A step-by-step guide to GDPR compliance
What is GDPR?
The General Data Protection Regulation (GDPR) is a landmark digital privacy regulation introduced by the European Union in 2016. After a 2-year transition period, the legislation went into full effect in May 2018.
The GDPR is a set of rules that describe how companies should handle the data of any potential, current, or previous customer from the European Union. Failure to comply leads to hefty fines. Article 83 of the GDPR stipulates that organizations can be subject to fines of up to €20 million, or 4% of the company's annual global turnover, whichever is greater.
What does the GDPR mean to businesses?
What has become clear in the years since the GDPR came into effect is that every business should take user privacy seriously. Here's why:
- It's a reasonable and cost-effective practice.
- From small family businesses to giant conglomerates, those failing to comply with the GDPR have been fined.
- GDPR rules can apply to any business regardless of its location.
- Minimizing data collection limits your risks.
- Data protection laws will not be loosened any time soon.
- The GDPR is not the only global data privacy law you must comply with.
All this means that you must evaluate your data collection and follow the rules laid out in the 99 articles of the GDPR. At its core, the GDPR is about two things: first, protecting the data you collect; and, second, being transparent with users about your data handling practices and giving them a choice.
What companies are impacted by the GDPR?
Even though the GDPR was implemented by the European Commission and the European Parliament, the GDPR affects every company that collects, stores, or transfers data of users in the European Union. The regulation lays down exceptions for inadvertent data collection, but whether or not those exceptions apply largely depends on the individual business.
Please note: GDPR compliance has many aspects, and only a legal professional can tell you definitively what steps you should take to protect your company and your clients. Legally, we're not in a position to do that. But we can help you understand the GDPR a little better by introducing you to its core principles.
If you are dealing with European customer data, the 6 guiding principles of the GDPR will help you stay on track.
7 principles for GDPR compliance
Lawfulness, fairness, and transparency
A company must have a legal basis to process user data, such as the user's consent. However, it can't obtain this consent by means of deception. In other words, the purpose of the data collection must be explained clearly, and giving consent should be a deliberate action, as opposed to tactics like pre-checked boxes or unclear wording.
Any company that collects data must demonstrate transparency and also specify certain information, such as (as per Article 14 of the GDPR):
- Who the data controller is and ways to contact them;
- Personal data categories;
- Recipients of the personal data and/or their categories;
- Intentions to transfer personal data to a third country or an international organization;
- The period for which the data will be stored.
Most importantly, make sure that anyone can easily ask to see their data as well as have it deleted or updated.
Data minimization
While it closely ties in with the previous principle, data minimization emphasizes restraint in data collection. So, if a company can easily provide the service without collecting some of the data, it should not collect that data in the first place.
Accuracy
Any company should keep the collected data as accurate as possible and give users an easy way to update their information. If for some reason the company can't correct outdated information, it should at least delete that data.
Integrity, confidentiality, and storage limitation
While these principles are separated into two articles in the GDPR, both focus on data storage. Integrity and confidentiality mean that user data must be secure and protected at all times. It should also be anonymized and encrypted where possible.
Storage limitation specifies that you cannot keep data for longer than needed. How much longer? While the GDPR acknowledges that it can be difficult to determine how long data should be stored, it emphasizes that data storage can't be unrestricted.
Accountability
Article 5(2) of the GDPR can be considered an additional, seventh principle, which simply states that the company is responsible for the data it collects even if it hires a third party to handle the collection.
Accountability is also about the future. For example, the company should have a response plan in case of a data breach and, should it happen, act with transparency, integrity, and accountability.
6-point plan to stay GDPR compliant
1. Consider legal advice
The way the GDPR is written will mean different things for different companies. A legal professional will detail all your responsibilities as well as the applicable exceptions. Regardless of the complexity of your data collection procedures, working from a checklist provided by a professional will be much less stressful.
2. Hire a data officer
The GDPR is a big responsibility, and someone should take it on. Some companies go a step further and establish a new role, Data Protection Officer, even when they aren't required to. Whether it's someone from your company, a new hire, or an outside firm depends on a variety of factors. But it has to be someone.
3. Make sure everyone understands the GDPR
The company's data collection procedures should be clear to everyone in your company. An open communication channel works as a safeguard against departments accidentally starting to collect data without approval.
4. Perform regular checks
5. Update your website
For many small businesses, GDPR compliance may require only simple tweaks, such as a website update. We're all too familiar with cookie consent, but there's more to a website being GDPR-friendly. For example, if you collect any data on the site, such as email addresses, you should clearly explain the purpose for which, and the extent to which, that data will be used.
6. Have a response plan ready
When an accident or a cyberattack happens, even a few minutes can make a huge difference in terms of financial and reputational losses. List the potential vulnerabilities and prepare an incident response plan. To prevent unpleasant surprises during a troublesome time, everyone at the company should know how they are expected to act. For example, how will you notify your customers? How can customers inform you about any abnormalities with their accounts?
The GDPR is complex, vague, and far from perfect. But compliance with the regulation will not become a headache if you have a long-term plan, commit to a continuous effort, and focus on transparency at all times.