Professional domain name? Check. Https protection? Check.
GDPR compliance? …
It’s surprising how many website owners today don’t understand – or in extreme cases, even know about – the General Data Protection Regulation (GDPR). As one of the most comprehensive legal frameworks of its kind on the planet, this stack of rules has major implications for both those who physically operate within the European Union and those who do business with its citizens from afar.
GDPR Compliance Checklist – 8 Steps You Need To Complete
An Introduction to the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a sweeping data privacy law that was enacted by the European Union in May 2018. It replaces an older law known as the EU Data Protection Directive, which had been in effect since 1995. The GDPR was designed to protect the personal data of EU citizens from misuse and exploitation.
Getting to Know GDPR Rules
Just how extensive is the GDPR, you might ask? Well, its official documentation totals 261 pages, while the rules outlined on each of those pages apply to millions of companies around the world.
Here’s a quick overview of the most important concepts decreed by the GDPR:
GDPR requires companies to be transparent about how they collect, store and use personal data. Individuals must also give explicit consent before their data can be processed or stored in any form.
Those who fall under the protections of the GDPR – namely citizens of European Union member countries – are afforded a long list of rights with respect to how their personal data is handled online.
- The right to be informed of how personal data is used
- The right to access any collected data
- The right to have incorrect or incomplete information corrected
- The right to have data erased, when requested and applicable
- The right to request restrictions on the use of personal data
- The right to receive a copy of any collected personal information in an easily portable format (e.g. CSV)
- The right not to be subject to automated decision-making
Organizations must report any data breaches to the relevant authorities within 72 hours of their discovery. Additionally, involved individuals should be notified as soon as reasonably practical in order to limit potential damage.
Why the GDPR Is Worth Following
Like all things in life, breaking the rules of the GDPR doesn’t come without consequences. It comes with many, in fact; the EU’s regulatory body for data privacy has handed down over $4 Billion in fines to hundreds of companies since 2018, according to the GDPR Enforcement Tracker. Within that large sum lies an ironic wealth of businesses that thought they could fly under the radar uncaught. Among the most notable include Meta, which was penalized $1.4 Billion dollars in May of 2023.
If they can’t get away with rule flouting, neither can you.
Eight Critical Steps to Becoming GDPR Compliant
Complying with as beastly a set of regulations as the GDPR is best done through multiple steps. We’ve compiled eight that will get you most of the way there:
1. Map Data and Conduct a RoPA
If data mapping sounds complicated, that’s because it is. The process can be quite extensive, requiring the review of virtually every touchpoint through which a business might collect personal information about visitors. This includes everything from email newsletter sign-ups and subscriptions to checkout portals. The channels identified should be written out with any links to third parties disclosed. It’s also considered best practice to categorize the types of information collected through these means, such as Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII), as the latter is subject to additional GDPR rules.
Data mapping can be done either in-house or with the help of a professional service provider. There are also several online tools that can automate the process.
Record of Processing Activities (RoPA)
Article 30 of the GDPR states that a controller must “maintain a record of processing activities under its responsibility,” but what does that mean? A Record of Processing Activities, or RoPA for short, is an official document that outlines all the personal data processing activities undertaken within an organization. It is essentially a comprehensive list of each instance of personal data collection, storage, and/or usage related to a business’s services or products.
A RoPA should include information such as:
- The name and contact details of the controller, processor, and where applicable representative
- The purpose of the processing activities undertaken
- Details regarding categories of data subjects involved in each activity (e.g.customers’ or ’employees’)
- Details of data collected and how it is used, stored, destroyed, etc.
- Where applicable, the risks associated with each activity
- How long personal data will be kept for (data retention period’)
- Any third-party data processors involved and the specific services they provide
- The measures taken to ensure data security and privacy compliance
Creating a RoPA is mandatory for most organizations under the GDPR’s purview.
2. Verifying Legal Bases for Data Processing
If there’s one thing the GDPR makes clear, it’s that companies better have a good reason for handling or making money off of EU citizens’ personal data. The law lays out several acceptable circumstances in Article 6, namely the following.
Personal data processing can be justified if a company has agreed to fulfill a contract with an individual. For instance, when making online purchases or subscribing to newsletters, customers often need to provide certain details that the seller will utilize in order to carry out the contract.
