On this page
- 16 Questions to Ask
- 1. Are you a data controller or data processor?
- 2. What personally identifiable information do you collect?
- 3. Do you collect more data than you need for your core function?
- 4. Do you collect the data of persons under 18 years old?
- 5. What methods of data collection do you use?
- 6. Why and how is the data used?
- 7. Who in your organization accesses the data? Is data access tiered?
- 8. What legal basis do you rely on for your data processing?
- 9. How easy is it for users to withdraw consent they've given?
- 10. Is consent granular? Can visitors opt-in to some data processing but out of others?
- 11. How long do you store data?
- 12. Do you have a data elimination process?
- 13. How do you handle data subject access rights?
- 14. Who is your data protection officer? Are you legally obligated to have one?
- 15. How do you detect breaches and what is your data breach reporting procedure?
- 16. Are your staff trained to meet the challenges the GDPR involves?
Is your business GDPR-compliant?
The GDPR is sweeping and complicated, and the text of the law itself gives little practical guidance on what you need to do. Every business has different data processing needs, so it is easy to feel overwhelmed and lost with this European law.
No GDPR checklist, whether from the European Commission or anyone else, can meet every business's needs, and the EU has not released an official checklist or guide. Step-by-step guides that work well for some businesses leave others hopelessly lost.
Why? Because despite its vast complexity and legislative scope, the GDPR is intentionally vague: it sets principles and obligations and leaves it to you to decide how to meet them.
Your best bet for compliance is to complete a full GDPR audit of your own business.
While it may be long and painful, it's far cheaper and less exasperating than losing access to the European market and receiving a fine for violating the GDPR's data protection standards.
Rather than offer a guaranteed fix for your data policy, we've put together a list of questions to help you see your strengths and weaknesses and patch any holes in your online business's GDPR compliance.
16 Questions to Ask
1. Are you a data controller or data processor?
You need to be familiar with both of these roles. A data controller determines why and how personal data is processed. A data processor handles personal data on behalf of the controller and processes it only according to the controller's instructions.
For example, if you're the data controller working with a payroll company, you tell the payroll company when you pay wages and when employees' wages change, and you provide the personal data needed to generate payslips.
The payroll company is then the data processor, because it handles the data directly while following your instructions.
Each role comes with different legal requirements and responsibilities.
It's possible for a business to take on both roles, for instance as a controller for its own customer data and as a processor for a client's data.
Ask yourself whether you process data in-house or through a third party. If you do all the processing in-house, there is no separate processor: you are the controller and you carry the obligations for both deciding on and carrying out the processing.
Third-party service providers that receive personal data must be disclosed to users at least as categories of recipients, but you don't need to name each service explicitly.
Understanding your role here will help you make sure you're fulfilling all required responsibilities.
2. What personally identifiable information do you collect?
The GDPR requires you to disclose the categories of personal data you collect, whether you collect them directly from the user or obtain them through a third party.
Here's an example of a data collection clause from Refinery29:
Make sure to disclose every type of personal information you collect. Personal data is anything that can be used to identify an individual, directly or indirectly, such as a name, email address, financial information, social media handles, IP addresses and much, much more.
3. Do you collect more data than you need for your core function?
The GDPR exists in part because of what the EU perceives as the mismanagement of data by companies around the world. Collecting more data than you need is a form of that mismanagement, and the GDPR names the principle directly: data minimisation (Article 5(1)(c)), which requires that personal data be adequate, relevant and limited to what is necessary for the purpose it is processed for.
Under the GDPR, each piece of data collected must serve a stated purpose and have a legal basis.
If you can't tie a type of data to a function, the law says you shouldn't collect it.
Nordstrom collects a vast amount of personal data:
Be honest about what types of data you collect and for exactly what purpose and what legal basis.
4. Do you collect the data of persons under 18 years old?
The EU affords children special protection. Under Article 8 of the GDPR, an online service that relies on consent to process a child's data needs parental consent for children under 16, and individual Member States may lower that age to no younger than 13:
"Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child."
If you collect data from minors, your Privacy Policy should disclose:
- That you collect data of minors
- What measures you take to avoid collecting that data without parental consent
- What differences exist in the processing of this data
Pinterest takes a similar approach:
Even if you don't knowingly have children using your online service, include a similar clause as the above to help limit your legal liability in the event children do use your service without your knowledge.
5. What methods of data collection do you use?
Do you get personal data from the source (directly from users), or do you receive it through a third-party agreement?
Each of these answers describes how the user serves, directly or indirectly, as your primary source of data.
Do you receive data from outside sources? Here's how Pinterest discloses its use of information from third parties:
How do you get the data you collect from users? Is it from email sign-ups? Do you collect data about user behavior on your site through cookies?
Conde Nast breaks down how it collects information through online identifiers and behavioral data:
6. Why and how is the data used?
Why are you collecting data in the first place? What's your data ethos? Are you collecting data for marketing purposes? Is data collection essential to providing your services?
Nordstrom has a use for the data it collects and discloses this clearly in its Policy:
Do you share the data with any third parties?
Many businesses share their data with a whole host of internal teams and external agencies.
Write down every recipient of personal data. Why do they receive the data? By what mechanism is it shared? Has every third party agreed, in writing, to operate according to your privacy standards?
Outsourcing processing does not shed your responsibility: as the controller you remain answerable for what your processors do with the data, so a processor's misbehaviour becomes your problem too.
7. Who in your organization accesses the data? Is data access tiered?
The GDPR requires businesses to protect personal data against unauthorized access (Article 32 on security of processing). To do so, you need to know who has access to the data.
Create a list of everyone in your organization with access to the personal data you collect about users.
Is some data available only to certain roles? Is there data available to every team member? Access should be tiered so that each role can reach only the categories of data its job requires.
Part of preventing unauthorized access is knowing who is accessing data and when. Real-time access monitoring lets you recognize a data breach promptly and start the notification process the law requires.
Do you have a system that logs access? For example, if you're running SAP, you might use the EAS-SEC SAP Cybersecurity framework to monitor activities.
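A concrete way to combine the tiering and the logging the question asks about is to define which data categories each role may touch, deny everything else by default, and then audit the access log against that same table. The following is an added example for this article and is not code from the original page or from any product it mentions: the role tiers, the log format and the log lines are all constructed for illustration, and the bulk-access threshold is an assumed value.

```python
"""Tiered access check plus access-log audit (added example, constructed data)."""
from collections import Counter

# Hypothetical tiers: which data categories each role may read. Deny by default.
ROLE_TIERS = {
    "support":  {"contact"},
    "billing":  {"contact", "financial"},
    "security": {"contact", "financial", "health", "audit"},
}

# Constructed sample log: timestamp user role category record_count
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice   support  contact   1
2024-03-01T09:00:12Z alice   support  financial 1
2024-03-01T09:01:03Z bob     billing  financial 3
2024-03-01T09:02:40Z bob     billing  health    1
2024-03-01T09:05:00Z carol   security audit     2
2024-03-01T09:06:00Z mallory support  contact   500
"""


def can_access(role, category):
    """Enforcement-time check: unknown roles and unlisted categories are denied."""
    return category in ROLE_TIERS.get(role, set())


def parse_line(line):
    ts, user, role, category, count = line.split()
    return {"ts": ts, "user": user, "role": role,
            "category": category, "count": int(count)}


def audit(log_text, bulk_threshold=100):
    """Replay the log against the tiers.

    Returns findings in log order:
      ("unauthorized", user, category)  - a role read a category outside its tier
      ("bulk", user, total_records)     - one user touched >= bulk_threshold records
    The bulk rule catches an authorized role pulling far more data than its job
    needs, which is what an insider exfiltration or a stolen session looks like.
    """
    findings = []
    per_user = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if not can_access(e["role"], e["category"]):
            findings.append(("unauthorized", e["user"], e["category"]))
        per_user[e["user"]] += e["count"]
    for user, total in per_user.items():
        if total >= bulk_threshold:
            findings.append(("bulk", user, total))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Because `audit` reuses `can_access`, the monitoring rule can never drift from the enforcement rule; if the audit reports an "unauthorized" finding, the enforcement layer has a bug or has been bypassed, which is exactly the event your breach procedure needs to hear about.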
8. What legal basis do you rely on for your data processing?
The GDPR requires a legal basis for every processing of personal data (Article 6).
There are six lawful bases for data processing:
- Consent
- Performance of a contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Spotify provides a chart to highlight what data is used, why the data is used and the legal basis for the processing purpose:
You'll see that account registration data and service usage data is used "to provide, personalize, and improve your experience with the Spotify Service and other services and products provided by Spotify." Its legal justification for collecting and processing the data this way falls under both "Legitimate Interest" and "Performance of a Contract."
9. How easy is it for users to withdraw consent they've given?
When you think of consent within the context of the GDPR, it's important to think of it as more than a single action. It's a relationship between you and your customer that keeps them informed of your processes. The relationship also allows them to opt out when giving you their data no longer suits them.
Remember, the GDPR requires consent to be as easy to withdraw as it is to give (Article 7(3)). So, don't hide those functions away.
What do visitors need to do to withdraw their consent? Do they need to send an email? Fill out a form? Update privacy settings within their account?
Here is one approach, a dedicated request form. From this form, users can request to have their personal information updated, ported, accessed or deleted, and exercise the other rights granted by the GDPR:
10. Is consent granular? Can visitors opt-in to some data processing but out of others?
The GDPR promotes what is called granular consent: a separate, specific choice for each distinct purpose rather than one bundled "I agree". Pre-ticked boxes and silence do not count as consent.
Jetsetter does a great job of creating granular consent within its email marketing campaigns:
Subscribers have the option to control what emails they get and when they get them. Unsubscribing from all emails is also easy.
Make sure your consent request forms are up to standards, and that you allow easy opt-outs.
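Questions 9 and 10 both come down to how you record consent. Under Article 7(1) you must be able to demonstrate that a person consented, and you must be able to withdraw one purpose without touching the others. An append-only ledger of consent events, replayed to get the current state, does both. This is an added example, not code from the original page or from any of the companies it cites; the purpose names, event fields and sample events are constructed for illustration.

```python
"""Granular consent ledger (added example, constructed data)."""

# Hypothetical purposes a visitor can accept or refuse independently.
PURPOSES = {"newsletter", "product_updates", "analytics"}


class ConsentLedger:
    """Append-only record of consent events.

    Nothing is ever overwritten: a withdrawal is a new event, so the history
    needed to demonstrate consent (who, what, when, under which policy version,
    through which UI) survives. Current state is derived by replaying events.
    """

    def __init__(self):
        self.events = []

    def _append(self, action, subject, purpose, ts, **extra):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        event = {"action": action, "subject": subject, "purpose": purpose, "ts": ts}
        event.update(extra)
        self.events.append(event)
        return event

    def grant(self, subject, purpose, ts, policy_version, source):
        """Record an affirmative opt-in, with the evidence you may need later."""
        return self._append("grant", subject, purpose, ts,
                            policy_version=policy_version, source=source)

    def withdraw(self, subject, purpose, ts, source):
        """Withdrawal is recorded even if nothing was granted: it is still a request."""
        return self._append("withdraw", subject, purpose, ts, source=source)

    def state(self, subject):
        """Current per-purpose consent. Missing purposes default to False:
        no consent is assumed unless an explicit grant is the latest event."""
        current = {p: False for p in PURPOSES}
        for e in self.events:
            if e["subject"] == subject:
                current[e["purpose"]] = e["action"] == "grant"
        return current

    def evidence(self, subject, purpose):
        """The grant event that currently justifies processing, or None if
        consent was never given or has since been withdrawn."""
        latest = None
        for e in self.events:
            if e["subject"] == subject and e["purpose"] == purpose:
                latest = e
        return latest if latest and latest["action"] == "grant" else None


def demo():
    led = ConsentLedger()
    led.grant("u1", "newsletter", "2024-01-01T10:00:00Z", "v3", "signup_form")
    led.grant("u1", "analytics", "2024-01-01T10:00:05Z", "v3", "cookie_banner")
    # One purpose withdrawn from account settings; the other is untouched.
    led.withdraw("u1", "newsletter", "2024-02-01T08:30:00Z", "account_settings")
    return led


if __name__ == "__main__":
    ledger = demo()
    print(ledger.state("u1"))
    print(ledger.evidence("u1", "analytics"))
```

The `source` field is deliberate: when a regulator asks how a particular consent was obtained, "cookie_banner" versus "account_settings" versus "imported_from_vendor" is the answer they want, and it is cheap to record at the time and impossible to reconstruct later.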
11. How long do you store data?
The GDPR's storage limitation principle (Article 5(1)(e)) lets you keep personal data for as long as it's needed for the purpose you collected it for, provided it stays adequately protected. Once the data is no longer needed for that purpose, delete it or anonymise it.
Identify how long each category of data currently remains on your servers. You should already have a retention schedule that states a precise period for each category, for example 3 years from the last account activity, rather than "until we get around to it".
12. Do you have a data elimination process?
Are you deleting data when you say you will, or is it sitting there months and years after it's no longer useful?
Outline your data elimination process for data you collect directly, and review the elimination processes of the third parties you use that also hold that data, since deleting your copy while a processor keeps theirs does not meet the obligation.
Do you have a process in place that allows you to meet your obligations when someone exercises their right to be forgotten (Article 17)? Remember that erasure requests can be refused where you must keep the data to comply with a legal obligation, for example accounting records, and that recipients you shared the data with must be told about the erasure (Article 19).
Ensure you have a policy dedicated to data erasure requests within your data elimination process.
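Questions 11 and 12 are two sides of the same mechanism: a retention schedule with a fixed period per purpose, a scheduled purge that enforces it, and an erasure routine that honours a right-to-be-forgotten request while respecting legal holds and telling downstream recipients. The following is an added example, not code from the original page; the retention periods, the `invoice` legal hold, the record layout and the sample records are constructed assumptions.

```python
"""Retention schedule enforcement and erasure requests (added example, constructed data)."""
from datetime import datetime, timedelta

# Hypothetical schedule: one fixed period per purpose, counted from collection.
RETENTION = {
    "marketing": timedelta(days=365),
    "account":   timedelta(days=3 * 365),
    "invoice":   timedelta(days=7 * 365),
}
# Purposes where a legal obligation forces us to keep the data even if the
# subject asks for erasure (assumed here for invoices).
LEGAL_HOLD = {"invoice"}

# Constructed records. "recipients" are third parties that received a copy.
RECORDS = [
    {"id": 1, "subject": "u1", "purpose": "marketing",
     "collected": datetime(2020, 1, 15), "recipients": ["mailvendor"]},
    {"id": 2, "subject": "u1", "purpose": "account",
     "collected": datetime(2022, 6, 1), "recipients": []},
    {"id": 3, "subject": "u1", "purpose": "invoice",
     "collected": datetime(2021, 3, 3), "recipients": ["payroll-co"]},
    {"id": 4, "subject": "u2", "purpose": "marketing",
     "collected": datetime(2023, 9, 9), "recipients": ["mailvendor"]},
]
NOW = datetime(2024, 3, 1)  # fixed "today" so the example is reproducible


def expiry(record):
    """The calendar date on which this record must be gone."""
    return record["collected"] + RETENTION[record["purpose"]]


def expired_ids(records, now):
    return sorted(r["id"] for r in records if expiry(r) <= now)


def purge_expired(records, now):
    """Scheduled job: drop everything past its retention date.
    Returns (surviving_records, removed_ids)."""
    removed = expired_ids(records, now)
    survivors = [r for r in records if r["id"] not in removed]
    return survivors, removed


def erase_subject(records, subject):
    """Right-to-erasure request for one data subject.

    Removes every record of theirs not under legal hold, reports which records
    were retained on hold (so the refusal can be explained to them), and lists
    the recipients that must be notified of the erasure.
    """
    kept, removed, notify = [], [], set()
    for r in records:
        if r["subject"] == subject and r["purpose"] not in LEGAL_HOLD:
            removed.append(r["id"])
            notify.update(r["recipients"])
        else:
            kept.append(r)
    on_hold = [r["id"] for r in kept if r["subject"] == subject]
    return {"kept": kept, "removed": removed,
            "on_hold": on_hold, "notify": sorted(notify)}


if __name__ == "__main__":
    survivors, gone = purge_expired(RECORDS, NOW)
    print("purged:", gone)
    print(erase_subject(survivors, "u1"))
```

Keeping the schedule as data (`RETENTION`) rather than scattering dates through code means the periods you publish in your Privacy Policy and the periods the purge job enforces come from one place, which is the first thing an auditor will compare.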
13. How do you handle data subject access rights?
People in the EU now have more rights over their data than ever before: access, rectification, erasure, restriction of processing, data portability and objection. You generally have one month to respond to a request (Article 12(3)), so are you prepared to find, export and correct a given person's data within that window?
14. Who is your data protection officer? Are you legally obligated to have one?
Do you need a Data Protection Officer?
Under Article 37, yes if you're a public authority; yes if your core activities require regular and systematic monitoring of individuals on a large scale; and yes if your core activities consist of large-scale processing of special categories of data, such as health data or biometrics, or of data about criminal convictions. Some Member States impose additional requirements.
The role is a cornerstone of the GDPR because it's concerned with accountability. By nominating an individual to oversee your processes, you're putting forward a person whose job is to hold your organization accountable.
Make sure you know whether or not you're required to have one, and if you are, appoint one.
15. How do you detect breaches and what is your data breach reporting procedure?
Do you have an alert system in place for when a breach is detected? Who does it alert? When does it alert them? Can the system be accessed from outside the premises, or does the person on call need to go to the office and log in onsite?
Timing matters: a breach that is likely to put people's rights at risk must be reported to the supervisory authority within 72 hours of your becoming aware of it (Article 33), and affected individuals must be told without undue delay when the risk to them is high (Article 34). Set out a chain of command for breach reporting, including who is responsible for notifying affected parties, stakeholders and the supervisory authority.
16. Are your staff trained to meet the challenges the GDPR involves?
After you have GDPR procedures in place, make sure everyone at your business is aware of the changes and how their individual roles and responsibilities will be affected.
The GDPR encourages businesses to be proactive about the way they collect, process, and store data. It's at the heart of a wider effort to protect people from data misuse and breaches.
While it may be inconvenient for businesses who aren't yet compliant, it ultimately presents an opportunity to build better systems, trust, and transparency - each of which offers value to your business and your customers.