GDPR Preparation Planning Checklist

The EU General Data Protection Regulation (GDPR) is bringing about a lot of changes online. Cookie banners are going up, individuals are exercising their data rights, and subscribers are being asked to refresh their consent.

You've read about the GDPR. You know the implications for your business. You have a handle on how your company processes personal data, and why it's important to do this in a secure and transparent way.

Understanding the law is important. But complying with the GDPR isn't just an intellectual exercise. Let's take a look at the practical steps you can take to ensure that you're GDPR-prepared.

Why the GDPR is Important

The GDPR has forced many companies in many countries to take a step back and examine the ways in which they process personal data.

The GDPR's broad geographic scope means that it applies to any company, European or not, that aims to offer goods and services in the EU. This means that companies in many countries are experiencing a truly rigorous data protection law for the first time.

Complying with the GDPR just makes good business sense. It will show privacy-savvy EU customers that you're treating their personal data with respect. And it will help you to avoid litigation, data breaches, and some potentially crippling GDPR fines.

Understanding the GDPR

Here are some basic terms that you should understand in order to get to grips with the GDPR:

Personal data - information that can be used, directly or indirectly, to identify a person (e.g. email address, IP address).
Processing - any operation performed on that data (e.g. storing it, sending it).
Data controller - a person or organization that determines the purposes and means of processing personal data.
Data processor - a person or organization who processes personal data on behalf of a data controller.

Preparing for Compliance

Compliance with the GDPR consists of three stages:

Readiness - understand the GDPR and map out your route to compliance.
Preparation - take practical steps to make the necessary changes to your business.
Ongoing compliance - carry out the day-to-day work of fulfilling the GDPR's requirements.

If you're reading this article, we're assuming that you're at stage two - Preparation. If you've yet to complete stage one, take a look at our GDPR Readiness Checklist.

Now we'll look at the practical changes you should implement to bring your company in line with EU privacy law.

Record Keeping

In the GDPR Readiness Checklist, we looked at how you should conduct a data audit, to map the personal data flows within your company. Once you have a handle on what personal data your business collects and processes, you can start documenting this.

Under Article 30 of the GDPR, you are required to keep records of your personal data processing activities. Companies with fewer than 250 employees are exempt from this requirement - unless they carry out high-risk data processing that:

Is "not occasional," or
Relates to special category data or criminal conviction data

To comply with Article 30, a data controller must create a document containing the following information:

Your company's contact details
Your company's representative and/or Data Protection Officer, if you have either
Details of any joint controllers
Why you process personal data
Whose personal data you process (your customers, employees, etc.)
What types of personal data you process
What types of organization you share personal data with
Details of how you carry out any international transfers
Details of your company's data security measures

A data processor has similar requirements, focused mainly on the data controllers on whose behalf it processes personal data. These are detailed at Article 30 (2).

Legal Bases

All data processing under the GDPR must take place under one of six legal bases. First, you must identify which of these legal bases applies to each type of data processing you do. Then you need to take some practical steps to make sure you're compliant.

Getting Consent Under GDPR

EU privacy law sets a very high standard for consent. Many companies find that they have been collecting their customers' consent in a way that is not valid under the GDPR.

"Implied" consent is not recognized under the GDPR - you must ask your users to consent via a "clear, affirmative act." If you're using tracking or advertising cookies, you need to ensure that they are not set on your users' computer until they have consented.

These two examples from Digital Route clearly show the difference between implied and affirmative consent. Here's a cookie banner from Digital Route that does not gain "clear, affirmative" consent:

There are two main problems with this cookie banner:

"We assume that you consent" is not a phrase that really makes sense under the GDPR
There's no easy option to decline - the user has to opt out by changing their browser settings

But take a look at this GDPR-compliant example, also from Digital Route:

There are three great things about Digital Route's second cookie banner:

The user is allowed to accept or decline tracking cookies
Both options are equally accessible
The effect of choosing either option is clearly explained

There's another common bad habit around gaining consent - the pre-ticked box. Pre-ticked boxes have to go. If you're asking users to opt out rather than in, you aren't earning their "clear, affirmative" consent.

