The General Data Protection Regulation (GDPR), a product of the European Union's data protection reform, is the privacy regulation that took effect on May 25, 2018. It protects the personal data of people in the European Union.
What is Personal Data?
Personal data is any information that relates to an identified or identifiable living person. This includes financial information and addresses, and even assessments of a person's behaviour patterns. Personal data can take the form of images, video, audio, numbers, or text.
Who Does the GDPR Apply to?
The GDPR applies to any organization that offers goods or services to people in the European Union, including entities that are not located in the EU. Any online business should therefore treat GDPR compliance as a protective measure, since some of the people who transact with it may be in the EU.
Personal Data is used by Data Controllers and Data Processors.
A Data Controller is an individual, public authority, agency, or other body that decides why and how personal data is processed. A Data Processor processes personal data on behalf of the controller. For example, suppose a software company hires a marketer for an upcoming email campaign and gives them the names and email addresses of leads to send the campaign to. Here the software company is the controller and the marketer is the processor.
Both the Data Controller and the Data Processor must be GDPR compliant because they are both handling personal data.
How to become GDPR Compliant?
There are 9 key points to consider that will help businesses assess their current GDPR compliance status and reform their data handling practices to become more compliant.
1. Map the data you collect
If you don’t know how personal data moves through your internal systems, you don’t know how it is controlled. Below is an example of how a software company might map one data source, its sign-up form.
- Data source: software sign-up form
- Data collected: full name, email address, company name
- Reason for data collection: collecting marketing leads
Then consider the questions below:
How is collected data processed?
- Stored in the HubSpot database.
- Accessed by internal email marketers.
When is the data disposed of?
- Users who unsubscribe are automatically removed from the database
Do you have consent to collect this data?
- Yes, users who sign up are informed of our terms and conditions.
Does the collected data include sensitive information?
- No. Full names and email addresses are personal data, but they are not special-category (sensitive) data under the GDPR; no health, biometric, political, religious or similar data is collected here.
2. Appoint a Data Protection Officer
Both controllers and processors may need to appoint a Data Protection Officer (DPO) to oversee the data protection strategy. Appointing a DPO is mandatory in any of the following cases:
- The processing is carried out by a public authority or body
- The organization’s core activities involve regular and systematic monitoring of data subjects on a large scale
- The organization’s core activities involve large-scale processing of special categories of data (such as health, biometric or political data) or of data relating to criminal convictions
Note: the GDPR doesn’t define how large “large scale” is, so appoint a DPO to be on the safe side.
A DPO is responsible for the following duties:
- Advising controllers and processors on best practices for GDPR compliance
- Monitoring how data is handled to ensure GDPR compliance
- Advising about data protection impact assessments
- Acting as the primary point of contact for all inquiries related to data processing
- Acting as the primary point of contact between the company and GDPR regulators
- Having a clear understanding of all the potential risks associated with processing
3. Keep a GDPR Data Register
A GDPR diary, or Data Register (the regulation itself calls this the record of processing activities), is a comprehensive record of what personal data an organization processes, why, and how. Create it after identifying all your data sources. It should map the flow of data through your organization; the more detail you include, the better. In the event of an audit, the register serves as evidence of compliance.
If your organization suffers a data breach while it is still putting a compliance framework in place, the register is evidence of the progress and effort already made towards better data security.
Adopting this implementation early demonstrates an organization’s dedication to protecting their customers’ data.
4. Evaluate Data Collection Requirements
To be GDPR compliant, collect only the data you actually need for a stated purpose. Do not accumulate sensitive data without a compelling reason; unexplained hoarding of personal data draws the attention of the supervisory authority that monitors your compliance.
Data requirements should go through a Privacy Impact Assessment (PIA) and, where required, a Data Protection Impact Assessment (DPIA). A DPIA is mandatory when the processing is likely to result in a high risk to individuals, for example when it involves highly sensitive data.
Examples of processing that typically requires a DPIA include: use of new technology, tracking of location or behaviour, processing data on religious views, ethnic origin, political opinions or health, data relating to children, automated decisions with legal or similarly significant effects, and systematic monitoring of publicly accessible areas.
Use this DPIA template as a guide for your assessment.
5. Report Data Breaches Promptly
Prompt breach notification is a mandatory GDPR requirement: a controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals.
A processor that discovers a breach must first report it to the controller without undue delay; the controller then notifies the supervisory authority and, where the risk to individuals is high, the affected individuals themselves.
The supervisory authority, also known as a Data Protection Authority (DPA), monitors and enforces GDPR compliance and is the primary contact for GDPR inquiries.
Supervisory authorities exist in each EU member state; an organization normally deals with the authority of the state in which it is based. The GDPR empowers supervisory authorities to impose fines for non-compliance on both controllers and processors.
6. Explain Why Data Is Collected
Customers need to be specifically informed of the data you’re collecting. If you’re not being transparent about when and what you’re collecting, this could lead to non-compliance fines.
Data collection acknowledgment should be displayed at every point at which data is collected – before any data is collected.
Here are some ways websites display data collection notifications:
Form Notices
Any forms on your website should clearly state how all collected data will be used. Don’t use complex phrasing or technical jargon. Keep your messaging clear and concise.
Pre-ticked consent boxes are not permitted: consent must be a clear affirmative action, so your customers need to know that they are consenting and tick the box themselves.
Cookie Collection Notices
Cookies need to be regulated, because the GDPR treats cookies and similar online identifiers that can single out a user as personal data. Organizations may still use cookies if they meet the requirements below:
- Specify how the data collected through cookies will be used by your organization.
- Do not block users from accessing your website if they decline non-essential cookies.
- Let users withdraw cookie consent as easily as they gave it.
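The consent rules above (no pre-ticked boxes, access not conditional on consent, withdrawal as easy as granting, and a record the controller can produce on request) can be enforced in code rather than left to the page template. The following is an added example, not App4Legal's code and not part of the original post; the purpose names, cookie names and the `NOTICE_VERSION` string are assumptions, and an in-memory Map stands in for `document.cookie` so the example runs under Node without a browser.

```javascript
// Added example: a minimal consent manager that applies the GDPR consent rules
// described above.
//   - nothing is pre-ticked: every non-essential purpose starts as "not consented"
//   - each decision is recorded with a timestamp and the notice version the user
//     saw, so the controller can later demonstrate that consent was given
//   - withdrawal is as easy as granting and removes that purpose's cookies at once
//   - non-essential cookies are only written after consent; strictly necessary
//     cookies (the session cookie) need no consent
//   - declining never blocks access: the page works with or without consent
// Purpose and cookie names below are assumptions for illustration.

const PURPOSES = {
  necessary: { essential: true,  cookies: ['session_id'] },
  analytics: { essential: false, cookies: ['_ga', '_gid'] },
  marketing: { essential: false, cookies: ['_fbp'] },
};

const NOTICE_VERSION = '2018-05-25';   // identifies the wording the user was shown

class ConsentManager {
  constructor(now = () => new Date()) {
    this.now = now;                 // injectable clock for deterministic records
    this.jar = new Map();           // stand-in for document.cookie
    this.record = {};               // purpose -> { granted, at, notice }
    // Default-deny: only essential purposes start as granted.
    for (const [name, p] of Object.entries(PURPOSES)) {
      this.record[name] = { granted: p.essential, at: null, notice: null };
    }
  }

  // The user explicitly opts in to a purpose (never ticked on their behalf).
  grant(purpose) {
    this._assertKnown(purpose);
    this.record[purpose] = { granted: true, at: this.now().toISOString(), notice: NOTICE_VERSION };
  }

  // Withdrawal takes effect immediately; cookies for that purpose are deleted.
  // Strictly necessary cookies cannot be withdrawn, so this returns false for them.
  withdraw(purpose) {
    this._assertKnown(purpose);
    if (PURPOSES[purpose].essential) return false;
    this.record[purpose] = { granted: false, at: this.now().toISOString(), notice: NOTICE_VERSION };
    for (const c of PURPOSES[purpose].cookies) this.jar.delete(c);
    return true;
  }

  // Gate every cookie write on the consent state of its purpose.
  // Returns true if the cookie was written, false if consent is missing.
  setCookie(name, value) {
    const purpose = this._purposeOf(name);
    if (purpose === null) throw new Error(`cookie ${name} is not mapped to a purpose`);
    if (!this.record[purpose].granted) return false;
    this.jar.set(name, value);
    return true;
  }

  hasConsent(purpose) {
    this._assertKnown(purpose);
    return this.record[purpose].granted;
  }

  // Evidence of consent that can be handed to a supervisory authority.
  exportRecord() {
    return JSON.parse(JSON.stringify(this.record));
  }

  _purposeOf(cookie) {
    for (const [name, p] of Object.entries(PURPOSES)) {
      if (p.cookies.includes(cookie)) return name;
    }
    return null;
  }

  _assertKnown(purpose) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose ${purpose}`);
  }
}

// Walk-through with a fixed clock so the record is deterministic.
function demo() {
  const cm = new ConsentManager(() => new Date('2024-01-15T10:00:00Z'));
  const steps = [];
  steps.push(cm.setCookie('session_id', 'abc'));  // true: strictly necessary
  steps.push(cm.setCookie('_ga', 'GA1.2'));       // false: no consent yet (not pre-ticked)
  cm.grant('analytics');
  steps.push(cm.setCookie('_ga', 'GA1.2'));       // true: written after explicit opt-in
  cm.withdraw('analytics');
  steps.push(cm.jar.has('_ga'));                  // false: removed on withdrawal
  return { steps, record: cm.exportRecord() };
}

console.log(JSON.stringify(demo(), null, 2));
```

The important design choice is that the cookie write itself is gated on the consent record, so a tag or script cannot set an analytics cookie "by accident" before the user has acted; the exported record is what you would show a supervisory authority to demonstrate that consent was freely given, specific and withdrawable.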
7. Verify the Age of All Consenting Users
Where an online service is offered directly to a child and relies on consent, the GDPR treats that consent as valid only from the age of 16 (individual member states may lower this threshold, but not below 13). Below that age, consent must be given or authorized by the child’s parent or guardian.
9. Assess Risks Regularly
The GDPR expects organizations to stay continuously aware of third-party security risks and to be prepared to handle them when they materialize. The key to security is consistently monitoring for vulnerabilities and remediating them promptly. If your organization lacks the resources or expertise, this work can be outsourced.
Check out the GDPR specific risk assessments.
How App4Legal addresses GDPR
At App4Legal, we take GDPR compliance very seriously. We believe in protecting the right of individuals to control their personal data and privacy. The team at App4Legal is committed to ensuring that our products and business operations meet GDPR requirements as data controllers and data processors. These details are reflected in our Terms & Conditions.
App4Legal’s policy acknowledges this responsibility and identifies how personal data is collected and used within its products. App4Legal securely stores data and provides the tools and services needed to help legal teams and legal practitioners meet their responsibilities as data controllers.
App4Legal protects data stored within its products and data transmitted from them, so that data stored by App4Legal users remains protected.