The EU General Data Protection Regulation (GDPR) is one of the most consequential privacy laws in force. It introduces new rights for individuals, holds businesses to a higher standard of data protection, and requires data protection and security to be built into information systems by design.
One of the main reasons that so many companies are rushing to comply with the law is its broad geographical scope. Many businesses are experiencing the stringent requirements of EU privacy law for the first time. And with fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, it's crucial that your business meets those requirements.
It's not too late to start making the required changes. But first, you need to make sure you're GDPR-ready.
- 1. Why the GDPR is Important
- 1.1. Who the GDPR Applies To
- 1.2. What the GDPR Covers
- 2. Getting Ready to Prepare
- 2.1. GDPR Readiness v GDPR Preparation
- 3. Mapping Your Data
- 4. Legal Bases
- 4.1. Consent and the GDPR
- 4.2. Other Legal Bases
- 5. Data Security
- 5.1. Security-Conscious Approach
- 5.2. Technical Measures
- 5.3. Data Breach Notification
- 6. Data Subject Rights
- 7. Data Protection Impact Assessments
- 8. Data Processing Agreements
- 9. International Data Transfers
- 10. Data Protection Policy
- 11. GDPR Readiness Checklist Summary
Why the GDPR is Important
Complying with the GDPR is essential for anyone wanting to operate within the EU, a market of well over 400 million people. There are immense opportunities available if you're willing to comply with the EU's strict privacy laws.
Who the GDPR Applies To
It's hard to overstate how broad the scope of this law is. The GDPR applies:
- Whether you're based in the EU or not.
- Whether you're pursuing a profit or not.
- Whether you're a large multinational corporation or a single person.
The only requirement is that you offer goods or services to, or monitor the behavior of people in the EU.
What the GDPR Covers
This is another area in which the GDPR is very broad. It applies to the processing of personal data. It's hard to see how any business could operate for even a day without "processing" someone's "personal data."
"Personal data" means any information that can be used, directly or indirectly, to identify a person. This ranges from a name or email address to less obvious information such as location or browser data. Anything that can theoretically be used to identify a person counts, including data that only identifies someone when combined with other information.
"Processing" means any operation performed on that data. You might be keeping a mailing list, using tracking cookies or taking payments via your mobile app. This is all processing of personal data.
Getting Ready to Prepare
Before you set about preparing your systems for the GDPR, you must understand the law and how it applies to your business.
GDPR Readiness v GDPR Preparation
Think of GDPR compliance as a three-stage process:
- Readiness - get to know the regulation and how it applies to your business.
- Preparation - implement these changes to your business practices.
- Ongoing compliance - implement the principles of the GDPR in your everyday operations.
Right now you're at stage one - Readiness. Let's take a look at how your existing data protection habits match up against what's expected under the GDPR.
Mapping Your Data
Before you start considering how to bring your data protection practices in-line with the GDPR, you should conduct an audit within your company and find out exactly what personal data you're working with.
Leave no stone unturned. Find out what personal data you're collecting and what happens to it once you've got it.
What are your sources of personal data?
- Web forms
- Inbound email
- Log files
- Third parties
What categories of personal data do you collect?
- Email addresses
- Shipping and billing addresses
- Phone numbers
- Payment card details
- Cookie/browser data
- IP addresses
- Location data
- Special category data (e.g. health, biometric, religious or political data)
For what purposes do you process personal data?
- Maintaining a mailing list
- Sending marketing emails
- Sending transactional emails
- Running targeted ads
- Taking payments
- Storing client data
- Improving website functionality
With whom do you share personal data?
- Payment processors
- Email marketing companies
- Web hosts
- Email providers
- Ad networks
- Analytics companies
- Accounting software
- Database software
Where do you store personal data?
- Office or Google documents
- Cloud drives
- Hard drives
- Portable devices
- Paper files
Legal Bases
You must have a legal basis to process personal data in the EU. In other words, you can't process someone's personal data unless you have a recognized legal reason to do so.
There are six of these under the GDPR. For many companies' purposes, consent will be the most significant legal basis when it comes to being ready for the GDPR.
Consent and the GDPR
The GDPR doesn't require you to request consent for all processing of personal data, but it does require it for some things such as sending direct marketing email or using advertising cookies.
To be ready for the GDPR, you need to make sure that you're:
- Asking for consent for the right things.
- Asking for consent in the right way.
The GDPR doesn't recognize "implied" consent, as many other privacy laws do. Consent must be given via a "clear, affirmative act."
Do you do any of the following sorts of processing?
- Using tracking/advertising cookies
- Using analytics
- Sending marketing material (e.g. by email or SMS)
- Sending newsletters
For each type of processing, ask yourself the following questions:
- Do you ask for consent for this type of processing?
- Did you obtain consent in a GDPR-compliant way?
- Did your users consent via a clear, affirmative act?
- Did you inform your users of their right to withdraw consent?
- Did you state or imply that your users would suffer some detriment if they refused consent?
If you obtained a user's consent in a way that was not GDPR-compliant, you may need to stop processing their data.
Other Legal Bases
Bear in mind that for consent to be meaningful, it should not be sought for all types of processing.
Here's an example from the UK's Data Protection Authority, the Information Commissioner's Office (ICO):
For each type of processing for which you're asking for consent, ask yourself:
- Do you need to carry out this processing to provide your core services to your users?
- If so, it may be more appropriate to rely on a different legal basis - contract.
- Are you legally required to carry out this processing?
- If so, you can rely on legal obligation.
- Are you carrying out the processing in pursuit of a legal, ethical purpose that benefits your business, and that your customers would reasonably expect?
- You may be able to rely on legitimate interests here so long as your interests aren't outweighed by your users' rights. You'll need to carry out a Legitimate Interests Assessment.
Part of GDPR readiness means identifying an appropriate legal basis for every act of data processing you do.
Data Security
Security-Conscious Approach
The GDPR requires you to build security into your data processing systems and to consider data protection in every aspect of your business (data protection by design and by default).
- Do you consider the privacy implications of each type of data processing you do?
- Do you only process the personal data that is strictly necessary for your purposes?
- Do you offer your users choices about how you process their personal data?
- Do you offer the highest levels of security to your users by default without them having to take specific steps to enable this?
- Is it easy for your users to contact the people in your company who are responsible for data protection?
Technical Measures
As well as having a "security first" mindset, there are specific technical measures you can take to ensure that your systems are secure enough for the GDPR.
- Does your IT department (or whoever is responsible for overseeing IT in your company) understand the significance of the GDPR?
- Do you protect personal data in transit with a current TLS version (TLS 1.2 or 1.3), with obsolete protocol versions and weak cipher suites disabled?
- Do you encrypt, pseudonymize and/or anonymize personal data where appropriate?
- Do you have, or are you working towards, a certification such as ISO 27001?
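The "pseudonymize where appropriate" item above deserves a concrete illustration, because a common mistake is to treat an unkeyed hash of an email address as pseudonymization. The following is an added example, not code from the original page: it uses HMAC-SHA256 under a secret key held apart from the dataset (the key, the sample records and the lookup table are all constructed assumptions), shows that the keyed tokens still support joins and aggregation, that an unkeyed SHA-256 token is recovered by a simple dictionary attack while the keyed token is not, and that erasure of a pseudonymized subject reduces to removing the re-identification link.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample rows standing in for a customer table (not real people).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "country": "DE", "orders": 3},
    {"email": "bob@example.com", "country": "FR", "orders": 1},
    {"email": "alice@example.com", "country": "DE", "orders": 2},
]


def normalise(email: str) -> bytes:
    """Canonicalise the identifier so one person always maps to one token."""
    return email.strip().lower().encode("utf-8")


def naive_token(email: str) -> str:
    """Unkeyed SHA-256 of the email. It looks opaque, but anyone holding a
    list of candidate addresses can rebuild the mapping by hashing each one,
    so on its own this is not robust pseudonymisation."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the dataset (hypothetical
    key handling: generated once, kept in a secrets manager). Equal inputs still
    give equal tokens, so joins and counts keep working; reversing a token needs
    the key or the controller's separately held lookup table."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace the direct identifier with a token. Returns the pseudonymised rows
    and the token -> identifier lookup, which must live under separate access
    controls (GDPR Art. 4(5): the additional information is kept separately)."""
    rows, lookup = [], {}
    for rec in records:
        tok = keyed_token(rec["email"], key)
        lookup[tok] = normalise(rec["email"]).decode("utf-8")
        rows.append({"subject": tok, "country": rec["country"], "orders": rec["orders"]})
    return rows, lookup


def dictionary_attack(token: str, candidates: List[str],
                      tokeniser: Callable[[str], str]) -> Optional[str]:
    """What someone holding the dataset and a guessed address list can do:
    re-tokenise every guess and compare. Succeeds against unkeyed hashes."""
    for cand in candidates:
        if hmac.compare_digest(tokeniser(cand), token):
            return cand
    return None


def erase_subject(lookup: Dict[str, str], token: str) -> None:
    """Erasure for a pseudonymised dataset: drop the lookup entry. Without it
    (and without applying the key to guesses) the rows no longer point at the
    person, so analytics rows can be retained while the link is destroyed."""
    lookup.pop(token, None)


def orders_per_subject(rows: List[dict]) -> Dict[str, int]:
    """Aggregation still works on tokens: both Alice rows land in one bucket."""
    totals: Dict[str, int] = {}
    for r in rows:
        totals[r["subject"]] = totals.get(r["subject"], 0) + r["orders"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: generated once, stored outside the dataset
    rows, lookup = pseudonymise(SAMPLE_RECORDS, key)
    guesses = ["carol@example.com", "alice@example.com"]
    print(orders_per_subject(rows))
    print(dictionary_attack(naive_token("alice@example.com"), guesses, naive_token))
    print(dictionary_attack(rows[0]["subject"], guesses, naive_token))
```

The design point is the separation: the tokenised table can be handed to analytics or a processor, while the key and the lookup stay with the controller. Whether the result is "pseudonymised" or effectively "anonymised" for a given recipient depends on whether that recipient can ever obtain the key or lookup, which is why the GDPR's definition hinges on the additional information being kept separately and under technical and organisational controls.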
Data Breach Notification
Under Article 33 of the GDPR, you're required to notify your Data Protection Authority of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, Article 34 also requires you to notify the people whose data has been compromised.
- Do you know which Data Protection Authority you should report to?
- Do you have breach detection and reporting procedures that will allow you to notify your Data Protection Authority within 72 hours of becoming aware of a breach?
- Do you have a Data Breach Notification Letter prepared?
Data Subject Rights
The GDPR gives individuals certain rights over their personal data. Data controllers must facilitate the exercise of those rights.
- Do you have a system (e.g. a web form) whereby your users can contact you in relation to their data rights?
- Will you be able to respond within one month of receiving a request?
You need to be ready to respond to requests from your users regarding these rights.
- Information - do you have a Data Protection Policy? We'll look at the requirements in detail below.
- Access - can you offer your users copies of any of their personal data that you process?
- Rectification - can you easily check and amend inaccurate personal data on request?
- Erasure - can you easily locate and delete a user's personal data, including copies held by your processors and in backups?
- Restriction of processing - do you have a separate system for personal data under restriction, or do you have some other means of making specific sets of personal data temporarily unavailable?
- Data portability - can you offer your users a copy of their personal data in a commonly used, "machine-readable" format? Can you transfer your users' personal data to another data controller if requested?
- Objection - can you easily comply with requests that you stop processing users' data in a particular way (e.g. sending them marketing material)?
- Automated decision-making - if you make certain important decisions with very significant effects automatically (e.g. automated credit or recruitment decisions), can you offer human intervention if the decision is disputed?
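The rights above are easier to honour if restriction and objection are recorded as state that every processing path consults, rather than as tickets handled by hand. The following is an added example, not code from the original page: it models a hypothetical controller's store with access and portability returning a JSON export, rectification limited to an allow-list of fields (so a request cannot be used to flip consent or restriction flags), restriction and objection excluding a person from a marketing run, erasure removing the record, and each request carrying the one-month response deadline. The subject records and dates are constructed sample data.

```python
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Fields a data subject may correct via a rectification request (assumption:
# only contact data; consent and restriction flags are never request-writable).
RECTIFIABLE_FIELDS = {"email", "addresses"}

# Constructed reference date used by the examples below.
SAMPLE_DATE = date(2024, 1, 1)


@dataclass
class SubjectRecord:
    """One person's data as held by a hypothetical controller."""
    subject_id: str
    email: str
    addresses: List[str]
    marketing_consent: bool = True
    objected_to_marketing: bool = False   # Art. 21 objection
    restricted: bool = False              # Art. 18 restriction of processing


@dataclass
class RightsRequest:
    kind: str            # access | portability | rectification | erasure | restriction | objection
    subject_id: str
    received: date
    payload: Optional[dict] = None

    @property
    def deadline(self) -> date:
        # Art. 12(3): respond within one month of receipt (extensions for
        # complex requests are possible but not modelled here).
        return self.received + timedelta(days=30)


class ControllerStore:
    def __init__(self) -> None:
        self.subjects: Dict[str, SubjectRecord] = {}
        self.audit: List[str] = []

    def marketing_recipients(self) -> List[str]:
        """Every processing path must honour consent, objection and restriction."""
        return [s.email for s in self.subjects.values()
                if s.marketing_consent and not s.objected_to_marketing and not s.restricted]

    def handle(self, req: RightsRequest) -> Optional[str]:
        """Apply a rights request; returns an export for access/portability."""
        subj = self.subjects.get(req.subject_id)
        if subj is None:
            raise KeyError("unknown subject %s" % req.subject_id)
        self.audit.append("%s:%s:due %s" % (req.kind, req.subject_id, req.deadline.isoformat()))

        if req.kind in ("access", "portability"):
            # Art. 20: structured, commonly used, machine-readable format.
            return json.dumps(asdict(subj), indent=2, sort_keys=True)
        if req.kind == "rectification":
            changes = req.payload or {}
            bad = set(changes) - RECTIFIABLE_FIELDS
            if bad:
                raise ValueError("fields not rectifiable via request: %s" % sorted(bad))
            for field_name, value in changes.items():
                setattr(subj, field_name, value)
            return None
        if req.kind == "restriction":
            subj.restricted = True
            return None
        if req.kind == "objection":
            subj.objected_to_marketing = True
            return None
        if req.kind == "erasure":
            del self.subjects[req.subject_id]
            return None
        raise ValueError("unsupported request kind %s" % req.kind)


def demo_store() -> ControllerStore:
    """Constructed sample data (not real people)."""
    store = ControllerStore()
    store.subjects["u1"] = SubjectRecord("u1", "alice@example.com", ["1 Example St, Berlin"])
    store.subjects["u2"] = SubjectRecord("u2", "bob@example.com", ["2 Rue Exemple, Paris"])
    return store


if __name__ == "__main__":
    store = demo_store()
    print(store.handle(RightsRequest("portability", "u1", SAMPLE_DATE)))
    store.handle(RightsRequest("objection", "u1", SAMPLE_DATE))
    print(store.marketing_recipients())
```

In a real system the same flags would have to be replicated to, or checked by, every processor that receives the data, and the erasure branch would also need to reach pseudonymised copies, backups and the processors listed in your data map.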
Data Protection Impact Assessments
If you're undertaking a new method of data processing which carries a high risk, particularly where it involves new technologies or is very broad in scope, the GDPR requires you to undertake a Data Protection Impact Assessment (DPIA). This is a way of identifying data protection risks and taking steps to mitigate them.
According to the Article 29 Working Party, projects that have already been signed off on by a Data Protection Authority under a previous EU privacy law don't need to be signed off on again. But there may be conditions under which you need to undertake a new DPIA. It's also worth taking the time to review any existing projects in case the need for a new DPIA becomes apparent.
Think about the ways your company processes personal data. In the case of any projects that are particularly novel or risky, ask yourself:
- Has this project been previously assessed via a DPIA?
- Has the scope or nature of this project changed since the previous assessment?
- If the project is the same, has the broader technological or social context changed?
Data Processing Agreements
The GDPR distinguishes between data controllers and data processors.
- A data controller determines the purposes and means of processing personal data.
- A data processor processes personal data on behalf of a data controller.
So, for example, an ecommerce store is a data controller, and it might use Shopify or PayPal as a data processor.
The GDPR requires that data controllers have a written contract in place with data processors, known as a Data Processing Agreement.
- Do you have a Data Processing Agreement in place with each data processor you use (or each data controller if you are a data processor)?
- Does the Data Processing Agreement contain the mandatory terms required under Article 28 of the GDPR (processing only on documented instructions, confidentiality, security measures, sub-processor controls, assistance with data subject rights and breaches, deletion or return of data, and audit rights)?
International Data Transfers
It is possible to transfer personal data out of the EU under the GDPR. But there are strict conditions around such transfers.
International data transfers are quite common. For example, if you ask people in the EU to fill in forms on your website and your website is hosted in the United States, that is a transfer. In each instance, you must consider the following questions:
- Has the third country received an adequacy decision from the European Commission? (Switzerland, for example, has one.)
- If transferring to the United States, is the recipient certified under the EU-U.S. Data Privacy Framework, which the Commission's adequacy decision for the U.S. covers?
If not, then at least one of the following safeguards should apply:
- Do you have a contract in place containing standard data protection clauses?
- If the transfer takes place within a group of undertakings, are binding corporate rules in place?
- Does one of the exceptions to the international data transfer rules apply?
For example, consultancy company EY has binding corporate rules in place:
And here's an example of one of the standard contractual clauses adopted by the European Commission:
Clauses like this go into a contract with any party you transfer personal data to that is located outside the EU and hasn't been determined by the European Commission to have an adequate level of data protection in place. The Commission's standard contractual clauses are adopted as a set and must be used without modification (other than selecting the applicable modules and filling in the annexes).
Data Protection Policy
Your company may already have a Data Protection Policy. However, it's unlikely to comply with the GDPR unless it's specifically designed to do so, so at minimum it may need to be updated. Does it set out:
- Your company's contact details?
- The categories of personal data that you process?
- Your purposes and legal bases for processing personal data?
- The categories of third parties with whom you share personal data?
- Details of any international data transfers?
- The duration for which you store different categories of personal data?
- The rights that your users have over their personal data, and how they can exercise those rights?
GDPR Readiness Checklist Summary
Once you can answer the following questions, you'll be in a position to take practical steps to begin preparation:
- Have you mapped the flows of personal data within your company?
- Do you have a legal basis for each type of processing you do?
- Where you seek consent to process personal data, are you doing so in a GDPR-compliant way?
- Are you implementing technical measures to ensure data security across your company?
- Do you have a system in place to help you quickly report personal data breaches?
- Have you conducted a Data Protection Impact Assessment for any risky or uncertain data processing?
- Do you have a Data Processing Agreement in place with any data processors that you use?
- If you are transferring personal data to non-EU countries, are you doing so in a GDPR-compliant way?
- Do you have a GDPR-compliant Data Protection Policy?