What Does it Mean to be GDPR Compliant?
No doubt by now you have heard of the GDPR, but what does it actually mean to be GDPR compliant?
To be GDPR compliant a company or organization which collects, uses and stores personal data from their users must adhere to a set of rules to keep that data safe and secure while offering their users more control over accessing their data and how understanding how their data is used.
On this page
What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
What is the GDPR?
The GDPR is a set of regulations set to protect the rights of EU residents and citizens and their personal data. It came into effect on 25th May 2018.
With so many aspects of our lives online nowadays, these new laws have been put into place to help protect the personal data that is collected when we use most websites. These include banking, retailers and social media sites, just to mention a few.
So what is personal data?
Personal data is any information that is related to an identifiable natural person, also known as the “data subject”. An “identifiable natural person” is a person who can be identified either directly or indirectly by reference to an identifier. Examples of identifiers are : name, identification number, or an online identifier such as physical, genetic, cultural, economic or social identity of that natural person.
If my business is outside of the EU do I need to be compliant with GDPR?
In short, yes. If your company offers any goods or services to people in the EU, you will be collecting some form of personal data from them. You are therefore required to be GDPR compliant.
What does it mean to be GDPR compliant?
Any company or organization that collects, maintains and uses peoples personal data has a set of rules that they must adhere to in order to comply with the GDPR.
In order to ensure you are GDPR compliant this checklist will help:
- Complete an audit so you can determine what personal information you collect and how you use and maintain this personal data.
- Ensure you satisfy the requirements for “Lawfulness of Processing” of personal data.
- Encrypt or anonymize personal data wherever possible.
- Create a Data Protection Policy for your company and ensure all staff are aware of their role in the security of personal data collected.
- Have a process in place for a data breach. This can be included in your Data Protection Policy.
- Appoint a Data Protection Officer if required.
- Ensure your customers/users are aware of their data privacy rights
Personal Information audit
Determine what personal information your company collects and whether you collect any information from residents or citizens of the EU. If you do process such information then check out Recital 23 to determine whether you are subject to GDPR.
Lawfulness of Processing
Under the GDPR regulations, personal data processing is lawful if one or more of the following conditions are met:
- Your user has consented to his/her personal data being processed for a specific purpose or purposes.
- processing the users personal data is required in order to fulfill a contract with the user.
- processing the personal data is necessary for legal obligation.
- processing of personal data is needed in order to protect your users interests or the interests of another natural born person.
- processing the data is necessary in order to carry out a task in the public interest or in the official authority of the controller.
- processing is deemed necessary for legitimate purposes of the data controller or third party unless the interests of the data subject override those purposes. This is especially important if the data subject is a child.
The Policy should include the following information:
- your purpose for processing personal data
- the length of time that personal data is retained
- who personal data is shared with, if any other party
- contact details for the company and the data protection officer if you have one
- a list of data protection rights
- the right for your user to withdraw consent at any time
- the right for your user to lodge a complaint with a supervisory authority if required
- if you have an automated decision making system implemented, then details about how the system is set up and what the consequences of this system are.
Encrypting Personal Data
Wherever possible encrypting personal data will help to keep it safe and private. Encryption is the process of scrambling data so it can only be read by the person who knows the code or encryption key.
There are a few types of encryption and one of the most common is SSL, or “secure sockets layer”. This is a form of encryption that most legitimate websites use. To see if a website uses this form of encryption look for the lock symbol in the URL bar and an S in https://. Other forms of encryption include AES (Advanced Encryption Standard), RSA and triple DES.
Data Protection Policy
Create a Data Protection Policy for your company. A Data Protection Policy outlines how your company uses, manages, stores and secures their data. It is an internal policy for the handling of personal data so that your employees are educated on and can implement the best practices. For more information on Data protection Policies and what to include read “What is a Data Protection Policy”.
Data Breach Process
In the event of a data breach, the relevant authorities must be advised within 72 hours unless the breach is unlikely to cause harm to the rights of a natural person. For more information on the supervisory authorities refer to Article 33 GDPR. Ensure you have a data breach protocol in place and if you have a Data Protection Policy then this is a good place to have it explained.
Appoint a Data Protection Officer
A Data protection Officer is not always required however if you meet one of the following criteria, then your company will need to hire one.
- Public authority — The processing of personal data is done by a public body or public authorities, with exemptions granted to courts and other independent judicial authorities.
- Large scale, regular monitoring — The processing of personal data is the core activity of an organization who regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.
- Large-scale special data categories — The processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.
Even if your company doesn’t require a Data Protection officer it will require somebody to ensure that you are GDPR compliant.
Ensure Users are Aware of Their Data Privacy Rights
One of the key aspects of the GDPR is ensuring the privacy of personal data and empowering data subjects (who are your customers and users), with knowledge about their data privacy rights. The data privacy rights are as follows:
- the right to information: the data subject has the right to find out if your company is processing their personal data and if so, what type of data your company is processing and the reason for this processing.
- the right to access: the data subject has the right to access the personal data your company is processing, which means they can request copies of their personal data.
- the right to rectification: the data subject has the right to request immediate changes to their personal data if they believe it is inaccurate or out of date.
- the right to withdraw consent: the data subject has the right to withdraw their consent at any time for the processing of their personal data.
- the right to object: this right means that the data subject can request at any time that their personal data stop being processed and unless the data processor can show that there are overriding legitimate grounds for the processing then it must cease. Where the data processing is being used for direct marketing purposes then the processing must be stopped immediately.
- the right to be forgotten: also known as the right to erasure, this right means that the data subject is able to request that all of their personal information be erased. There are a number of grounds for granting this right and for further information refer to Article 17 GDPR.
- the right for data portability: the data subject can request his/her personal data and it must be given in a format which is “structured, commonly used and machine readable”. They then have the right to transfer this data to another data controller if they choose. Where possible the data subject can request that their personal data is transferred directly from one data processor to another.