GDPR Compliance Plan

The GDPR is currently one of the strictest privacy laws in the world, with a global reach.

Here's everything you need to understand the effects of the regulation and get your GDPR compliance plan started.

What's the GDPR?

The General Data Protection Regulation (GDPR) is the EU's new legal framework for protecting personal data and digital privacy. It's an upgraded version of the 1995 Data Protection Directive.

It strives to do two main things:

  • Unify the data privacy laws throughout EU countries, and
  • Strengthen the rights of European citizens when it comes to being able to protect their personal information

This new regulation enhances the Data Protection Directive by updating it to deal with modern challenges of social media, cloud computing and other areas of concern over internet privacy. A lot has changed in the world of online personal data exchange since the 90's, and the GDPR works to address these changes.

In fact, the GDPR is considered to be the most expansive, inclusive and comprehensive digital privacy law in the world to date.

The GDPR was passed in April 2016 and had an enforcement deadline of May 25, 2018.

Who does GDPR apply to?

The GDPR has expanded and broadened the reach of existing privacy laws. This means that if the Data Protection Directive didn't apply to your website/app, the new GDPR might.

For example, the previous legislation only applied to companies operating in the EU or operating from servers located within the EU. Now, however, the GDPR applies to any company that meets certain criteria regardless of its location.

Here's how to determine if it applies to you.

Ask yourself the following questions:

Do you offer products or services to citizens of the EU?

If you do offer products and services to citizens of the EU, you must comply with the GDPR.

Whether you sell tangible goods or provide internet-based services, if you do this with EU citizens as customers the GDPR applies to you, regardless of where you're located.

If you don't offer products or services at all or to citizens of the EU, keep reading. The GDPR may still apply to you.

Next, ask yourself:

Do you collect information from citizens of the EU?

If you do collect information from citizens of the EU, you will fall under the GDPR.

However, depending on how sensitive the information you collect is, you may fall under stricter standards.

The GDPR covers two categories of protected information: "personal" and "sensitive personal."

Personal Data

As under the old legislation, personal data under the GDPR refers to anything that can be used to identify a person, including but not limited to the following:

  • Email addresses
  • First/last names
  • Mailing addresses
  • Financial information
  • Photos/videos
  • Online identifiers (IP address, cookie strings, etc.)

If you collect this type of information, you must:

  • Comply with all six privacy principles (See Appendix A), and
  • Satisfy at least one processing condition (See Appendix B)

Here's an example of a sign up page that collects personal data from users and would trigger GDPR compliance. Even if just one of the pieces of data on this form was requested, compliance would still be required.

Sage One sign-up page (screenshot)

Sensitive Personal Data

Sensitive personal data under GDPR law is considered more sensitive and thus comes with greater protections and more stringent regulations.

Sensitive personal data includes but isn't limited to the following:

  • Health data
  • Sexual orientation
  • Religious/Philosophical beliefs
  • Political views
  • Genetic data

If you collect this type of information, you must:

  • Comply with all six privacy principles (See Appendix A), and
  • Satisfy at least one sensitive personal data processing condition (See Appendix C)

Data Controllers versus Data Processors

The old Data Protection Directive only applied to data controllers - the people who determine how and why personal data is collected for a website/app.

However, the GDPR broadens its scope to data processors as well. Data processors are the people who do the collection, storage and maintenance of user information.

Some examples of data processors include the following:

  • IT service providers
  • Payment processors
  • Payroll companies
  • Accounting services
  • Cloud service providers

If you're a data processor and process data from EU citizens, you'll need to comply with special GDPR regulations including the following:

  • Appointing a data protection officer
  • Conducting data protection impact assessments
  • Putting stricter organizational and technical security measures in place
  • Keeping records of processing activities

Penalties of Non-Compliance with the GDPR

If you don't comply with the GDPR, it can come with big penalties.

Organizations can be hit with fines of up to 4% of their annual global turnover or €20 million, whichever is higher. A tiered penalty approach means that you can be fined up to 4% depending on the level of non-compliance.

For example, you may be fined 2% for not having records in order or not conducting an appropriate impact assessment.

How to Comply with the GDPR

The GDPR contains 11 chapters and 91 articles.

According to a PWC survey and study, 92% of U.S. companies consider GDPR to be a top data protection priority, with 68% of them planning to spend between $1 million and $10 million to comply with the regulation.

There are three main roles involved in ensuring compliance with GDPR for your company:

  • Your data controller - determines how personal data is collected, for what purposes, and how this data is to be processed.

The "data controller" is the individual or department at your business that decides what personal data your business will collect and why. The data controller may dictate to the data processor how to process the data including how long to retain it, what rights users have to accessing their data, etc., or may allow the data processor to use its best judgment and industry standard practices.

  • Your data processor - maintains and processes the data according to instruction from the data controller, or according to its own standards.

The "data processor" is a party other than an employee of the data controller. It may be an outsourced firm or third party, typically one that specializes in data processing, storage and security.

Consider the following four examples:

  1. A website collects email addresses to provide a company newsletter. The website uses MailChimp as its email newsletter service. Since the website chooses to collect the email addresses, the website is the data collector. MailChimp is the data processor because it takes the data collected by the website, stores it and processes it to send newsletters on behalf of the website.

  2. A mobile app shows ads to its users via a third party such as AdSense or Mixpanel. Here, the app collects user data and then implements a third party to use this data for the purpose the third party provides - showing ads. In this example, the mobile app is the data collector because it collects user data. AdSense or Mixpanel is the data processor because it processes the data through its own service in order to show ads on the app.

  3. A website has a signup and login form that collects email addresses to create an account. The website doesn't use any third party services, and there are no other parties involved. In this example, the website would be both the data collector and the data processor because it is in charge of both collecting and securing/processing the data it collects through its signup process.

  4. A website simply provides users with information and content. It has no signup capabilities, no login form and doesn't send out newsletters. It's a presentational website such as Wix. However, this website does use Google Analytics. In this example, Google Analytics would be both the data collector and the data processor. This is because the website itself doesn't collect any information, but rather gives Google Analytics the OK to collect what it needs to function. Google Analytics will then collect and process the information on its own.

Remember: Data controllers are the companies that collect the data, while data processors are the companies that store, process and protect the data.

Read more about the distinction and specific requirements at the GDPR's website.

Keep in mind that while old legislation dealt only with data controllers, the GDPR now deals with data processors as well.

The third role is the data protection officer (DPO). You only need to appoint a DPO if you meet at least one of the following conditions:

  • Process sensitive data or data relating to criminal convictions and offences - Health information, religious/political views, sexual orientation, etc., are examples of sensitive data.
  • Are a public authority - Universities, publicly funded museums, state schools, etc. Courts are exempt.
  • Regularly monitor/process data from EU citizens on a large scale - An insurance company or bank with a significant number of EU customers is an example of this.

Learn more about DPO requirements here.

Requirements for GDPR Data Controllers

Data controllers are responsible for deciding which personal data is collected and for what purpose. This places a lot of discretion and responsibility on the data controller, which is why they have been under legal requirements since the 90's with early legislation.

The GDPR adds additional requirements for data controllers including:

Data Privacy Impact Assessments

Data Privacy Impact Assessments (DPIAs) help to evaluate the effect of the data processing on the protection of the personal data. They do this by assessing the data processing operations in place and considering risks.

Consent

Data controllers will now have to get clear, unambiguous affirmative consent before collecting personal data, and explicit consent before collecting sensitive personal data.

These may sound like the same thing, but they're not. Clear and unambiguous affirmative consent doesn't have to be explicit.

For example, you can ask users for an email address in order to send them a newsletter. If a user enters an email address and submits it to you, that's clear and unambiguous consent through an affirmative act.

Here's an example of a way to get clear, unambiguous affirmative consent to collect personal data in the form of an email address:

BGardner email newsletter sign-up screen (screenshot)

To get explicit consent, you can make a user click a checkbox that explicitly states that by checking the box, the user is agreeing to something.

EngineYard "I Agree To Terms of Service" checkbox (screenshot)

Under the GDPR, an affirmative action is different from an explicit action.

To recap:

If you collect personal data such as email addresses, first names, birthdates, mailing addresses:

  • Get clear, unambiguous affirmative consent before collecting that personal data. Pre-ticked checkboxes, silence or inactivity can no longer be used to show consent under the GDPR.

Any conduct that clearly indicates, at the time, that a user accepts having their data processed will work to show consent.

In the earlier example, the conduct that indicates consent is when a user enters her email address and clicks submit. These two actions provide clear, unambiguous affirmative consent that the company may collect that email address.

In the following example, a user will enter both a name and email address, as well as click Download before submitting personal information. These steps work to show that a user is consenting to share that personal data.

Social Proof Marketing free ebook download form (screenshot)

If you collect sensitive personal data such as sexual orientation, health information, religious views, etc.:

  • Get explicit consent before collecting that sensitive personal data. The best way to get explicit consent is by using checkboxes next to language that clearly states what it means when a user checks that box.

Here's an example that's similar to the earlier example. While the form isn't collecting sensitive personal data, it's still getting explicit consent by using the checkbox as well as a Confirm button.

Lancome sign-up form with consent checkbox and Confirm button (screenshot)
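As an added example that is not part of the original article, the following check encodes the two consent standards described above: an affirmative act (entering data and submitting the form) is enough for ordinary personal data, while sensitive personal data needs an explicit checkbox that was not pre-ticked and sits next to a clear statement. It also builds a consent record, since a controller may later need to show how and when consent was obtained. The field names, the list of sensitive fields and the record shape are hypothetical.

```javascript
// Hypothetical field names treated as sensitive personal data (page examples:
// health, religion, politics, sexual orientation, genetic data).
const SENSITIVE_FIELDS = new Set(["health", "religion", "politics", "orientation", "genetic"]);

// form.fields: what the user typed; form.submitted: whether they clicked
// submit/download/confirm; form.checkbox: how the consent box was rendered
// ({ defaultChecked, checked, label }) or undefined when the form has none.
function evaluateConsent(form, now = new Date()) {
  const reasons = [];
  const entered = Object.entries(form.fields || {})
    .filter(([, v]) => typeof v === "string" && v.trim() !== "");
  const categories = entered.map(([k]) => k);

  // Silence or inactivity is not consent: nothing counts until the user acts.
  if (!form.submitted) reasons.push("form was not submitted by the user");
  if (entered.length === 0) reasons.push("no personal data was entered");

  const sensitive = categories.some((c) => SENSITIVE_FIELDS.has(c));
  const box = form.checkbox;
  let basis = "affirmative-act";

  if (sensitive) {
    // Explicit consent: an unticked-by-default box next to a clear statement.
    basis = "explicit";
    if (!box) {
      reasons.push("sensitive data requires an explicit consent checkbox");
    } else {
      if (box.defaultChecked) reasons.push("pre-ticked checkbox cannot show consent");
      if (!box.checked) reasons.push("consent checkbox was not ticked");
      if (!box.label || !box.label.trim()) reasons.push("checkbox has no statement saying what ticking it means");
    }
  } else if (box && box.checked && !box.defaultChecked && box.label) {
    // Stronger than required for ordinary personal data; record it as explicit.
    basis = "explicit";
  }

  if (reasons.length > 0) return { valid: false, reasons };
  return {
    valid: true,
    record: {
      basis,                       // which standard the consent satisfies
      sensitive,                   // whether sensitive personal data was involved
      categories,                  // which fields the user actually provided
      statement: box ? box.label : null, // wording shown beside the checkbox
      obtainedAt: now.toISOString(),
    },
  };
}
```

Persist the returned record alongside the data it covers; it is the evidence that consent was an affirmative or explicit act rather than a pre-ticked default.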

The 8 Rights of Users

The GDPR's list of the 8 rights of users will need to be respected when personal information is collected:

  1. To be informed - Provide transparent information about data processing
  2. Of access - Let individuals access any data you've processed from them
  3. Of rectification - Let individuals rectify incomplete or inaccurate data
  4. To erasure - Individuals can request you delete their data
  5. To restrict processing - Individuals can block the processing of their data
  6. To data portability - Individuals can reuse their data for other services
  7. To object - Individuals can object to the processing of their data
  8. In relation to automation - Individuals are protected from automated decision making processes

Requirements for GDPR Data Processors

Data processors are responsible for maintaining, securing and processing data collected. This may be a department or person in your company, or may be a third party you've outsourced to.

For example, a third party might be MailChimp that helps you store and process email addresses you collect.

Under the GDPR, there are a number of new obligations for data processors, including the following:

Keep Written Records

Data processors will now have to maintain written records for personal data processing activities carried out for the controller.

Have Appropriate Security Measures

You must have appropriate technical and organizational measures in place to ensure an appropriate level of security and data integrity for any data you process.

Notify of Breaches

You must notify the controller without undue delay if a data breach ever occurs.

Requirements for GDPR Data Protection Officers

If you're required to have a DPO, you can hire an expert consultant or independent contractor if you don't have an in-house high-level legal compliance executive.

Your DPO will have the following duties under the GDPR:

  • Educate data controllers and processors about GDPR obligations and how to fulfill them
  • Monitor GDPR compliance
  • Advise upper management of changes needed
  • Help with informed decision making regarding data security

General Compliance with GDPR

Privacy by Design

Since the 1990's, Privacy by Design has been a general, recommended method of developing a business with privacy in mind from the beginning.

However, now Privacy by Design is a requirement under GDPR.

Privacy by Design has 7 key principles that work to keep personal data collection to a minimum, with maximum protection.

Foundation principles of Privacy by Design (figure)

If your business falls under the GDPR, you'll need to make efforts to implement and satisfy these 7 principles:

  1. Be proactive to prevent data breaches rather than just react when one occurs
  2. Place higher value on privacy than on heavy data collection
  3. Integrate and embed privacy into designs and updates
  4. Don't view profit as more important than privacy
  5. Implement full lifecycle protection for collected data
  6. Be transparent with your users in your Privacy Policy and legal agreements
  7. Place the user first when it comes to their data

Read more about Privacy by Design at the article linked above.


Summary

The GDPR applies to you if your business does any one of the following:

  • Sells products or services to EU citizens
  • Collects or uses personal or sensitive personal information from EU citizens (data controllers)
  • Stores or processes personal or sensitive personal information from EU citizens (data processors)

Data controllers must:

  • Conduct Data Privacy Impact Assessments
  • Get appropriate consent before collecting data
  • Implement Privacy by Design
  • Respect the 8 rights of users

Data processors must:

  • Keep written records of data processing activities
  • Have appropriate security measures in place
  • Notify data controllers of breaches

Your DPO must:

  • Educate data controllers and processors about GDPR obligations and how to fulfill them
  • Monitor your GDPR compliance
  • Advise upper management of changes that need to be made
  • Help with informed decision making regarding data security and compliance

Remember, you only need to appoint a DPO if your company processes data that reveals any sensitive personal information, is a public authority or regularly monitors data on a large scale from EU citizens.

Appendices

Appendix A

Six Privacy Principles

In order for your collection of personal data to be GDPR-compliant, you must follow these six privacy principles which can be found in Article 5 of the GDPR.

  1. Lawful, Fair and Transparent - Data processing must meet the GDPR's lawfulness, fairness and transparency tests. You must be open about what you're collecting, and your actual processing must match what you claim.
  2. Limit your Purpose - Only collect data for "specified, explicit and legitimate" purposes and no others without further consent.
  3. Minimize Collection - Limit the amount of data you collect to what's adequate and relevant for the purpose.
  4. Be Accurate - Make sure the data you collect is accurate and kept up to date.
  5. Limit Storage Time - Keep data for no longer than necessary and remove data after it's no longer required.
  6. Protection and Confidentiality - Handle data carefully so as to secure it against loss, damage and destruction.

Appendix B

Here are the six processing conditions that you must satisfy at least one of if you collect personal data:

Personal Data Processing Conditions

  1. Consent
  2. Necessary for performance or prep of a contract with subject
  3. Necessary for legal obligation compliance
  4. Necessary to protect vital interests when consent isn't possible
  5. Necessary for performance of public interest task or exercise of vested official authority
  6. Necessary for purpose of legitimate interests

Learn more about the meaning of each condition here.

Appendix C

Here are the ten processing conditions that you must satisfy at least one of if you collect sensitive personal data:

Sensitive Personal Data Processing Conditions

  1. Have explicit consent of subject, unless reliance on consent is prohibited by EU/Member State law
  2. Necessary for fulfilling obligations under employment, social security, social protection law or collective agreement
  3. Necessary to protect vital interests when consent isn't possible
  4. Processing is carried out by not-for-profit for members/former members and there is no third party disclosure
  5. Data is made public by subject
  6. Necessary for legal claims or courts
  7. Necessary for reasons of substantial public interest under law, with safeguard measures in place
  8. Necessary for medical purposes on the basis of law or contract
  9. Necessary for public health interests such as cross-border threats
  10. Necessary for archiving purposes in public interest, science or research

Learn more about the meaning of each condition here.

Sara Pegarella

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
