How to be GDPR Compliant?

If you’re a business or organization collecting personal data, it’s tricky to know how to start becoming compliant. However, ignorance will not be a viable defense. That’s why we’ve put together a complete 9-step checklist to help you become GDPR compliant.

1. What data will you collect?

That’s the fundamental question. Know what data you need to provide the stated service. But remember, according to the GDPR, you should only collect personal data essential for the stated purpose.

Before collecting this data, you should ask for explicit consent from the data subject. That could be written consent or the ticking off a box. But you must be able to demonstrate consent was given.

Additionally, consent should only be given for a specific purpose. If data is to be used for multiple purposes, informed, explicit consent should be given for each. You should also clearly state the different purposes. Transparency is one of the principles of the GDPR.

2. How long will you store the data?

Decide how long the information will be needed. Under the GDPR, data cannot be kept longer than is necessary. Therefore, clearly define at what point the data will be disposed of, how, and why.

You will also need to provide a mechanism by which a data subject can rescind their consent. That will mean you will need to delete their personal data.

3. How will you store the data?

One of the fundamental aims of the GDPR is to limit data breaches. That means you’ll need to give considerable thought to how data is stored, ensuring you maintain its integrity and confidentiality.

Moreover, according to article 33, you are required to inform the Data Protection Association within 72 hours if a data breach occurs. You will also be required to notify the data subject of the data breach – listing what personal data was exposed.

4. How old is the person consenting?

Under the GDPR, only persons of at least 16 years of age are permitted to consent for personal data collection. Therefore, if you collect personal data on younger users, you will be GDPR non-compliant, and the consent will be invalid.

5. Appoint a Data Protection Officer (DPO)

According to the GDPR, an organization must appoint a DPO for any of the following:

– If data is processed by a public authority
– If collected data undergoes systematic monitoring
– If collected data is processed at a large scale

There is clearly ambiguity here – as the GDPR does not define how large a scale. Therefore, it is often sensible to appoint a DPO to oversee your data protection strategy, irrespective of the scale of your personal data collection.

6. Keep a GDPR diary

Here, it would be best if you documented how your organization practices GDPR compliance. That includes mapping of data flows through your organization, all data sources, and how you mitigate the risk of data breaches.

It also provides cover should your organization suffer a data breach while it implements its compliance framework.

7. Double opt-in for new email list sign-ups

Yes. For anyone signing up for your email list, include a double opt-in process. That means they must confirm their consent twice. The first occurs when the sign-up form is completed. The second consent occurs via the user clicking the confirmation link sent automatically after the sign-up form completion.

While GDPR does not specify mandatory double opt-in sign-ups, it is the current high standard for data protection and consent.

8. Write or update your privacy policy

In a privacy policy, an organization should clearly state what personal data is collected and how it will be used. It must always be up-to-date and available on the organization’s website.

9. Routinely evaluate third-party risks

Being GDPR compliant doesn’t just mean keeping your house in order. It also refers to the data risk presented by third parties. Here, data may be shared between organizations. That requires continuous awareness of the security risks, with remediation efforts in place.

While no system can be 100% risk-free, routinely evaluating potential security risks is critical. You will want to record your findings and actions in the GDPR diary.