Is your business GDPR-compliant?

The GDPR is sweeping and complicated, and the text of the law itself gives little practical guidance on what you need to do. Add the fact that every business has different data processing needs and requirements, and it's easy to find yourself overwhelmed and lost with this European law.

No GDPR checklist, whether from the European Commission or anyone else, can meet every business's needs, and the EU has yet to release an official checklist or guide. Step-by-step guides that work well for some businesses leave others hopelessly lost.

Why? Because despite its vast complexity and legislative scope, the GDPR is intentionally vague.

Your best bet for compliance is to complete a full GDPR audit of your own business.

While it may be long and painful, it's far cheaper and less exasperating than receiving a fine for violating the GDPR or losing access to the European market.

Rather than offer a guaranteed fix to your data policy, we've put together a list of questions to help you see your strengths and weaknesses and patch any relevant holes in your online business's GDPR compliance.

16 Questions to Ask

1. Are you a data controller or data processor?

You need to be familiar with both of these roles. A data controller determines why and how personal data is processed (the "purposes and means" of processing, in the law's words). A data processor handles personal data on behalf of the controller and processes it only according to the controller's instructions.

For example, if you're the data controller working with an outside payroll company, you'll tell that company when you pay wages and when employees' wages change, and you'll provide the personal data needed to generate payslips.

The payroll company is then the data processor, because it handles the data directly while following your instructions.

Each role comes with different legal requirements and responsibilities.

It's possible for a business to hold both roles at once: a service provider is a processor for the customer data it handles on clients' behalf, and a controller for its own employee and marketing data.

Ask yourself whether you process data in-house or through a third party. If you do all processing in-house, you're simply the controller; the processor role only exists when a separate organization processes personal data on your behalf.

In most cases, data processors are third parties. Using a third party isn't forbidden under the law, but you must have a written contract with each processor that binds it to process data only on your instructions and to meet the GDPR's security obligations (Article 28), and you have to disclose third-party processing in your Privacy Policy because the data is leaving your premises for somewhere else.

Third party service providers must be disclosed, but you don't need to name each one individually: the GDPR asks for the recipients or categories of recipients of the data.

Here's how Conde Nast International includes information about third party data processors in its Privacy Policy:

Conde Nast International Privacy Policy: Do we share your information with anyone else - Service providers clause

Conde Nast International declares its partnerships with service providers to perform tasks on its behalf. It also notes that all third party service providers adhere to the same obligations of Conde Nast's Privacy Policy.

Pipedrive includes a clause in its Privacy Policy that's specifically dedicated to outlining the controller and processor distinction in relation to the company:

Pipedrive Privacy Policy: Data Controller and Data Processor clause

Understanding your role here will help you make sure you're fulfilling all required responsibilities.

2. What personally identifiable information do you collect?

The GDPR requires you to list all the different types of information you collect, whether directly or through a third party.

You can do this in your Privacy Policy.

Here's an example of a data collection clause from Refinery29:

Refinery29 Privacy Policy: Excerpt of Collection of Information clause

Make sure to disclose any types of personal information you collect. This type of information is anything that can be used to identify an individual, such as a name, email address, financial information, social media handles and much, much more.

3. Do you collect more data than you need for your core function?

The GDPR exists in part because of what the EU perceives as the mismanagement of data by companies around the world. Collecting more data than you need is exactly the kind of practice the law targets: its data minimisation principle requires personal data to be adequate, relevant and limited to what is necessary for the purpose.

Under the GDPR, each piece of data collected must serve a purpose and have a legal basis.

If you can't relate a type of data to a function, the law says you shouldn't collect it.

Nordstrom collects a vast amount of personal data:

Nordstrom Privacy Policy: What Information We Collect clause

Be honest about what types of data you collect and for exactly what purpose and what legal basis.

4. Do you collect children's data?

Article 8 of the GDPR sets special conditions on consent from children under 16 when online services are offered directly to them (member states may lower this threshold, but not below 13):

"Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child."

If your business is aimed towards children or you know for a fact that you have children as users, you need to include the following information in your Privacy Policy:

  • That you collect data of minors
  • What measures you take to avoid collecting that data without parental consent
  • What differences exist in the processing of this data

Here's how payment provider Stripe includes a clause in its Privacy Policy to request that no one under 13 provide their data:

Stripe Privacy Policy: Use by Minors clause

Pinterest takes a similar approach:

Pinterest Privacy Policy: Children's information clause

Even if you don't knowingly have children using your online service, include a similar clause as the above to help limit your legal liability in the event children do use your service without your knowledge.

5. What methods of data collection do you use?

Do you get personal data from the source (directly from users) or receive it through a third party agreement?

Your data collection processes should be outlined in your Privacy Policy. Here's how Conde Nast International describes data sources in its Privacy Policy:

Conde Nast International Privacy Policy: What personal information do we collect from you clause

The clause describes how the user serves as the company's primary source of data.

Do you receive data from outside sources? Here's how Pinterest discloses its use of information from third parties:

Pinterest Privacy Policy: Our partners and advertisers share information with us clause

How do you get the data you collect from users? Is it from email sign-ups? Do you collect data about user behavior on your site through cookies?

Conde Nast breaks down how it collects information through online identifiers and behavioral data:

Conde Nast International Privacy Policy: Online identifiers and Behavioural data clauses

6. Why and how is the data used?

Why are you collecting data in the first place? What's your data ethos? Are you collecting data for marketing purposes? Is data collection essential to providing your services?

You'll need to outline why you collect data and how it's used in your Privacy Policy.

Nordstrom has a use for the data it collects and discloses this clearly in its Policy:

Nordstrom Privacy Policy: How We Use Information clause

Do you share the data with any third parties?

Many businesses share their data with a whole host of internal and external agencies.

Write down every recipient of personal data. Why do they receive the data? By what mechanism is it shared? Does every third party agree to operate according to your privacy standards?

As the controller, you remain accountable for what happens to the data you hand over; processors carry their own obligations under the GDPR, but a processor misbehaving does not shift the responsibility off your shoulders.

7. Who in your organization accesses the data? Is data access tiered?

The GDPR requires businesses to prevent unauthorized access to data. To do so, you need to know who has access to the data.

Create a list of everyone in your organization with access to the personal data you collect about users.

Is some data only available to certain parties? Is there data available to every team member?

Part of preventing unauthorized access requires you to know who is accessing data and when. Real-time data access monitoring lets you recognize a data breach quickly and start the notification process the law requires.

Do you have a system that logs access? For example, if you're using SAP security, you might use the EAS-SEC SAP Cybersecurity framework to monitor activities.
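The tiered access and access logging described above can be enforced in code rather than by convention. The following is an added example written for this page, not code from the original article or from any vendor: a small role-based, field-level gate over a personal-data store that refuses any request touching a field outside the role's scope and writes every attempt, granted or denied, to an audit log. The roles, field names, sample record and the "analytics gets no raw rows" rule are assumptions chosen for illustration.

```python
"""Tiered (role- and field-level) access to personal data with an audit log.

Added example, not code from the original article. Roles, field names
and the sample record are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which personal-data fields each role may read (assumption).
# Least privilege: no role gets the whole record by default.
ROLE_FIELDS = {
    "support": {"name", "email"},
    "finance": {"name", "iban"},
    "analytics": set(),  # analytics works on aggregates, never raw rows
}

# Constructed sample store: one data subject.
RECORDS = {
    "u-1001": {
        "name": "Ada Example",
        "email": "ada@example.test",
        "iban": "DE00 0000 0000 0000 0000 00",
        "dob": "1990-01-01",
    },
}


class PermissionDenied(Exception):
    pass


@dataclass
class AuditLog:
    """Append-only record of who touched which fields, and whether it was allowed."""
    entries: list = field(default_factory=list)

    def record(self, actor, role, record_id, fields, granted, now=None):
        entry = {
            "ts": (now or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "role": role,
            "record": record_id,
            "fields": sorted(fields),
            "granted": granted,
        }
        self.entries.append(entry)
        return entry

    def denied(self):
        """Denied attempts are the first thing to review when hunting misuse."""
        return [e for e in self.entries if not e["granted"]]

    def accesses_to(self, record_id):
        """Everything granted against one data subject: useful when answering
        an access request or scoping who saw a record during a breach."""
        return [e for e in self.entries if e["record"] == record_id and e["granted"]]


def read_personal_data(actor, role, record_id, fields, audit):
    """Return only the requested fields the role may see. If any requested
    field is out of scope the whole request is refused and logged, so a
    caller cannot learn part of a record by over-asking."""
    allowed = ROLE_FIELDS.get(role, set())
    requested = set(fields)
    out_of_scope = requested - allowed
    if out_of_scope or record_id not in RECORDS:
        audit.record(actor, role, record_id, requested, granted=False)
        raise PermissionDenied(
            f"{actor} ({role}) may not read {sorted(out_of_scope)} on {record_id}"
        )
    audit.record(actor, role, record_id, requested, granted=True)
    rec = RECORDS[record_id]
    return {f: rec[f] for f in requested}


if __name__ == "__main__":
    log = AuditLog()
    print(read_personal_data("alice", "support", "u-1001", ["name", "email"], log))
    try:
        read_personal_data("bob", "support", "u-1001", ["iban"], log)
    except PermissionDenied as exc:
        print("blocked:", exc)
    print("denied attempts:", log.denied())
```

In a real system the audit log would go to write-once storage that the application accounts cannot alter, and the role-to-field table would be the artifact you review when answering "who in the organization can see what".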

8. What is your legal basis for processing personal data?

The GDPR requires a legal basis for each processing activity.

There are six lawful bases used for data processing:

  • Consent
  • Contract
  • Legal obligation
  • Legitimate interests
  • Public task
  • Vital interests

Spotify provides a chart to highlight what data is used, why the data is used and the legal basis for the processing purpose:

Spotify Privacy Policy: Processing purpose and legal basis chart

You'll see that account registration data and service usage data is used "to provide, personalize, and improve your experience with the Spotify Service and other services and products provided by Spotify." Its legal justification for collecting and processing the data this way falls under both "Legitimate Interest" and "Performance of a Contract."

9. How do users withdraw consent?

When you think of consent within the context of the GDPR, it's important to think of it as more than a single action. It's a relationship between you and your customer that keeps them informed of your processes. The relationship also allows them to opt out when giving you their data no longer suits them.

Remember, the GDPR requires consent to be as easy to rescind as it is to give. So, don't hide those functions away.

What do visitors need to do to withdraw their consent? Do they need to send an email? Fill out a form? Update privacy settings within their account?

How easy is it for people to find out how to withdraw their consent? Is it displayed clearly in your Privacy Policy? Do you include a tab for the withdrawal of consent on users' profiles? Do you let users know they can revoke consent at the moment you request it?

In its Privacy Policy, The New York Times provides a link to a Data Subject Request form:

The New York Times Privacy Policy: How do I Access, Change or Update my Personal Information clause

From this form, users can request to have their personal information updated, ported, accessed or deleted, and exercise other rights granted by the GDPR:

The New York Times: Excerpt of Data Subject Request form for GDPR

10. Do you obtain granular consent?

The GDPR promotes something called granular consent.

Rather than bundling your Terms of Service, Cookie Policy, third party sharing and anything else into a single consent request, visitors should be able to opt in or out of each purpose, communication method and permission request individually.

Jetsetter does a great job of creating granular consent within its email marketing campaigns:

Jetsetter email preferences page with granular options for unsubscribing

Subscribers have the option to control what emails they get and when they get them. Unsubscribing from all emails is also easy.

Make sure your consent request forms are up to standards, and that you allow easy opt-outs.

11. How long do you store data?

The GDPR doesn't set a fixed limit on how long you may store data, but its storage limitation principle says personal data may be kept only as long as it is needed for the purpose it was collected for, and it must be adequately protected for that whole time. Once the data is no longer needed, deleting it (or anonymizing it) is not just best practice; it is what the law expects.

Identify how long data currently remains on your servers. You should already have a documented retention period for each category of data, for example 3 years from the last use, rather than an open-ended "until we get around to it".

12. Do you have a data elimination process?

Are you deleting data when you say you will, or is it sitting there months and years after it's no longer useful?

Outline your data elimination process for data collected directly and review data elimination processes among third parties you use that also collect data.

Do you have a process in place that allows you to meet your obligations when someone expresses their right to be forgotten?

Ensure you have a policy dedicated to data erasure requests within your data elimination process.
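Questions 11 and 12 together describe one mechanism: a retention period per category of data, a scheduled purge that enforces it, and an erasure path for individual requests that knows which records a legal obligation forces you to keep. The following is an added example written for this page, not code from the original article: the categories, retention periods, the "invoices stay under legal hold" rule, the sample records and the fixed "as of" date are all assumptions chosen for illustration.

```python
"""Retention enforcement and right-to-erasure handling for a personal-data store.

Added example, not from the original article. The categories, retention
periods, legal-hold rule, sample records and AS_OF date are assumptions.
"""
from datetime import date, timedelta

# Retention period per data category, in days (assumption). Each period
# should trace back to the purpose and legal basis in your Privacy Policy.
RETENTION_DAYS = {
    "marketing": 365,
    "support_ticket": 3 * 365,
    "invoice": 10 * 365,
}

# Categories a legal obligation forces you to keep even when the subject
# asks for erasure (assumption: accounting rules for invoices).
LEGAL_HOLD = {"invoice"}

# Constructed sample records; last_used is the date of the last legitimate use.
SAMPLE = [
    {"id": 1, "subject": "u-1001", "category": "marketing", "last_used": date(2023, 1, 1)},
    {"id": 2, "subject": "u-1001", "category": "support_ticket", "last_used": date(2022, 1, 1)},
    {"id": 3, "subject": "u-1001", "category": "invoice", "last_used": date(2015, 1, 1)},
    {"id": 4, "subject": "u-1002", "category": "marketing", "last_used": date(2024, 5, 1)},
]

# Constructed "today" so the demo is reproducible.
AS_OF = date(2024, 6, 1)


def is_expired(record, today):
    """A record is past retention once last_used plus its period is before today."""
    period = RETENTION_DAYS[record["category"]]
    return record["last_used"] + timedelta(days=period) < today


def purge_expired(records, today):
    """Scheduled job: split records into kept and purged. The purged list is
    returned so the deletion can be logged, not silently dropped."""
    kept, purged = [], []
    for r in records:
        (purged if is_expired(r, today) else kept).append(r)
    return kept, purged


def erase_subject(records, subject_id):
    """Right to erasure: remove everything about the subject except records
    under legal hold, which are reported back so the reply to the requester
    can state what was retained and why."""
    kept, erased, retained = [], [], []
    for r in records:
        if r["subject"] != subject_id:
            kept.append(r)
        elif r["category"] in LEGAL_HOLD:
            kept.append(r)
            retained.append(r)
        else:
            erased.append(r)
    return kept, erased, retained


def erasure_receipt(subject_id, erased, retained):
    """What you hand back to the data subject and keep as evidence of compliance."""
    return {
        "subject": subject_id,
        "erased": sorted(r["id"] for r in erased),
        "retained": {r["id"]: r["category"] for r in retained},
    }


if __name__ == "__main__":
    kept, purged = purge_expired(SAMPLE, AS_OF)
    print("purged by retention:", [r["id"] for r in purged])
    kept, erased, retained = erase_subject(kept, "u-1001")
    print(erasure_receipt("u-1001", erased, retained))
```

Run against the constructed data, the retention job removes the stale marketing record, and the erasure request for u-1001 removes the support ticket but keeps the invoice, reporting the legal-hold category back to the requester. Any third-party processor holding copies of the same subject's data needs the same request forwarded to it.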

13. How do you handle data subject access rights?

People in the EU now have more rights over their data than ever before. Are you prepared to facilitate them?

The GDPR gives data subjects the rights to access their data, to have it rectified or erased, to restrict or object to its processing, to receive it in a portable format, and not to be subject to purely automated decisions with significant effects. You need to list these rights in your Privacy Policy and have methods in place to respond to requests, generally within one month of receiving them. Learn these rights, list them in your Policy and implement business practices to honor them.

14. Who is your data protection officer? Are you legally obligated to have one?

Do you need a Data Protection Officer?

If you're a public authority, then yes. You also need one if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health or biometric data, or of data about criminal convictions.

The role is a cornerstone of GDPR legislation because it's concerned with accountability. By nominating an individual to remain in charge of the processes, you're putting forward a person who will hold your organization accountable.

Make sure you know whether or not you're required to have one, and if you are, appoint one (an existing employee or an external provider can fill the role, as long as they are independent and have the expertise).

15. How do you detect breaches and what is your data breach reporting procedure?

Do you have an alert system in place for when breaches are detected? Who does it alert? When does it alert them? Can the system be accessed from outside the premises, or does the person on call need to go to the office and log in onsite?

The clock matters: the GDPR requires you to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and to inform the affected individuals themselves when the breach is likely to put them at high risk.

Don't forget to set out a chain of command for data breach reporting, including who holds the responsibility for notifying affected parties, stakeholders and the supervisory authority.
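Detection has to start from something concrete, usually the access log. The following is an added example written for this page, not code from the original article: it parses a constructed access log, flags any actor that reads more than a threshold of distinct data subjects inside a short window (a simple bulk-export signal), lists the subjects that actor touched so the breach can be scoped, computes the 72-hour notification deadline, and checks a draft report against the contents Article 33(3) requires. The log format, the threshold, the window and the sample lines are assumptions.

```python
"""Flag bulk reads of personal data in an access log and track the
breach-notification clock.

Added example, not code from the original article. The log format,
threshold, window and sample lines are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log, one JSON object per line. 'alice' does
# normal support work; 'svc-export' pulls seven subjects in two minutes at night.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00+00:00", "actor": "alice", "record": "u-1001"}
{"ts": "2024-05-01T09:04:10+00:00", "actor": "alice", "record": "u-1002"}
{"ts": "2024-05-01T02:10:00+00:00", "actor": "svc-export", "record": "u-1001"}
{"ts": "2024-05-01T02:10:15+00:00", "actor": "svc-export", "record": "u-1002"}
{"ts": "2024-05-01T02:10:30+00:00", "actor": "svc-export", "record": "u-1003"}
{"ts": "2024-05-01T02:10:45+00:00", "actor": "svc-export", "record": "u-1004"}
{"ts": "2024-05-01T02:11:00+00:00", "actor": "svc-export", "record": "u-1005"}
{"ts": "2024-05-01T02:11:15+00:00", "actor": "svc-export", "record": "u-1006"}
{"ts": "2024-05-01T02:11:30+00:00", "actor": "svc-export", "record": "u-1007"}
"""


def parse_ts(text):
    return datetime.fromisoformat(text)


def parse_log(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        entry["ts"] = parse_ts(entry["ts"])
        entries.append(entry)
    return entries


def bulk_readers(entries, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak distinct subjects} for every actor that read more
    than `threshold` distinct subjects inside any span of length `window`."""
    by_actor = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_actor[e["actor"]].append(e)
    alerts = {}
    for actor, events in by_actor.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {x["record"] for x in events[start:end + 1]}
            if len(distinct) > threshold:
                alerts[actor] = max(alerts.get(actor, 0), len(distinct))
    return alerts


def affected_subjects(entries, actor):
    """Scope the incident: which data subjects did the flagged actor touch?"""
    return sorted({e["record"] for e in entries if e["actor"] == actor})


def notification_deadline(aware_at):
    """Article 33: notify the supervisory authority without undue delay and,
    where feasible, within 72 hours of becoming aware of the breach."""
    return aware_at + timedelta(hours=72)


# Contents Article 33(3) requires in the notification.
REQUIRED_REPORT_FIELDS = (
    "nature",
    "categories_and_approx_number_of_subjects",
    "categories_and_approx_number_of_records",
    "dpo_contact",
    "likely_consequences",
    "measures_taken",
)


def missing_report_fields(report):
    return [f for f in REQUIRED_REPORT_FIELDS if not report.get(f)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    alerts = bulk_readers(entries)
    print("bulk readers:", alerts)
    for actor in alerts:
        print(actor, "touched", affected_subjects(entries, actor))
    print("notify by:", notification_deadline(parse_ts("2024-05-01T08:00:00+00:00")))
```

The threshold and window here are deliberately small so the constructed log trips the rule; in production they come from a baseline of normal per-role activity, and the alert should page whoever owns breach response rather than sit in a dashboard that only gets read on site.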

16. Are your staff trained to meet the challenges the GDPR involves?

After you have GDPR procedures in place, make sure everyone at your business is aware of the changes and how their individual roles and responsibilities will be affected.

The GDPR encourages businesses to be proactive about the way they collect, process, and store data. It's at the heart of a wider effort to protect people from data misuse and breaches.

While it may be inconvenient for businesses that aren't yet compliant, it ultimately presents an opportunity to build better systems, trust, and transparency - each of which offers value to your business and your customers.