#3 Legitimate Interest/Vital Interest
A company may also legally process an individual’s data if they can prove that it is necessary for their legitimate interests, as long as these interests don’t outweigh the individual’s own interests, rights, and freedoms. This legal ground may also be relied upon in situations where a person’s health, safety, or life is at risk.
#4 Legal Obligation
Companies may have a legal obligation to process an individual’s data, such as in the context of tax law or anti-money laundering regulations.
#5 Public Interest
In some cases, a company may process personal data if it is necessary for reasons of public interest; this could include research purposes that are necessary for the development of society, health, or education.
Assessing Whether Your Data Processing Activities Are Lawful
There’s no verification process involved with claiming any of the aforementioned grounds for data processing. The GDPR places a small degree of trust upon companies to correctly assess whether their data processing activities are lawful and ensure that they’re able to prove it if asked by a supervisory authority.
It’s best practice to maintain detailed records of the grounds for processing personal data, including any legitimate interest assessments that were carried out. Or in other words, a comprehensive RoPA.
3. Establish Mechanisms for Notice and Consent
Notice and consent are two of the most common holes companies trip over with respect to GDPR compliance. When you read the rules, they seem simple enough. How hard can it be to orchestrate a little pop-up window on users’ screens, after all?
As it turns out, very.
The tricky thing about notice and consent is that it must be given and received whenever applicable. Every visit a company’s website receives represents not a chance, but an obligation to fulfill data processor responsibilities. A single slip-up, such as initiating processing before permission is provided or failing to ask for it altogether, is a breach of the GDPR. Multiplied by the number of users left improperly checked by consent management platforms, that can add up to tens of thousands of dollars in fines.
Again, this ties back to the importance of having a reliable tool by your side. There are plenty of CMP vendors out there to consider, but not all come with a guarantee of compliance. It’s critical to thoroughly vet potential candidates to ensure their systems are both extensive and flexible enough to meet your site’s consent and notice needs. (for example a cookie notice)
4. Implement Adequate Measures for Data Security
The GDPR has guidelines with respect to both the practices and standards organizations follow when processing individuals’ personal information. It’s not enough to simply remember to request user consent or have a valid reason to ask for it in the first place. European regulators want a guarantee that all companies doing business within its borders are responsible with the data they collect.
That means embracing measures such as:
Data Loss Prevention (DLP)
Data loss prevention (DLP) software is a must for any organization that processes personal data. It allows companies to monitor and control how the information moves within its network, including emails, file transfers, cloud storage activities, and more.
Encryption and Pseudonymization
Encryption is the process of transforming plain text data into a form that can’t be read unless it’s decrypted. This prevents unauthorized parties from accessing information, even if they get hold of it somehow. Pseudonymization involves masking and replacing certain pieces of data with randomly generated characters.
Identity and Access Management (IDAM)
IDAM is an approach used to manage user identities and permissions within a system. It includes practices such as authenticating users, authorizing access based on their role/responsibilities, monitoring all activities related to each identity, and providing secure access control from one system to another.
Third-Party Risk Management
Every third party a business works with represents a risk in the eyes of data security regulators. All it takes is one bad actor to compromise the data of hundreds or even thousands of people. To keep risks to a minimum, organizations need procedures in place to assess and manage any third-party vendors they work with. This includes carefully scrutinizing each vendor’s security measures and customer service policies, as well as limiting their access to internal systems. Data Processing Agreements, or DPAs, are sometimes necessary under the GDPR as well.
Incident Response Planning (IRP)
While no one ever wants to face such a reality, data breaches do occur. Organizations need to have an IRP ready in case such an event takes place. This plan of action should outline how the company will respond and contain any potential risk associated with it on a step-by-step basis.
5. Make International Considerations
It’s important to recognize that despite being big, the GDPR is only one drop in the bucket of a much bigger data privacy regulatory landscape. Different countries have different policies, while some have yet to implement any at all.
