Following years of data breaches and tech companies' secretive use of personal data, the EU responded with the GDPR. It governs and regulates the collection and use of personal data for EU citizens. That doesn't just apply to companies based in the EU. It applies to any company whose services EU citizens can access, even if the organization does not market to EU citizens directly.
That means GDPR compliance is critical.
Any business found not to be compliant will be subject to heavy penalties, including fines. Yet, in a survey, one in five respondents believe complete GDPR compliance is "impossible." That raises significant concerns that large numbers of small- and medium-sized businesses are not currently GDPR compliant.
Not only is that a serious risk for fines, but it is also patently false. GDPR compliance is perfectly possible for all businesses; it just requires organizations to become acquainted with the requirements.
Here we'll explore how every organization can be GDPR compliant.
The first area of confusion is who GDPR pertains to. The short answer is anyone who collects or processes the personal data of EU citizens, regardless of the organization's physical location.
So, if you're an online retailer based in the United States who sells to EU citizens, you need to be GDPR compliant. The only way to avoid needing GDPR compliance is to prevent EU citizens from accessing your business at all.
If you're a business or organization collecting personal data, it's tricky to know how to start becoming compliant. However, ignorance will not be a viable defense. That's why we've put together a complete 9-step checklist to help you become GDPR compliant.
1. What data will you collect?
That's the fundamental question. Know what data you need to provide the stated service. But remember, according to the GDPR, you should only collect personal data essential for the stated purpose.
Before collecting this data, you should ask for explicit consent from the data subject. That could be written consent or the ticking of a box. But you must be able to demonstrate that consent was given.
Additionally, consent should only be given for a specific purpose. If data is to be used for multiple purposes, informed, explicit consent should be given for each. You should also clearly state the different purposes. Transparency is one of the principles of the GDPR.
2. How long will you store the data?
Decide how long the information will be needed. Under the GDPR, data cannot be kept longer than is necessary. Therefore, clearly define at what point the data will be disposed of, how, and why.
You will also need to provide a mechanism by which a data subject can rescind their consent. When they do, you will need to delete their personal data.
3. How will you store the data?
One of the fundamental aims of the GDPR is to limit data breaches. That means you'll need to give considerable thought to how data is stored, ensuring you maintain its integrity and confidentiality.
Moreover, according to Article 33, you are required to inform the relevant Data Protection Authority within 72 hours of becoming aware of a data breach. You will also be required to notify the data subject of the data breach, listing what personal data was exposed.
4. How old is the person consenting?
Under the GDPR, only persons of at least 16 years of age are permitted to consent for personal data collection. Therefore, if you collect personal data on younger users, you will be GDPR non-compliant, and the consent will be invalid.
5. Appoint a Data Protection Officer (DPO)
According to the GDPR, an organization must appoint a DPO for any of the following:
- If data is processed by a public authority
- If collected data undergoes systematic monitoring
- If collected data is processed on a large scale
There is clearly ambiguity here, as the GDPR does not define how large "large scale" is. Therefore, it is often sensible to appoint a DPO to oversee your data protection strategy, irrespective of the scale of your personal data collection.
6. Keep a GDPR diary
Document how your organization practices GDPR compliance. That includes mapping the flow of data through your organization, listing all data sources, and recording how you mitigate the risk of data breaches.
It also provides cover should your organization suffer a data breach while it implements its compliance framework.
7. Double opt-in for new email list sign-ups
For anyone signing up for your email list, include a double opt-in process. That means they must confirm their consent twice. The first confirmation occurs when the sign-up form is completed. The second occurs when the user clicks the confirmation link sent automatically after the form is submitted.
While the GDPR does not mandate double opt-in sign-ups, it is the current high standard for data protection and consent, and it gives you a timestamped record that consent was given.
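As an added illustration, not part of the original article, the following Python sketch implements the double opt-in flow described above while also keeping the per-purpose consent evidence that steps 1 and 2 call for (who consented, for what, when, and when they withdrew). The `ConsentLedger` class, the signing secret and the 24-hour link lifetime are assumptions, not anything prescribed by the regulation.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Assumption: a per-deployment signing secret; load it from a secrets store in practice.
SECRET = secrets.token_bytes(32)

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

class ConsentLedger:
    """Per-(subject, purpose) consent evidence: both opt-in timestamps plus any withdrawal."""
    def __init__(self):
        self.records = {}  # (email, purpose) -> evidence dict

    def start_signup(self, email, purpose, now=None):
        """First consent: the form was submitted. Log it and mint the confirmation token."""
        now = now or time.time()
        self.records[(email, purpose)] = {"requested_at": now, "confirmed_at": None, "withdrawn_at": None}
        payload = f"{quote(email)}|{quote(purpose)}|{int(now)}|{secrets.token_urlsafe(8)}"
        return payload + "." + _sign(payload)  # embed this in the confirmation link

    def confirm(self, token, now=None, ttl=24 * 3600):
        """Second consent: the link was clicked. Reject forged, expired or reused tokens."""
        payload, _, sig = token.rpartition(".")
        if not payload or not hmac.compare_digest(sig, _sign(payload)):
            return False
        email, purpose, issued, _nonce = payload.split("|")
        rec = self.records.get((unquote(email), unquote(purpose)))
        now = now or time.time()
        if rec is None or rec["confirmed_at"] is not None or now - int(issued) > ttl:
            return False
        rec["confirmed_at"] = now
        return True

    def has_consent(self, email, purpose):
        rec = self.records.get((email, purpose))
        return bool(rec and rec["confirmed_at"] is not None and rec["withdrawn_at"] is None)

    def withdraw(self, email, purpose, now=None):
        """Subject rescinds consent; the record stays as evidence, and the data must then be erased."""
        if not self.has_consent(email, purpose):
            return False
        self.records[(email, purpose)]["withdrawn_at"] = now or time.time()
        return True
```

Consent is only usable once `confirmed_at` is set and `withdrawn_at` is not, so a form submission alone never places anyone on the list.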
9. Routinely evaluate third-party risks
Being GDPR compliant doesn't just mean keeping your own house in order. It also covers the data risk presented by third parties with whom personal data is shared. That requires continuous awareness of the security risks those parties introduce, with remediation efforts in place.
While no system can be 100% risk-free, routinely evaluating potential security risks is critical. You will want to record your findings and actions in the GDPR diary.
Maintaining GDPR compliance can take substantial work, but it's possible for all organizations. Failure to be GDPR compliant can lead to fines of up to 4% of annual global revenue or €20 million, whichever is higher.
Therefore, GDPR compliance isn't an option; it's a legal and financial imperative. For further information, please refer to the 88-page regulation itself.