GDPR has changed the way marketers can communicate with their customers. Implementing GDPR can be complex and challenging. We’ve highlighted just a few of the requirements, see our handy checklist to get started.
What is GDPR?
The General Data Protection Regulation or GDPR is a digital privacy regulation that aims to safeguard the data of European residents from misuse, disclosure and sale by data processors and controllers. The regulations apply to EU countries and EU member states, as well as countries that do business with customers in the EU.
Violating these privacy and security standards could see you face harsh fines reaching into the tens of millions of Euros.
Some of the key privacy and data protection requirements of the GDPR include:
- Obtaining consent for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
What do some of the legal GDPR terms mean
The GDPR comprises 11 chapters and 91 articles, which is quite a hefty amount of regulation to process. However, it’s important that every person who is affected by the regulation read and understand it to ensure your organization remains compliant. Here are some of the important terms you should familarize yourself with and understand:
Personal data is any information that relates to an individual who can be directly or indirectly identified. This includes names, email addresses, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions.
This involves any action performed on data, whether automated or manual. Examples include collecting, recording, organizing, structuring, storing, using and erasing.
The person whose data is processed. These are your customers or site visitors.
This is the person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations.
7 key principles you must followIf you process data, you must do so according to the following key principles:
- Lawfulness, fairness and transparency: Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization: You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy: You must keep personal data accurate and up to date.
- Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (for example, by using encryption).
- Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Proving you are GDPR complaint
Controllers have to be able to demonstrate they are GDPR compliant. If you think you are compliant with the GDPR but can’t show how then you’re not GDPR compliant. You can do this by:
- Designating data protection responsibilities to your team.
- Maintaining detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it.
- Training your staff and implementing technical and organizational security measures.
- Having Data Processing Agreement contracts in place with third parties you contract to process data for you.
- Appointing a Data Protection Officer (however, not all organizations need one).
The right data security
Your data must be handled securely through “appropriate technical and organizational measures”. This means that you may require your employees to use a two-factor authentication on accounts where personal data are stored or work with cloud providers that use end-to-end encryption.
What to do if you have a data breach
If you have a data breach, you have 72 hours to inform your customers or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)
What you must know about consent
There are important rules you must follow when it comes to consent. These are:
- Consent must be “freely given, specific, informed and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from their parent.
- You need to keep documentary evidence of consent.
Getting started: A GDPR checklist
Please note that the checklist below is a basic guide and in no way constitutes legal advice. You should consult with a lawyer who specializes in GDPR compliance to ensure the law it applied to your specific circumstances.
Lawful basis and transparency
If your organization has at least 250 employees or conducts higher-risk data processing, you must keep an up-to-date and detailed list of your processing activities and be prepared to show that list to regulators upon request.
If your organization has fewer than 250 employees, you should also conduct an assessment because it will make complying with the GDPR's other requirements easier. Your list should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible).
What you need to do:
- Conduct an information audit to determine what information you process and who has access to it.
- Have a legal justification for your data processing activities.
This is something you and your employees must always be aware of and consider whenever you handle other people’s data. To ensure compliance here, you must follow the principles of "data protection by design and by default," including implementing "appropriate technical and organizational measures" to protect data.
Any personal data you process must adhere to the data protection principles outlined in Article 5. Technical measures include encryption, and organizational measures are things like limiting the amount of personal data you collect or deleting data you no longer need.
What you need to do:
- Take data protection into account at all times, from the moment you begin developing a product to each time you process data.
- Encrypt, pseudonymize, or anonymize personal data wherever possible.
- Create an internal security policy for your team members, and build awareness about data protection.
- Know when to conduct a data protection impact assessment, and have a process in place to carry it out.
- Have a process in place to notify the authorities and your data subjects in the event of a data breach.
Accountability and governance
You need to make sure that someone in your organization is accountable for GDPR compliance. This person should be empowered to evaluate data protection policies and the implementation of those policies.
What you need to do:
- Designate someone responsible for ensuring GDPR compliance across your organization.
- Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.
- If your organization is outside the EU, appoint a representative within one of the EU member states.
- Appoint a Data Protection Officer (if necessary).
The public has the right to see what personal data you have about them, how you're using it, how long you plan to store their information and your reason for keeping it. Should anyone request to see their information, you must send them the first copy free, however, you may charge for any subsequent requests for copies.
Make sure you can verify the identity of the person requesting the data. You should be able to provide the information within a month of receiving the request.
What you need to do:
- Ensure that it's easy for your customers to request and receive all the information you have about them.
- Your customers can easily correct or update inaccurate or incomplete information.
- Your customers can request to have their personal data deleted.
- Your customers can ask you to stop processing their data.
- Your customers can receive a copy of their personal data in a format that can be easily transferred to another company.
- Your customers can object to you processing their data.
- If you make decisions about people based on automated processes, you have a procedure to protect their rights.
We’ve covered just some aspects of the regulation, however, it’s important that you read and familiarize yourself with all the compliance requirements and put the correct measures in place that are required for your organization.
We help ambitious B2B companies accelerate their growth and boost their revenue potential. Get in touch with us today!