GDPR Preparation Planning Checklist

For many businesses, few laws have had such a significant impact as the EU General Data Protection Regulation (GDPR). Not only is the effect of this important privacy law noticeable online (you'll most likely have been asked to consent to a lot of activity recently), its broad and international scope has also meant that it has touched a wide variety of companies.

It's essential that you understand the GDPR, and consider how it applies in your situation. As a result of their new-found obligations, many people have learned a lot about the basic principles of data protection. Once you have that theoretical understanding, you're ready to start preparing your company for ongoing GDPR-compliance.

Let's look at the practical steps you can take to adjust your systems and practices in accordance with the new privacy regime.


Why the GDPR Matters

Any company hoping to enter the EU marketplace needs to treat the privacy of its residents with respect. The EU's data protection laws have been rigorous for many years. But the passing of the GDPR is significant for three main reasons:

  1. It introduces higher privacy standards and new responsibilities
  2. It increases accountability and threatens a new range of fines and other sanctions
  3. It explicitly applies to non-EU businesses, as long as they offer goods or services to, or monitor the behavior of, people in the EU

Many business owners panicked when they first received the 50,000-word rulebook that is the GDPR. Many others, however, decided to make the most of this opportunity to reflect on their data protection practices.

The world is changing, and lawmakers everywhere are determined to rein in data processing practices. Choosing to prepare your systems and processes so that you can comply with the strict privacy standards of the EU simply makes good business sense.

Some Basic GDPR Terms

This article is about the practical stuff - what you need to do in your business to get on board with the GDPR, and how to go about doing it. But in case you're not familiar with GDPR jargon, here are some important terms you need to understand:

  • Personal data - any information that relates to an identified or identifiable person. The most obvious example is a person's name. Less obvious examples include a person's Internet Protocol (IP) address and the data collected by cookies.
  • Data controller - anyone (including a business, charity, or individual) who decides what, how and why personal data is processed. This could mean something as innocuous as collecting a list of email addresses and responses as part of an online marketing survey.
  • Data processor - anyone who processes data on a data controller's behalf. This could be a person who receives this survey data and writes it up into a report. They didn't decide how or why to carry out the survey or write the report, but they're still processing personal data.

Most of the responsibilities imposed by the GDPR fall on data controllers. However, the GDPR also imposes obligations directly on data processors, such as securing the data they process (Article 32) and keeping a record of their processing (Article 30). It's also important to note that most data processors act as data controllers in some respects, for example for their own staff and customer data.

Processing Personal Data Securely

Article 32 of the GDPR requires you to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of your processing.

Consider all the different ways in which you work with personal data, and how you might implement practical security measures in relation to each one.

Here are some suggested measures you might take. The European Data Protection Supervisor provides detailed guidance.

Access security
  • Ensure that staff do not use shared or generic accounts to access personal data; every access should be attributable to one person
  • Restrict access to the staff whose role actually requires it (least privilege), and review those permissions regularly
  • Create and distribute an access control policy
  • Only allow strong passwords, and add multi-factor authentication for administrative access
  • Log and monitor access to personal data
Storage security
  • Separate direct identifiers (such as names) from indirect identifiers and other data (such as IP addresses), linking the two only through a key that is held separately; the GDPR calls this pseudonymization, and it limits what a single compromised store reveals
  • Run servers that store personal data with minimal user rights
  • Place servers that store personal data behind a firewall with a default-deny rule set
Network security
  • Use TLS (not legacy SSL) for any access to personal data over the internet
  • Only allow remote access to IT systems from specific managed devices under strict monitoring (if at all)
  • Monitor all network access (e.g. via firewall logs)
Third-party security
  • Compile a list of all your data processors (and their subprocessors)
  • Obtain their policies and check that they are GDPR-compliant; you also need a written contract with each processor covering the points set out in Article 28
  • Stop working with data processors that cannot demonstrate GDPR compliance

Collecting Personal Data Lawfully

It sometimes takes people a little while to understand the concept of lawful bases. Some people approach the GDPR on the assumption that they will need to get consent for all data processing. In fact, this isn't necessary or appropriate in all cases.

If you haven't yet determined your lawful bases for processing personal data, you should take a step back and do this before reading this section. There's some information about this in our GDPR Readiness Checklist article.

Simply knowing that you have a lawful basis for each act of data processing you undertake isn't all you have to do, however. You also need to ensure you are collecting and processing personal data in a lawful way.

Establishing Your Legitimate Interests

It's likely that you'll be relying on your legitimate business interests for collecting personal data in certain ways. For example, you may believe that, under certain conditions, you have a legitimate interest in collecting the IP addresses of visitors to your site.

You won't know for sure until you've conducted a Legitimate Interests Assessment. Any company that hopes to rely on this lawful basis must carry out this balancing exercise and, under the GDPR's accountability principle, be able to show that it has. Carrying out the assessment and recording the results is an important part of your GDPR preparation.

The Information Commissioner's Office suggests that a Legitimate Interests Assessment comprises three main parts: purpose, necessity and balancing.

Here are some of the questions you'll need to answer in connection with each of these parts:

The Purpose Test
  • What are you trying to achieve?
  • Who will benefit?
  • Is this purpose ethical?
  • Have you determined that your processing activity complies with other laws?
The Necessity Test
  • How will this processing activity help you achieve your aims?
  • What would happen if you didn't carry out this processing?
  • Do you need to process personal data to this extent, or in this particular way?
The Balancing Test
  • Is this particularly sensitive ("special category") personal data?
  • Do you have any existing business relationship with the data subjects?
  • Are you being sufficiently transparent about the processing activity?
  • Is this data processing method risky or novel in some way?
  • Are people likely to be surprised or unhappy that you have processed their personal data in this way?
  • What might be the impact of a data breach?
  • What safeguards have you adopted?

There's no clear set of "correct" answers. This assessment is a chance for you to demonstrate that you have carefully considered the risks and implications associated with relying on legitimate interests as your lawful basis. You should keep a record of it as well.

Obtaining Valid Consent

Many companies are not obtaining consent in a GDPR-compliant way. This includes Google, which was fined €50 million by the French regulator CNIL in early 2019 for gathering users' consent in a non-GDPR-compliant way (at the time of writing Google is planning to appeal).

Obtaining valid consent under the GDPR is not an easy task. You'll need consent for a lot of online business activity. And wherever you're asking for consent, you need to ensure that it's:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
  5. Clear and affirmative

In practical terms, GDPR compliance in this area means implementing effective front-end consent solutions for activities like setting cookies and collecting personal data for marketing purposes.

A GDPR-compliant cookie solution does not look like this example from The Washington Post:

Washington Post subscribe options with pre-checked consent

The Washington Post clearly needs to raise revenue, and personalized ads appear to be an important part of its business model. However, let's consider this example against some of the necessary components of GDPR consent listed above:

  • Freely given: The alternative to providing personal data is paying a subscription or not accessing the service - this is not really a free choice.
  • Specific: Consent to first- and third-party tracking is "bundled" together - consent is not "specific" to either.

Under the GDPR, you shouldn't ask for consent unless you really mean it. Personal data processing shouldn't be presented as a "payment option."

Here's an example from the University of Edinburgh:

University of Edinburgh Cookies Consent notice

This cookie consent solution has some issues, too, in relation to different factors:

  • Unambiguous: It isn't clear that anyone who is subject to this act of data processing has truly consented to it - this is ambiguous.
  • Clear affirmative action: The user is supposedly consenting by continuing to browse the site - this isn't affirmative.

Here's a better example from the University of Brighton.

University of Brighton Cookies Consent notice

At first glance this looks problematic, because no obvious "reject" option is presented alongside "I accept". It is acceptable only because the site does not treat silence, scrolling or continued browsing as consent, and does not block access to the service until the user consents; if either of those were true, the missing reject option would invalidate the consent.

Here's what happens when the user clicks "Cookie Settings":

University of Brighton Cookies Consent notice Settings screen

Overall, this solution appears to satisfy all these elements:

  • Freely given - There is no detriment to refusing consent.
  • Specific - Each type of non-essential cookie requires specific consent.
  • Informed - The purpose of each cookie is explained.
  • Unambiguous - Certain cookies such as targeting cookies are "off" by default. They are not turned on until the user has consented.
  • Clear affirmative action - The user must click "I accept" to turn on cookies.
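
The five properties above translate directly into rules a consent script must enforce. The following is an added example in JavaScript, written for this article rather than taken from it or from any consent-management vendor; the category names, purposes, cookie name and six-month retention of the choice are assumptions. It keeps every non-essential category off until an explicit click, records a choice per category, treats scrolling or dismissing the banner as no decision (the University of Edinburgh problem above), and re-asks when the set of purposes changes.

```javascript
// Added example, not the article's code and not any vendor's consent API:
// a consent model that enforces the five GDPR consent properties in code.
// Category names, purposes, the cookie name and its lifetime are assumptions.
const CONSENT_COOKIE = 'cookie_consent'; // hypothetical cookie name
const CONSENT_VERSION = 1;               // bump when purposes change, so old choices are re-asked
const CONSENT_MAX_AGE = 15552000;        // 180 days, an assumed retention period

const CATEGORIES = {
  necessary: { essential: true,  purpose: 'Session and security cookies (no consent needed)' },
  analytics: { essential: false, purpose: 'Audience measurement' },
  targeting: { essential: false, purpose: 'Personalised advertising' },
};

// State before any decision: every non-essential category is off. This is also
// the state of a user who ignores the banner, so nothing non-essential runs.
function defaultConsent() {
  const granted = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) granted[name] = meta.essential;
  return { version: CONSENT_VERSION, decided: false, granted };
}

// Only explicit clicks produce a decision. Scrolling, dismissing the banner or
// continuing to browse fall through to the default branch and change nothing.
function applyEvent(state, event) {
  const next = { ...state, granted: { ...state.granted } };
  switch (event.type) {
    case 'accept_all':
      for (const name of Object.keys(CATEGORIES)) next.granted[name] = true;
      next.decided = true;
      break;
    case 'reject_all':
      for (const [name, meta] of Object.entries(CATEGORIES)) next.granted[name] = meta.essential;
      next.decided = true;
      break;
    case 'save_settings': // specific: one switch per category; unknown keys are ignored
      for (const [name, meta] of Object.entries(CATEGORIES)) {
        next.granted[name] = meta.essential || (event.choices || {})[name] === true;
      }
      next.decided = true;
      break;
    default:              // 'scroll', 'dismiss', 'continue', ...: not an affirmative act
      break;
  }
  return next;
}

// Gate every non-essential tag or script through this check before loading it.
function mayLoad(category, state) {
  const meta = CATEGORIES[category];
  if (!meta) throw new Error(`unknown cookie category: ${category}`);
  return meta.essential || (state.decided && state.granted[category] === true);
}

function bannerNeeded(state) {
  return !state.decided;
}

function serializeConsent(state) {
  return JSON.stringify({ version: state.version, decided: state.decided, granted: state.granted });
}

// Persisted choices are re-validated on read: a cookie written for an older set
// of purposes, or a malformed or tampered one, counts as "no decision yet".
function parseConsent(raw) {
  try {
    const s = JSON.parse(raw);
    if (s && s.version === CONSENT_VERSION && s.decided === true && typeof s.granted === 'object') {
      const state = defaultConsent();
      state.decided = true;
      for (const [name, meta] of Object.entries(CATEGORIES)) {
        state.granted[name] = meta.essential || s.granted[name] === true;
      }
      return state;
    }
  } catch (e) {
    // unreadable cookie: fall through to the default
  }
  return defaultConsent();
}

// Browser wiring; skipped when run under Node.
function saveToBrowser(state) {
  if (typeof document === 'undefined') return false;
  document.cookie = `${CONSENT_COOKIE}=${encodeURIComponent(serializeConsent(state))}` +
    `; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
  return true;
}

function loadFromBrowser() {
  if (typeof document === 'undefined') return defaultConsent();
  const m = document.cookie.match(new RegExp(`(?:^|; )${CONSENT_COOKIE}=([^;]*)`));
  return parseConsent(m ? decodeURIComponent(m[1]) : '');
}
```

Wire each tag to mayLoad(), either as a tag-manager trigger or as an inline check such as `if (mayLoad('analytics', state)) loadAnalytics()`, and call bannerNeeded() on page load to decide whether to show the banner. Note what the model deliberately lacks: there is no path from the default state to a granted category other than an explicit event, and a pre-checked box would have to be expressed as a non-essential category defaulting to true, which defaultConsent() never produces (the Washington Post problem above).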

Minimizing Data Collection

One of the key principles set out at Article 5 of the GDPR is data minimization. Don't collect any personal data you don't need. This is a relatively easy principle to implement, and it will save you work and reduce risk in the long term.

Web Forms

One simple way to collect less personal data from your users is simply not to ask for it. Take a look at this web form from Caribbean Smokehouse:

Caribbean Smokehouse sign-up and register form with date of birth highlighted

Is a person's date of birth really required to sign up for a newsletter? Is even their name necessary? It is possible to justify this in theory, but it seems unlikely. And if you really do need this data, you should explain to the individual why you are requesting it.

Purge your web forms of any unnecessary personal data requests.

Analytics

If you run analytics on your website, make sure you're not collecting unnecessary personal data in this way. Turn off analytics on pages where they are not required, and anonymize IP addresses by default.

Google Analytics provides some guidance on disabling analytics on specific properties:

Google Analytics Developer Guide: Disable tracking instructions

Google also provides the following guidance on anonymizing IP addresses:

Google Analytics Developer Guide: Anonymize IP addresses instructions

Analytics suite Matomo allows users to select different degrees of anonymization:

Matomo Configure Privacy Settings: Anonymize analytics options

Also, note that under the ePrivacy Directive (another EU privacy law), consent is required for most analytics activities.

Providing Transparent Information

Having created or updated your Privacy Policy, you're one step closer to GDPR-compliance. But there's no point having a Privacy Policy if it's not made accessible to anyone who wants to read it.

The GDPR specifically requires that particular information is made available when you collect personal data from a person (Article 13) and when you receive personal data about a person (Article 14). You should treat this as a requirement to present your Privacy Policy at every appropriate opportunity.

On Your Website

Make your Privacy Policy available via a link in a persistent header or footer on your website. Here's an example from Co-op:

Co-op website footer with Privacy Policy link highlighted

You should also present your Privacy Policy whenever you are collecting personal data. Let's look at an example from the European Tour Operator Association (ETOA).

ETOA contact form with clickwrap checkbox

Note that the ETOA also asks users to tick a box confirming that they have read the Privacy Policy and are giving consent to have their personal information used for contact purposes.

On Your Mobile App

If you have a mobile app, make sure your Privacy Policy is easily accessible from within the app.

The Amazon Kindle app provides access to its Privacy Notice via its "Other" menu, which is easily accessible via the "Setting" tab on the app's main screen:

Amazon Kindle app with Privacy Notice link

This link leads to a web page that hosts Amazon's Privacy Policy.

In Emails

It's always a good idea to include a link to your Privacy Policy in any automated emails you send out. This is particularly important if the email relates to direct marketing or requests personal data.

Here's how Ancestry DNA does this:

Ancestry DNA email footer with Privacy Statement highlighted

Recording Data Processing Activities

Article 30 of the GDPR requires certain organizations to keep records of their data processing activities.

Before you worry about this requirement, check whether it applies to you. Under Article 30(5), the record-keeping obligation does not apply to organizations that:

  • Have fewer than 250 employees; and,
  • Only process personal data occasionally; and,
  • Don't carry out processing that is likely to result in a risk to people's rights and freedoms, and don't process special category data or data about criminal convictions.

All three conditions must hold, and the "occasional" one is narrow: routine processing of customer, supplier or employee data is not occasional, so in practice most businesses will need to keep at least a partial record.

If you're a data controller, complying with Article 30 means maintaining an up-to-date record of:

  • Your contact details, and the contact details of your Data Protection Officer and EU Representative (if you have either)
  • The reasons that you're processing personal data
  • The types of people whose personal data you're processing
  • The types of personal data you're processing
  • The types of organization with whom you might share personal data
  • Any transfers of personal data to countries outside the EEA, and the safeguards you rely on for them (e.g. standard contractual clauses)
  • The storage limits you have in place (i.e. the length of time for which you retain different types of personal data)
  • The data security measures you've put in place

Think of this as a way you can demonstrate some of the steps you've taken to prepare for the GDPR. You may be called upon to provide it to a Data Protection Authority.

Summary

Here are some of the practical steps you'll need to take to prepare your business for GDPR compliance:

  • Implement technical measures to ensure you are processing personal data securely
  • Conduct a Legitimate Interests Assessment
  • Update your consent request mechanisms to ensure they comply with the GDPR
  • Update your web forms and analytics settings to ensure you are only collecting the minimum personal data necessary
  • Ensure that your Privacy Policy is easily accessible on your website and presented to your users whenever you collect personal data
  • Begin the process of maintaining data processing records, if you're required to do so