This is simple enough to implement. Don't try to "trick" your users into consenting - give them a free choice.

Here's an example from Auger:

Auger marketing preferences subscribe form

There are five great things about Auger's marketing consent request:

There are no pre-ticked boxes
The user is given options about what they are consenting to (known as "granularity")
The newsletter is honestly described as a "marketing" newsletter
The user will be asked to confirm consent after receiving their the first email (a "double opt-in")
Auger's Privacy Policy is presented to users before they subscribe.

Conducting a Legitimate Interests Assessment

Chances are that you will not be seeking consent for every act of personal data processing that you do. In some cases, it will be in your legitimate interests to process personal data in a particular way.

If you're hoping to rely on the legal basis of legitimate interests, you must conduct a Legitimate Interests Assessment. The UK's Data Protection Authority, the Information Commissioner's Office (ICO), suggests a three-part test that you can use to assess whether legitimate interests is an appropriate legal basis for a particular method of data processing.

Here's how the ICO explains the three stages of its three-part test:

The purpose test (identify the legitimate interest),
The necessity test (consider if the processing is necessary), and
The balancing test (consider the individual's interests)

The Legitimate Interests Assessment is essentially a way to determine whether your company will be infringing anyone's privacy rights by processing personal data in a particular way. You must demonstrate that you have conducted this assessment in your Data Protection Policy.

Here's how Blackbaud explains its Legitimate Interests Assessment in its Privacy Policy:

Blackbaud Privacy Policy: Legitimate Interests clause

Security

The GDPR requires that you build data protection methods into your systems "by design and by default." This means taking specific technical measures to render your systems safe.

Pseudonymization

Pseudonymization is a method of disguising the "personal" aspects of personal data. The data can still be linked back to its owner - but only by using additional information, which is kept separately.

This method of data protection is specifically recommended in the GDPR at Article 32 and Recital 78. It's also discussed at Article 4 and Recitals 28 and 29.

There are many methods of pseudonymizing data including:

Encryption
Hashing
Tokenization

You may find that your company already applies such techniques to storing passwords or payment information. Where viable, you should roll out such practices to all the personal data you process.

The aim is to render personal data unintelligible in the result of a data breach, but intelligible in day-to-day operations. However, pseudonymization doesn't allow you to circumvent security obligations. Pseudonymized personal data should be treated as personal data because the process is reversible.

Anonymization

Anonymization ensures that the owner of the personal data cannot be identified at all. Once personal data has been fully anonymized, it is no longer personal data.

Ultimately, truly anonymized data no longer falls under the scope of the GDPR. It is a very secure way to treat personal data. However, it will also be impossible to work with this type of data in many circumstances.

The ICO provides some guidance on anonymization. Here's an example of how data might be anonymized.

The example below contains multiple pieces of personal data. In certain contexts it will not be necessary to retain this personal data.

Unscrubbed example from ICO Anonymisation: Managing Data pdf

In this example, all personal data has been "scrubbed."

Scrubbed example from ICO Anonymisation: Managing Data pdf

If this data was compromised it would be inconsequential for the interviewee. This is not personal data, and there would not be a legal obligation to store it securely.

Data Subject Rights

You need to take practical steps to ensure you're ready to facilitate your users' data subject rights. Failing to fulfill requests under these rights can lead to the involvement of your Data Protection Authority, fines or private legal action. Having a system whereby you can respond to requests within the one-month deadline is in your interests.

You can provide a form on your website that will allow your users to make data subject rights requests.

For example, Her Majesty's Passport Office provides a .doc form for this purpose.

The University of Cambridge provides a form for requests under the right of access, and gives the following advice for those wishing to submit requests under other rights:

University of Cambridge: Making a Subject Access Request - Exercising other rights section

Under the right to data portability you must provide users with a copy of their personal data in an easily accessible format. The ICO gives CSV, XML and JSON as examples of acceptable file types.

