to all EU member states.

However, this standard is pretty high. It often requires organizations to invest a considerable amount of time and money to ensure that they meet it. As such, compliance with the GDPR is not very easy to achieve — especially for small and medium-sized businesses.

Amongst other things, the GDPR protects the personal data of EU citizens collected during transactions that take place in the EU. It also regulates how personal data is exported outside of the EU.

Although it regulates how organizations collect, process, and use the personal data of European Union citizens, it does not only apply to organizations in the European Union.

The GDPR sets out certain criteria which, if met, make an organization subject to the GDPR, regardless of whether or not it is based in the European Union. For example, if an organization collects or targets European Union citizens’ personal data, it will be subject to the GDPR.

This means that the GDPR operates on a global scale. In fact, it is one of the strongest global privacy regulations in operation today.

Failure to comply with the GDPR can have significant consequences. It can lead to hefty fines. These often amount to millions of US dollars, especially for data breaches and misuse of data.

The Importance of The General Data Protection Regulation

The GDPR exists to ensure data security, especially for many consumers who are unaware of how their personal data is being collected and used. It protects against data breaches and the exploitation of consumers’ personal data.

Data Privacy On The Internet

In response to the early growth of the internet, the EU, realizing the need to update its protections for personal data, introduced the European Data Protection Directive in 1995. This set minimum data protection standards with which EU member states had to comply. Each member state was to implement its own data protection laws which complied with these standards.

However, the internet only got bigger over time. Now, we do everything from working, banking, and shopping to socializing and relaxing on the internet. The dominance of the internet in our lives has made collecting personal data a daily occurrence, with most consumers unaware of when and how websites collect or use their data.

The internet now hosts data collection on a massive scale, bringing with it no shortage of controversies and consumer mistrust.

As the internet becomes an increasingly dominant force in our lives, the need for personal data protection and sophisticated regulation grows. Therefore, the EU decided to implement a comprehensive regulatory approach to the protection and privacy of personal information in the form of the General Data Protection Regulation.

GDPR Terminology

Data Subject

Personal Data

Data Controller

Data Processor

Data Processing

Obtaining Consent

GDPR Data Subjects Rights

The Right To Be Informed

The Right To Access

The Right To Data Portability

The Right To Rectification

The Right To Erasure / The Right To Be Forgotten

The Right to Restrict Processing

The Right To Object

Data subjects also have the right to request that decisions are not made with their data based solely on profiling or automated decision-making.

The Right To Be Notified

Customer Data the GDPR Protects

Below is a list of the types of consumer data protected by the GDPR.

  • Basic identity information, for example, your name, email address, physical address, etc. This includes user-generated data, such as social media posts.
  • Genetic and other health data
  • Ethnic or racial data
  • Sexual orientation
  • Web data, e.g. your IP address, location, cookie data, and RFID tags
  • Biometric data
  • Political affiliations and beliefs
  • Any other information that can be used to help identify a data subject

Companies Affected By The GDPR

The GDPR applies to your company if:

  • Your company has a presence in an EU country
  • Your company processes the personal data of EU citizens, regardless of whether or not your company has a presence in an EU country.

There are, however, some nuances to GDPR compliance if your company has fewer than 250 employees. Some companies with fewer than 250 employees do not have to comply with many of the record-keeping obligations in the GDPR. However, they still have to comply with the other GDPR requirements.

This only applies to companies with fewer than 250 employees that meet certain requirements:

  • The first of these requirements is that their data processing does not impact the rights and freedoms of EU data subjects.
  • The second requirement is that the company’s data processing is not occasional.
  • The third requirement is that the company’s data processing does not include special categories of data (these are set out in Article 9 of the GDPR).
  • The final requirement is that the company’s data processing must not include personal data that relates to criminal offences and convictions, as set out in Article 10 of the GDPR.

Companies meet these requirements very rarely. As a result, the exceptions to GDPR compliance for companies with fewer than 250 employees do not often apply. In fact, a survey conducted by PwC revealed that 92% of companies in the USA consider GDPR compliance to be one of their top data protection priorities.

Why You Should Be GDPR Compliant

Reputational Benefits

If you are not GDPR compliant, you risk problems arising that could do irreparable damage to your reputation. For example, a data breach could result in fines, lawsuits, and investigations. This will harm your organization’s image. Moreover, the data breach itself could harm your reputation.

GDPR compliance is a great way to minimize your risk of data breaches and other security incidents occurring. Further, should such incidents occur, it shows the world that you have done your best to mitigate these risks.

Overall, being GDPR compliant will help improve your reputation, which is always a plus!

Increase Customer Loyalty

If you are GDPR compliant, this signals to customers and other businesses that their data will be safe with you. It shows that you have taken certain steps to ensure the safety of their personal data.

Thus, many customers and businesses will choose to work with an organization that is GDPR compliant over one that is not.

How To Achieve Compliance

We advise that you start your journey to GDPR compliance by understanding how data is transmitted in your company, updating your privacy policy in line with the GDPR, and training your staff to understand and implement GDPR compliance procedures.

Data Mapping

A thorough approach to achieving and maintaining data compliance requires a strong grasp of how data subjects’ personal data is transmitted within your organization.

Make sure to understand and record how your data subjects’ information moves within your company. This will help you understand where you are GDPR compliant and which areas you need to change to become GDPR compliant.

Once you have achieved GDPR compliance, having a record of how information moves within your company will make it easier for you to prove to others that you are compliant. One of the best ways to record this information is a data map.

Privacy Policy

Your privacy policy needs to tell your data subjects that you are collecting their data and why you are collecting their data. This is set out in Article 12 of the GDPR. Essentially, you need to have a legal basis for processing their data, and you must communicate this to your data subjects in your privacy policy.

Your privacy policy must also explain how your data subjects’ data is being processed, as well as who will have access to this data. In addition, it must explain what you are doing to keep their data safe.

Lastly, your privacy policy should highlight data subjects’ right to complain, your retention periods, and any automated decision-making you carry out.

You must communicate all of this in a very clear and concise manner. Try to avoid legalese and don’t hide the main message in a lot of additional and unnecessary information. It must be very easy to understand. This is especially the case for any information that is addressed to a child.

Staff Training

To have a successful GDPR compliance project, everyone from your staff to your partners and collaborators must understand the importance and nature of your data security policy.

Set aside some time and resources to educate your staff about GDPR principles and the procedures you are implementing to ensure that your company complies with them.

Your employees and team members should, at the very least, have a basic understanding of some of the most fundamental parts of data security. These include email security, two-factor authentication, VPNs, passwords, device encryption, and more.

Your employees who will be processing sensitive data should be given further training to ensure that they have a good grasp of the GDPR.

Have a look at Article 13 of the GDPR. This will give you a good sense of how you should approach the training aspect of GDPR compliance.

Necessary Website Adjustments to Meet GDPR Compliance

Cookie Consent

As soon as you start using cookies other than those that are essential to website operation, a user must consent to these cookies.

You must indicate to users that you intend to use cookies. You must also tell your users why you intend to use cookies. This must be done in clear language. Only once you have done so and obtained a user’s consent can you start using cookies that are not essential to website operation.

Note that you must get this informed consent from your users regardless of whether the cookie data is anonymous or personal. However, if the cookie data is personal, you will have to comply with additional rules for GDPR compliance. For example, you will need to conduct a Data Protection Impact Assessment and take a record of all data processing that occurs.

Opt-in Forms

There is no set method for building a GDPR-compliant opt-in form. If you are using an email marketing platform, it will often be able to guide you through this process. If you are not, take a look at the web forms used by other organizations that are GDPR compliant to get an idea of what your forms should look like.

Make It Easy To Withdraw Consent Or Opt-Out

You must ensure that your data subjects know that they can withdraw or change any consent they have given whenever they want. You should also make it easy for them to withdraw their consent. For example, you can give them the option to withdraw or change their consent in your footer, through a widget or even on your cookie declaration page.
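The cookie-consent and consent-withdrawal rules described above (non-essential cookies blocked until the user opts in, withdrawal as easy as granting), as an added example that is not code from the article. It assumes a hypothetical `ConsentGate` class with an injected cookie jar; the jar is an in-memory stand-in so the logic runs outside a browser, where a real adapter would wrap `document.cookie`.

```javascript
// Added example, not code from the article: a consent gate for non-essential cookies.
// Essential cookies are always allowed; other categories are blocked until the user
// opts in, and withdrawing consent removes cookies already set in that category.
// The cookie jar is injected so this runs outside a browser (adapter: document.cookie).
const ESSENTIAL = "essential";

class ConsentGate {
  // categories maps cookie names to "essential", "analytics", "marketing", ...
  constructor(jar, categories) {
    this.jar = jar;
    this.categories = categories;
    this.consented = new Set();
    this.log = []; // consent decisions with timestamps, kept to evidence consent
  }
  categoryOf(name) {
    // Fail closed: a cookie nobody classified is treated as non-essential.
    return this.categories[name] || "unclassified";
  }
  allowed(name) {
    const cat = this.categoryOf(name);
    return cat === ESSENTIAL || this.consented.has(cat);
  }
  grant(category) {
    if (category === ESSENTIAL) return; // essential cookies need no consent
    this.consented.add(category);
    this.log.push({ action: "grant", category, at: Date.now() });
  }
  withdraw(category) {
    this.consented.delete(category);
    this.log.push({ action: "withdraw", category, at: Date.now() });
    // Withdrawal must be as effective as granting: drop cookies already set.
    for (const name of this.jar.names()) {
      if (this.categoryOf(name) === category) this.jar.remove(name);
    }
  }
  // Returns true if the cookie was set, false if it was blocked pending consent.
  setCookie(name, value) {
    if (!this.allowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }
}

// In-memory jar for the demonstration (constructed here, not a browser API).
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}
```

The consent log is what you would retain to show that consent was given, and when; the fail-closed default means a newly added cookie cannot slip past the gate just because nobody classified it.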

Continually Upgrade Processes, Procedures, And Policies

You should also be continually assessing your existing procedures and processes to ensure that they are in line with the GDPR.

Every time you do anything with a data subject’s data, you must consider the GDPR and whether your actions are in line with it. You should also verify any data transmission outside the EU for GDPR compliance. Moreover, every third-party contract must be drafted to comply with the GDPR.

Essentially, you should constantly consider whether your actions are in line with the GDPR. If any of them are not, this indicates a weak point in your procedures that you need to update to comply with the GDPR.

Privacy Notice

Terms and Conditions

Report Breaches

If you are an EU-based organization, you must report the breach to the supervisory authority in your jurisdiction. The GDPR is silent, however, on who you should report a breach to if you are not an EU-based organization. Most English-speaking non-EU organizations notify the Office of the Data Protection Commission in Ireland.

You are not only required to report the data breach to the supervisory authorities. You must also inform your data subjects about the breach unless the breach is unlikely to put them at risk. Stolen data that is encrypted, for example, will not put the data subjects at risk.

To enable you to report data breaches in a timely manner, you must ensure that you have procedures in place that will help you identify, examine and announce data breaches, both external and internal.

You should set up a data breach matrix. It should allow you to be cognizant of the type of personal data that has been subject to the breach, the severity of this data breach, as well as the number of data subjects that are affected by the breach.

Other GDPR Concerns

We have already covered most of the common requirements for GDPR compliance that will apply to almost every organization. However, some requirements are less common. Now, we will consider some of the less common requirements for GDPR compliance.

Data Disclosure/Transmission

You must also tread carefully if you are contracting with a third party, and that third party will have access to your data subjects’ personal data.

If you use a third party to process personal data on your behalf, you should sign a processing agreement between your organization and the third party.

Many services that involve processing your data subjects’ personal data will have a standard processing agreement on their website. Check it out, and double-check that it is GDPR compliant before you engage in their services.

Data Protection Impact Assessment

This assessment is mandatory if you are planning to use your data subject’s personal data in a way that is “likely to result in a high risk to [their] rights and freedoms.” Examples of this include deploying new technologies, leading a profiling operation that can affect individuals, or monitoring large-scale public areas.

Although this is only mandatory for high-risk data processing, it can be helpful to carry out a data protection impact assessment every time you are processing personal data.

The website of the UK Information Commissioner’s Office has a helpful checklist that you can use to carry out your data protection impact assessment.

Data Protection Officer

In certain circumstances, you must have a Data Protection Officer. These include if your organization is a public authority, processes sensitive data on a large scale, or regularly and systematically monitors data subjects on a large scale.

Although it is not always mandatory to have a Data Protection Officer, it is a good idea to have one if it is feasible.

Legitimate Interest Assessment

A legitimate interest assessment is a type of risk assessment. It involves identifying your legitimate interest, showing that your data processing is necessary to achieve this interest, and balancing your data processing against the rights and freedoms of your data subjects.

Conducting a legitimate interest assessment helps support the lawfulness of your data processing.

Children’s Data

There are various GDPR regulations for children who are under the age of 16. These relate to things like verifying the age of the user and obtaining the consent of their guardian.

GDPR Compliant Web Design

If you need help designing a GDPR-compliant website or updating your website to ensure GDPR compliance, get in touch with us and we can discuss your needs and what we can do to meet them.

Parachute Design

Parachute Design Group Inc. is a boutique Toronto web design agency specializing in beautiful hand-made website design, custom logo design and branding.