On May 25, 2018, the EU's General Data Protection Regulation (GDPR) came into effect. The GDPR gives people new rights to access and control their own data online, and it is now the primary law regulating how companies protect the personal data of people located in the EU.
At first glance, it might appear that the GDPR applies only to companies in the EU. In fact, almost any company offering goods or services to people in the EU falls within its scope, regardless of where the company is located. Not surprisingly, within hours of the GDPR coming into effect, some high-profile US news websites became temporarily unavailable in Europe.
If you offer products or services to customers in the EU, you will need to comply with the GDPR to continue doing so. That means working through this GDPR Readiness Checklist and the GDPR Preparation Planning checklist and taking the measures needed to comply.
- 1. The Importance of the GDPR and Who it Applies to
- 2. How the GDPR Readiness Checklist Differs From the GDPR Preparation Checklist
- 3. Audit and Identify All Types Of Personal Information You Collect
- 4. Do You Have Legitimate and Lawful Grounds For Processing Personal Data?
- 5. Map Out All The Ways You Store, Process and Share Personal Data
- 6. Address the Rights Users Have Over Their Personal Data
- 6.1. The Right to Access Personal Data
- 6.2. The Right to Data Portability
- 6.3. The Right to be Informed or Notified
- 6.4. The Right to Amend or Correct Personal Information
- 6.5. The Right to Restriction
- 6.6. The Right to Request Deletion of Data (The Right to be Forgotten)
- 7. Put Data Security Measures in Place
- 8. How Do You Deal With Data Breaches?
- 9. Do You Need to Carry Out a Data Protection Impact Assessment (DPIA)?
- 10. Will You Need to Hire A Data Protection Officer (DPO)?
- 11. Do You Have a Data Processing Agreement in Place?
- 12. In Conclusion
The Importance of the GDPR and Who it Applies to
Successful businesses focus on growing their customer base. If you want access to customers in the EU, you will need to comply with the GDPR. It applies to companies offering products or services to people in the EU and to organizations that monitor the behavior of people in the EU.
Where your business itself is located is irrelevant here. What matters is if your customers are located in the EU.
The GDPR comprises a tiered penalty structure. Serious infringements, such as violating the basic principles of data protection, can attract a fine of up to four percent of a company's global annual turnover or 20 million euros, whichever is higher. Lesser infringements can attract a fine of up to two percent of global annual turnover or 10 million euros, whichever is higher.
How the GDPR Readiness Checklist Differs From the GDPR Preparation Checklist
Complying with the GDPR can be a three-stage process involving:
- Readiness: The first stage, where you understand the scope of the regulation and how it applies to your business
- Preparation: The second stage where you make the necessary amendments to your business practices and,
- Ongoing Compliance: The final stage where your day-to-day business operations adhere to the principles specified in the GDPR
This GDPR Readiness Checklist can be a useful resource for understanding the provisions specified in the GDPR. Reading and understanding these provisions could help you chalk out your progress path toward GDPR compliance.
In contrast, the GDPR Preparation Checklist involves taking various steps that will make your business GDPR compliant.
Audit and Identify All Types Of Personal Information You Collect
The GDPR defines 'personal data' as any information relating to an identified or identifiable natural person (the data subject). Your website will typically collect a lot of personal data from visitors.
Some examples of data that your site could be collecting include:
- Date of birth
- Mailing or residential address
- Phone numbers
- E-mail addresses
- IP addresses
- Device identifiers for laptops, computers etc.
- Online identifiers
The list given above remains illustrative in nature. Your website might be collecting additional details not specified in this list. Thus, you will need to consult your site developers and third-party vendors to obtain a complete list of all the data your website collects. This will necessarily involve considering both directly-collected and indirectly-collected data.
Directly-collected data denotes data that visitors to your website provide voluntarily. For instance, your website might feature a contact page or a payment page. When visitors enter their details in these forms, the data so collected becomes directly-collected data.
Indirectly-collected data, by contrast, is data that your website or third-party service providers collect by monitoring website activity. For instance, web analytics providers (such as Google Analytics) and chat and messaging platforms monitor user activity on your website. The data obtained via these vendors is indirectly-collected data.
The BBC website lists clearly all the types of information the site collects from users and visitors. This clarity makes it easier for site users to know which types of personal data the site will be capturing - whether from the BBC website or from other websites such as Twitter.
While compiling the list of personal data your site collects from visitors, you will need to evaluate all aspects of your online presence. For instance, your blog site might be collecting personal data from visitors that could well be different from the data your mobile app or online store collects. Therefore, make a list of all your online sites and apps. Thereafter, begin compiling the data that each of these sites and apps collects from visitors.
The Data Protection Network Privacy Statement has an itemized, easy to read list of the ways it collects personal data:
It also clearly notes the specific types of personal data collected and that none of the products and services target children:
Remember to be specific and all-inclusive, yet also make it easy for your readers to really understand what you're saying. Use simple language and clear formatting like the list format used here to help with readability.
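As an added example (not part of the original checklist), the script below scans a constructed sample of collected records, one directly-collected contact-form submission, one indirectly-collected analytics log line and one newsletter sign-up, and reports which of the personal-data categories listed above each source contains. The regular expressions, field names and sample values are assumptions for illustration; names and other free-text fields cannot be found by pattern matching and still have to be inventoried by hand with your developers and vendors.

```python
"""Added example: scan constructed sample records for personal-data categories."""
import re
from collections import Counter

# Patterns for the categories listed in the checklist. Assumptions: phone
# numbers in international (+CC ...) form, dates of birth in ISO form,
# device identifiers as UUIDs. Adjust to the formats your own systems use.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "phone": re.compile(r"\+\d{1,3}[ -]?\d{2,4}(?:[ -]?\d{2,4}){2,3}\b"),
    "date_of_birth": re.compile(
        r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "device_uuid": re.compile(
        r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I),
}

# Constructed sample input: one directly-collected form submission, one
# indirectly-collected analytics log line, one newsletter sign-up.
SAMPLE_RECORDS = [
    {"source": "contact_form", "name": "A. Example",
     "email": "a.example@example.org", "phone": "+44 20 7946 0958",
     "dob": "1984-07-19"},
    {"source": "analytics_log",
     "line": '203.0.113.42 - - [25/May/2018:09:12:01 +0000] "GET /pricing HTTP/1.1" '
             '200 device=6f1c2a9e-3b5d-4c7e-9a1b-2d3e4f5a6b7c'},
    {"source": "newsletter", "email": "b.example@example.net"},
]


def find_personal_data(text):
    """Return the set of personal-data categories whose pattern matches text."""
    return {name for name, pattern in PATTERNS.items() if pattern.search(text)}


def build_inventory(records):
    """Map each collection source to a Counter of the categories found in it.

    Every record is flattened to a single string so that structured form
    fields and raw log lines are scanned the same way. Free-text fields such
    as names are personal data too but cannot be found by pattern matching;
    they have to be added to the inventory by hand.
    """
    inventory = {}
    for record in records:
        source = record.get("source", "unknown")
        text = " ".join(str(v) for k, v in record.items() if k != "source")
        inventory.setdefault(source, Counter()).update(find_personal_data(text))
    return inventory


if __name__ == "__main__":
    for source, found in build_inventory(SAMPLE_RECORDS).items():
        print(f"{source}: {sorted(found)}")
```

Run against a real export of each site, app and vendor feed in turn, and the per-source output becomes the first draft of the inventory the rest of this checklist builds on.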
Do You Have Legitimate and Lawful Grounds For Processing Personal Data?
The GDPR requires you to have a legal basis for collecting personal data from your site visitors. For this, you will need to determine why and how you collect and use this data. The provisions specified in the GDPR forbid site owners from processing personal data without any legal basis.
In the screenshot below you see a table of the objectives for which the Data Protection Network processes or uses personal data. It also indicates the lawful basis on which the site uses the personal data collected:
According to the GDPR, you can process personal data lawfully based on:
- Consent, which you have obtained freely from the site visitor through a clear and affirmative act
- Contractual obligations
- Legal obligations
- Vital interests
- Legitimate interests
- Public tasks
Note that the GDPR does not require you to obtain consent for all processing of personal data. It does require that, where you rely on consent, you ask for it in the right manner for the right things.
Consider the screenshot given below. To become GDPR compliant, SuperOffice changed its sign-up page for free trials. The image on the left does not provide any opt-in for users who sign up for a free trial. Those users can neither object to the terms set by the website owners nor ask to be removed from the list of users to whom the company sends email updates.
In contrast, the image on the right provides checkboxes to the users for providing their consent:
The screenshot above highlights that the GDPR does not accept implied consent. You must give site visitors the option to opt in to (and out of) the collection and processing of their data, and do so in a way that requires an affirmative action, such as ticking a checkbox that is not pre-ticked.
Make sure you know what your lawful basis is for collecting each piece of information you collect, and if you use consent, make sure you do it correctly and compliantly.
Map Out All The Ways You Store, Process and Share Personal Data
After making a list of all the types of personal data you collect from site visitors, you will need to identify the methods by which you collect, store, manage and share this data.
Some examples of data processing methods could include the methods by which you:
- Store, aggregate or transmit data
- Handle changes to data
- Delete data
- Use data for communicating with the users of your website and,
- Share this data with third-party vendors
Alongside this, you will also need to evaluate the reasons that necessitate processing this data.
Address the Rights Users Have Over Their Personal Data
The GDPR gives site visitors and users a lot more control over their personal data. To comply, you will need to examine your procedures against the provisions of the GDPR that detail user and customer rights.
Some requests or queries that you might need to deal with include:
- Providing data subjects with copies of their personal data
- Verifying and amending inaccurate personal data
- Deleting the personal data of users (especially data that you no longer use)
- Offering data subjects (or another data controller that the data subjects specify) copies of their data in a machine-readable format
- Implementing procedures for rendering certain sets of personal data unavailable temporarily and,
- Ceasing to collect or process visitors' data in a manner specified by the user
Under the GDPR provisions, you will need to fulfill the requests of data subjects within a month of receiving the request; this can be extended by two further months where requests are complex or numerous, provided you tell the individual within the first month. You can have someone on your current staff trained to deal with Subject Access Requests (SARs) or hire someone new. You can also consider implementing a system that enables data subjects to access their own data online.
Under the provisions specified in the GDPR, people in the EU have certain rights detailed below.
The Right to Access Personal Data
Individuals can request access to their own personal data. Therefore, they can approach any company storing their personal data and obtain a copy of this data. The company should not charge for providing this data, unless a request is manifestly unfounded or excessive, in which case a reasonable fee may be charged. In addition, the company will need to provide this data in an electronic format if the individual specifically asks for it. Individuals can also inquire about how the company uses their personal data.
In the screenshot that follows, The Guardian provides site users and visitors a mailing address and an email address where people can request a copy of their personal data. The Guardian also specifies the timeframes within which the company will provide a copy of the data. It also clearly states the fact that people requesting this data will not need to pay anything to receive it:
The Right to Data Portability
This right enables individuals to transfer their data from one service provider to another. This transfer will need to take place in a machine-readable and commonly used format.
The screenshot below comes from the PwC Privacy Statement. It not only specifies the rights of data subjects with regard to transferring their data to another service provider. It provides an email address to enable interested individuals to exercise this right as well:
The Right to be Informed or Notified
In accordance with the provisions specified in the GDPR, website owners and companies need to inform site users and visitors about the collection and use of their personal data.
Among other things, companies will need to inform users about:
- The business
- The data processing activities performed
- The duration for which data will be retained
- The rights available to the data subjects concerning the processing of their personal data, and
- The rights of the data subjects to withdraw consent, object or lodge a complaint
Similarly, companies need to implement reasonable data protection measures to protect the personal data and privacy against loss or exposure.
Consider the screenshot given below. Durham University's Privacy Notice highlights the rights of site visitors - especially about the manner in which the site processes personal data and its reasons for doing so. More importantly, it provides a link for users to access their personal data easily as well:
The Right to Amend or Correct Personal Information
Consumers have the right to request companies to update their personal data in case the data is incorrect, outdated or incomplete.
In the screenshot that follows, Medium, the popular online publishing platform, enables users to access and modify their personal data easily. For this, it provides a link for users to access their data. At the same time, it specifies that it might need to preserve some copies of users' personal data to comply with applicable law:
The Right to Restriction
Individuals in the EU have the right to request that companies stop processing their data. The company may retain the individual's data, but it must not use it for further processing beyond storing it.
Here's how nibusinessinfo.co.uk clearly states the rights of site users should they have any objections to the processing of their personal data by the site owners. It also provides an email address whereby users will be able to access their personal data upon request.
The Right to Request Deletion of Data (The Right to be Forgotten)
In some cases, an individual might no longer be a consumer of a company's goods and services. Alternatively, the individual might want to withdraw the consent they gave the company to use their personal information. In both situations, consumers have the right to have their data deleted, subject to the exceptions set out in the GDPR.
The Independent's Privacy Notice indicates the manner in which users will be able to access or request the deletion of their personal data:
Similarly, Durham University indicates the scenarios in which users can request the deletion of their personal data:
Users are told whether their request will be granted, which reflects the fact that erasure is not always required and that there are exceptions to when data must be erased on request.
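To make the rights above concrete, here is an added example (not from the original article or any of the sites quoted) of a small in-memory store that maps each right onto an operation: access, a portability export as JSON, rectification, restriction (the record is kept but dropped from the processing view) and erasure that is refused while a legal hold applies. The record layout, the legal-hold field and the one-month deadline helper are constructed assumptions.

```python
"""Added example: mapping data-subject rights onto operations on stored data."""
import copy
import json
from datetime import date, timedelta

# Constructed sample records. 'legal_hold' marks data the business must keep
# (e.g. invoices for tax law); such data is exempt from erasure on request.
SAMPLE_RECORDS = [
    {"subject_id": "u-1001", "purposes": ["newsletter"], "legal_hold": False,
     "data": {"email": "a.example@example.org", "city": "Lyon"}},
    {"subject_id": "u-1002", "purposes": ["order_fulfilment", "invoicing"],
     "legal_hold": True,
     "data": {"email": "b.example@example.net", "city": "Dublin"}},
]


def response_deadline(received_iso):
    """One calendar month after receipt (the GDPR's default response time).

    Day-of-month is clamped to the target month, so a request received on
    31 January is due on 28 February. Takes and returns ISO date strings.
    """
    received = date.fromisoformat(received_iso)
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(received.day, last_day)).isoformat()


class PersonalDataStore:
    """In-memory controller-side store with one method per data-subject right."""

    def __init__(self, records):
        self._records = {
            r["subject_id"]: {
                "data": dict(r["data"]),
                "purposes": list(r["purposes"]),
                "legal_hold": r.get("legal_hold", False),
                "restricted": False,
            }
            for r in records
        }

    def access(self, subject_id):
        """Right of access: a copy of the data plus the purposes it is used for."""
        rec = self._records[subject_id]
        return {"data": copy.deepcopy(rec["data"]),
                "purposes": list(rec["purposes"]),
                "restricted": rec["restricted"]}

    def export_portable(self, subject_id):
        """Right to portability: the data in a common machine-readable format."""
        return json.dumps(self._records[subject_id]["data"], sort_keys=True)

    def rectify(self, subject_id, **changes):
        """Right to rectification: correct or complete the stored fields."""
        self._records[subject_id]["data"].update(changes)

    def restrict(self, subject_id):
        """Right to restriction: keep the record but exclude it from processing."""
        self._records[subject_id]["restricted"] = True

    def erase(self, subject_id):
        """Right to erasure; refused (returns False) while a legal hold applies."""
        if self._records[subject_id]["legal_hold"]:
            return False
        del self._records[subject_id]
        return True

    def processing_view(self):
        """What day-to-day processing may see: restricted records are absent."""
        return {sid: rec["data"] for sid, rec in self._records.items()
                if not rec["restricted"]}
```

The point of separating `processing_view` from the raw store is that restriction and erasure are different states: a restricted record must still be returned on an access request and must survive, while an erased one is gone unless a documented exception (here the legal hold) applies. Whatever the outcome, the subject is told, which is what the notices above show.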
Put Data Security Measures in Place
The GDPR requires companies and organizations to build in the measures necessary for safeguarding user privacy and data from the outset. Denoted by the phrase 'data protection by design and by default,' this involves making your data processing secure in all aspects of your business by:
- Being aware of the privacy implications resulting from each data processing activity you carry out
- Processing only that personal data that remains vital for your business objectives
- Giving your users or visitors options about the manner in which you process their personal data
- Making it easier for your data subjects to contact the people responsible for data protection in your company or organization
Similarly, you might need to adopt technical measures to give your users and visitors a high level of data security. Some of these could include:
- Encrypting or anonymizing personal data wherever needed
- Using the latest TLS protocol versions
- Acquiring various information security related certifications such as ISO 27001
For instance, The SSL Store indicates the security measures it uses for keeping personal data secure in the following clause:
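The 'encrypting or anonymizing' item above hides a distinction worth getting right: a pseudonym produced with a keyed hash is still personal data under the GDPR, because whoever holds the key can link it back, whereas a truncated IP address is intended to be anonymous. The added example below (not code from The SSL Store or the original article) shows keyed pseudonymization with HMAC-SHA256, IP truncation, and why an unkeyed hash of an email address is not anonymization. The prefix lengths and field names are assumptions.

```python
"""Added example: keyed pseudonymisation and IP truncation for stored personal data."""
import hashlib
import hmac
import ipaddress
import secrets


def pseudonymise(value, key):
    """Replace an identifier with an HMAC-SHA256 pseudonym (hex).

    Equal inputs give equal pseudonyms, so records can still be joined, but
    nobody without the key can confirm a guess by recomputing the hash. The
    result is still personal data: whoever holds the key can link it back.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def unkeyed_hash(value):
    """Plain SHA-256 of an identifier, here only to demonstrate its weakness."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def reidentify_unkeyed(digest_hex, candidates):
    """Why an unkeyed hash is not anonymisation: with a list of candidate
    emails or phone numbers, anyone can recompute and match the digest."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == digest_hex:
            return candidate
    return None


def anonymise_ip(addr):
    """Truncate an address to a network prefix so it no longer points at one
    device or subscriber. Assumption: /24 for IPv4 and /48 for IPv6 are the
    prefix lengths your risk assessment settled on."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymise_record(record, key, direct_identifiers=("email", "phone"),
                        ip_fields=("ip",)):
    """Apply the right treatment per field; other fields pass through unchanged."""
    out = {}
    for field, value in record.items():
        if field in direct_identifiers:
            out[field] = pseudonymise(value, key)
        elif field in ip_fields:
            out[field] = anonymise_ip(value)
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    # The key must be generated once and kept out of the analytics dataset
    # (e.g. in a secrets manager); rotating it severs all existing links.
    key = secrets.token_bytes(32)
    event = {"email": "A.Example@example.org", "ip": "203.0.113.42", "page": "/pricing"}
    print(pseudonymise_record(event, key))
```

Keep the HMAC key under the same access controls as the raw identifiers, because the pseudonymised dataset is only as protected as that key; the truncated IPs, by contrast, can be kept in analytics without a key at all.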
How Do You Deal With Data Breaches?
Ideally, you will never encounter a data breach. But you cannot wish such scenarios away either. Under the GDPR, you will need to report a data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, you will also need to inform the affected individuals without undue delay.
When notifying the Data Protection Authority, you will need to send a Data Breach Notification Letter that:
- Describes the nature of the breach - including the categories & approximate number of data subjects and personal data records concerned
- Details the likely consequences of the breach
- Lists the measures taken or proposed for addressing the breach and mitigating its adverse effects
- Provides the name and contact details of the Data Protection Officer (DPO) if applicable
Do You Need to Carry Out a Data Protection Impact Assessment (DPIA)?
Organizations or companies that will be deploying new data processing technologies or methods that could be broad or high-risk will need to undertake a Data Protection Impact Assessment. The DPIA will enable these companies to identify various data protection risks. As such, it will help these organizations take the necessary measures for mitigating these risks proactively.
DPIAs are essential if you plan to process special categories of data on a large scale. Similarly, if you will be using technology to carry out profiling that might significantly affect site users or customers, you will need to conduct a DPIA.
Will You Need to Hire A Data Protection Officer (DPO)?
In certain situations, companies and organizations will need to hire a qualified DPO. The DPO will need to possess the relevant education and expertise necessary for managing and monitoring the data processes of the organization.
According to the GDPR, appointing a DPO is necessary if you are a public authority or body, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you perform large-scale processing of special categories of data such as health records.
Among other things, the DPO will need to:
- Possess the qualifications necessary for overseeing the GDPR compliance of the company
- Inform the internal leadership about legal privacy protection matters and responsibilities
- Have expert knowledge of the data protection laws
- Have access to the appropriate resources for performing various day-to-day tasks
- Train your workers in all applicable privacy security procedures
- Act as the contact point for the supervisory authority and support the organization in notifying personal data breaches within 72 hours and, where the breach is likely to result in a high risk to individuals, in informing the affected individuals as well
Do You Have a Data Processing Agreement in Place?
Data-related relationships usually involve three roles:
- The data subject, who provides personal data by using a website or an app
- The data controller, who defines the objectives of processing personal data as well as the means used for processing this data and,
- The data processor, who processes personal data for a data controller
The GDPR mandates a written contract between data controllers and data processors. This Data Processing Agreement will need to contain the mandatory clauses set out in Article 28 of the GDPR. In addition, you will need a Data Processing Agreement with each data processor that your company uses.
- The contact details of your company
- The categories of personal data that your company processes
- The objective for processing personal data and the legal basis for doing so
- The categories of third parties with whom you share personal data
- The duration or span of time for which you store different categories of personal data
- The rights that data subjects have over their personal data and the manner in which they can exercise their rights
If applicable, you will need to specify details of any international data transfers you carry out too. Over the years, international data transfers have become quite common. But, the GDPR places strict conditions that regulate such transfers.
In Conclusion
The GDPR modernizes data protection across the EU. It gives individuals in the EU greater rights over the personal information they share or submit online. Its requirements apply in every member state of the EU, but they do not apply only to companies operating in the EU.
Rather, if you provide goods or services to customers in the EU, you will need to comply with the GDPR - even if you're based outside the EU.
The first step towards becoming GDPR-compliant lies in understanding the provisions mentioned in the GDPR and the manner in which these provisions apply to your company or organization. This involves going through the GDPR Readiness Checklist.
The GDPR Readiness Checklist focuses on:
Auditing all internal processes to:
- Identify the types and categories of personal data you collect from all your websites and apps
- Ascertain the legal grounds for processing this data and documenting this
- Identify the means used for processing data for each process
- Modify existing processes for data minimization
- Get rid of personal data that does not meet the processing objectives or purposes
- Conduct risk and privacy impact assessments for identifying gaps and mitigating the risks
- Identify processes through which you have obtained consent from your users
- Identify processes for which you need to obtain consent from your site visitors and users
- Ascertain the data controllers and processors working with personal data for which you need consent
- Review and amend consent management processes on websites
- Develop processes for obtaining parental consent (in case you collect data on minors)
- Build repositories for consent management for facilitating the burden of proof
Complying with the data subject rights provided by the GDPR by creating the necessary processes that enable data subjects to:
- Access their personal data
- Amend their data
- Erase their data
- Restrict the processing of their data
- Transfer their data to another data controller
- Receive notifications from the data controller pertaining to the rectification or erasure of their personal data
- Object to the processing of the data
- Not be subject to decisions based solely on automated processing, including profiling
- Be aware of the Data Protection Officer (DPO) contact details
Implementing various data protection measures such as:
- Reviewing existing personal data storage and retention processes (including existing backup processes)
- Modifying data retention policies and backup processes
- Carrying out risk assessments to identify vulnerabilities and gaps
- Implementing technical and organizational measures for safeguarding personal data
- Appointing a DPO
- Creating and updating Data Processor Agreements
- Identifying any international data transfers
Dealing with breaches of data security by:
- Implementing a breach management process that results in the notification of the authorities within 72 hours
- Identifying the Data Protection Authority (DPA) contact details
- Taking adequate measures to mitigate the consequences of the data breach