Here's how Stripe facilitates the right to data portability:

Stripe Support: Instructions for exporting card data from Stripe

Other requests might be facilitated in other ways. It almost goes without saying that you should have an unsubscribe link in your marketing emails. This is one way to partly facilitate the right to object.

International Data Transfers

If you're based in the EU and you want to transfer personal data overseas, you'll need to make sure the transfer meets certain conditions. You'll have considered this as part of your GDPR Readiness Checklist.

The European Commission has approved the following countries for international data transfers:

Andorra
Argentina
Canada (commercial organisations)
Faroe Islands
Guernsey
Israel
Isle of Man
Jersey
New Zealand
Switzerland
Uruguay
The United States of America (limited to the Privacy Shield Framework)

If your recipient is not within one of the European Commission's approved countries, or your company itself is not based in one of these countries, there are certain things you'll need to do in order to be allowed to transfer personal data out of the EU.

Standard Contractual Clauses

When transferring data from the EU to a non-approved third country, you'll need to have a contract in place. The European Commission has produced "model contracts" designed to facilitate such data transfers between data controllers, or between data controllers and data processors.

Here's a small sample of a model contract that can be used between two data controllers:

Example of model contract clause for obligations of a data importer

A contract and clause such as this will ensure that the parties are aware that all personal data must be transferred securely.

Privacy Shield

The United States is not one of the European Commission's approved countries. But there's still a way for US companies to ensure that they can easily transfer personal data out of the EU.

If you're based in the US, you will wish to consider joining the Privacy Shield. Privacy Shield certification requires you to demonstrate that your company's data protection practices are up to par. It's a long process, but it will save you a lot of trouble long term.

Data Protection Policy

Having written up a GDPR-compliant Data Protection Policy (also known as a Privacy Policy) during the "Readiness" phase, you'll need to take steps to ensure that it's easily accessible to your users.

You'll need to upload the Policy to your website and ensure that a link to your Data Protection Policy is never far away whenever a user interacts with your company.

On Your Website

Ensure your Data Protection Policy is ever-present throughout your website by adding it to a header or footer that persists as users navigate your site. Here's an example from eBay, which splits its privacy information across several policies:

If users can make purchases on your website, you should display your Data Protection Policy at checkout.

Here's how Amazon does this:

Checkout screen from Amazon UK

If you ask users to create an account, present your Data Protection Policy before they do so.

Here's how LinkedIn does this:

You should also add a Privacy Policy link to your cookie banner, as the New Yorker does:

New Yorker cookies notice with Privacy Policy link highlighted

In Other Policies

Make sure your Data Protection Policy is accessible via other policies you might have, such as your Terms and Conditions.

Here's how Procter & Gamble references its Privacy Statement in its website Terms of Use:

Proctor and Gamble Terms of Use: Privacy clause

On Your Mobile App

You must remember to make your Data Protection Policy available on your mobile app if you have one. You can provide this in your app's settings or legal menu.

Here's an example from the BBC Weather app:

In Emails

Link to your Data Protection Policy in the footer or signature of every automated email you send. This is particularly important in the case of marketing emails.

Here's an example from Capital One:

Capital One email footer with Privacy Policy link highlighted

Summary of Your GDPR Preparation Planning Checklist

Once you've made these changes to your company's systems and website, you'll be prepared for the GDPR.

Have you...

Made records of your data processing activities (if your company is required by the GDPR to do so)?
Put up GDPR-compliant consent mechanisms across your website?
Conducted a Legitimate Interests Assessment?
Implemented suitable data protection methods across your company, such as pseudonymization and anonymization?
Provided methods by which you users can access their data subject rights?
Ensured that you have suitable contracts in place, to allow for any international transfers?
Uploaded your Data Protection Policy to your website?
Placed prominent links to your Data Protection Policy across your website, policies, mobile app and email signature?