The General Data Protection Regulation (GDPR), a product of the European Union Data Protection Reform, is a set of strict privacy standards that took effect on May 25, 2018, intended to protect the personal data of all people in the European Union.
Personal data is any information that relates to a living person. This includes financial information and addresses, and even evaluations of a person's behavior patterns. Personal data can also take the form of images, video, audio, numbers, and text.
The GDPR applies to any organization that offers goods and/or services to people in the European Union, including entities that are not located in the EU. Additionally, all online businesses should be GDPR compliant as a protective measure, in case the people who transact with them are in the EU.
Personal Data is used by Data Controllers and Data Processors.
A Data Controller is an individual, public authority, agency, or other body that decides what is done with the data collected. A Data Processor processes personal data on behalf of the controller. For example, suppose a software company hires a marketer for an upcoming email campaign and gives the marketer the names and email addresses of the leads who will receive it. Here, the software company is the controller, and the marketer is the processor.
Both the Data Controller and the Data Processor must be GDPR compliant because they are both handling personal data.
There are 9 key points that will help businesses assess their current GDPR compliance status and reform their data handling practices to become more compliant.
If you don’t know how personal data moves through your internal systems, you don’t know how it is controlled. Below is an example of a software company
Reason for data collection
Consider the following questions:
Both controllers and processors must appoint a Data Protection Officer (DPO) to oversee the data protection strategy. Appointing a DPO is essential in any of the following cases:
A DPO is responsible for the following duties:
A GDPR diary, or Data Register, is a comprehensive record of how an organization practices GDPR compliance. It should be created after all of your data sources have been identified. A GDPR diary should map the flow of data through your organization; the more detail you include, the better. In the event of an audit, the GDPR diary serves as proof of compliance.
If your organization faces a data breach in the process of instituting a compliance framework, the GDPR diary can be used as proof of progress and efforts towards improved data security.
Adopting this implementation early demonstrates an organization’s dedication to protecting their customers’ data.
To be GDPR compliant, you should only collect data that you absolutely need. Don't accumulate sensitive data without a compelling reason; unnecessary accumulation of sensitive data is a red flag to the supervisory authority monitoring your compliance.
All data requirements should go through a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA). These assessments are mandatory when the data collected is highly sensitive.
Here are some examples of data and processing activities that would be classified as sensitive and would require the completion of a DPIA: using new technology, location, behavior, religious views, ethnic origins, political opinions, health, data associated with children, automated decisions that have legal consequences, monitoring publicly accessible areas, etc.
Use this DPIA template as a guide for your assessment.
Prompt data breach notification is a mandatory GDPR requirement; specifically, notification must be made within 72 hours of the breach.
First, Processors report the data breach to the Controller, who, in turn, reports to a supervisory authority.
The supervisory authority, also known as the Data Protection Association (DPA), monitors and enforces GDPR compliance. It is also the primary contact for any GDPR inquiries.
Supervisory authorities are usually located in the EU state where an organization is based. The GDPR empowers the supervisory authority to impose non-compliance fines on controllers and processors.
Customers need to be specifically informed of the data you are collecting. If you are not transparent about what you collect and when, this could lead to non-compliance fines.
A data collection notice should be displayed at every point at which data is collected, and before any data is collected.
Here are some ways websites display data collection notifications:
Any forms on your website should clearly state how all collected data will be used. Don’t use complex phrasing or technical jargon. Keep your messaging clear and concise.
Pre-ticked consent boxes are not permitted. Your customers need to know that they are consenting, and must do so willingly themselves.
Cookies need to be regulated, as the GDPR treats cookies that identify users as collecting personal data. Organizations may still use cookie data if they meet the requirements below:
The GDPR only permits the processing of personal data for individuals 16 years of age or older. Otherwise, consent must be given by the parent or guardian of the child.
The GDPR expects organizations to be continuously aware of all third-party security risks and to be prepared for them when they materialize. The key to security is consistently monitoring for vulnerabilities and remediating them immediately. If your organization does not have the resources or expertise, this monitoring can be outsourced.
Check out the GDPR-specific risk assessments.
At App4Legal, we take GDPR compliance very seriously. We believe in protecting the right of individuals to control their personal data and privacy. The team at App4Legal is committed to ensuring that our products and business operations meet GDPR requirements as data controllers and data processors. These details are reflected in our Terms & Conditions.
App4Legal’s policy acknowledges this responsibility and identifies how personal data is collected and used within its products. App4Legal securely stores data and provides the tools and services needed to help legal teams and legal practitioners meet their responsibilities as data controllers.
App4Legal protects data both stored within and transmitted from its products, so that any data stored by App4Legal users remains protected.