EU-US Data Transfers
It can be easy to get caught up in the idea of complying with one region’s rules and fail to address how they might translate abroad. The EU applies to processors located outside of its regional borders, so that already opens the door to potential mismatching. There’s always been a lot of attention on EU to US data transfers in particular, as many American businesses deal with customers in Europe. The problem is that Europe’s standards have traditionally been higher than those of the United States. The two superpowers have reconciled with multiple special agreements over the years, the first two being the US-EU Safe Harbor Framework and the EU-US Privacy Shield. They were consecutively struck down after successful challenges to their validity in European courts.
US President Joe Biden recently signed a third agreement that establishes new, stricter rules on how data may be legally transferred between America and Europe. The EU-US Data Privacy Framework officially went into effect on July 10th, 2023, and barring further legal challenges will set the ground rules for trans-Atlantic businesses over the coming decades.
Site operators in the US need to be fully aware of these new guidelines and ready to comply at all times. Although the list of differences between European and American data privacy laws is long, some of the most glaring include higher standards for data security, different consent mechanisms, and varying requirements between data processing partners.
Those interested in participating in the new program must also apply to do so through the official EU-US DPA certification website.
Data Transfer Between Other Countries with Data Protection Laws
Beyond the United States exist several other countries and regions with unique stances on data protection. It’s equally important to approach these on a case-by-case basis so as to not violate any specific rules.
Doing that manually is near impossible, or at the very least, a gross waste of time when there are tools that can automate everything for you. Consent management platforms (Consent Management Platform or Consent Manager) are built with comprehensive awareness of data privacy laws around the globe and can help you cater your website’s compliance practices for each region in which it operates.
Other Means of International Data Transfer
Alternatively to the above, companies have a few other methods of recourse when it comes to ensuring their international data transfers remain lawful, including:
#1 Binding Corporate Rules (BCRs)
BCRs are an internal set of binding policies and procedures that apply to data transfers across international borders. BCRs are developed according to the GDPR and must be approved by a supervisory authority in the EU before they can be put into action.
#2 Standard Contractual Clauses (SCCs)
SCCs are pre-approved contractual agreements that allow companies to transfer data from the EU to a third-party country outside of the EU. These clauses have been designed by the European Commission and are recognized as an adequate cross-border transfer mechanism under GDPR law.
#3 Appropriate Derogations
Appropriate derogations are situations in which companies can transfer data outside the EU without using either BCRs or SCCs. These usually occur in instances such as a company providing emergency services, certain types of research projects, and other special circumstances.
6. Create a Process for Handling DSARs
The GDPR is one of many data privacy regulations around the world to provide protected individuals with a right to get involved should they have any questions or concerns about a handler’s practices. This ties back to what we went over earlier; the right to access; the right to correct; the right to be forgotten; the right to restrict; the right to transfer; and the right to object.
Collectively, inquiries of this kind are known as Data Subject Access Requests (DSARs). Organizations have the responsibility to address them in a timely manner, usually within 30 days of receipt. The deadline can be extended in some cases, but most experts would agree that relying on such extensions is an unnecessary risk.
So comes the importance of establishing an efficient process.
Identifying the Team Members Who Should Handle DSARs
This can vary depending on the size and nature of your organization. If you’re a larger company, it would be ideal to appoint an individual or team to create and manage the process.
You should also ensure that they have the necessary knowledge and skills to do so. At a minimum, you’ll want them to be familiar with data privacy regulations in your jurisdiction, as well as any other applicable laws.
Creating a DSAR Process Flow
The team you’ve identified should then create a process flow that outlines the steps for handling DSARs. These steps can include:
- Receiving and documenting the request, including validating the requester’s identity
- Determining the scope of the request
- Collecting and reviewing relevant data
- Responding to the requestor
- Documenting all activities related to handling DSARs (e.g., contact logs, analysis results, etc.)
7. Appoint the Right People
They say a team is nothing without its people, and that statement couldn’t be any truer with respect to GDPR compliance. In most cases, organizations are required to appoint a special point of contact for GDPR, or even a Data Protection Officer (DPO).
This person can be either employed in-house or externally, but it’s important that they possess the relevant expertise when dealing with GDPR-related matters. This person’s diligence will be the difference between a successful GDPR compliance process and one of failure.
The appointed contact should have a good understanding of the organization’s data handling processes, from collection to destruction, in order for them to implement appropriate measures. They also need to be in a position to report directly to the company’s highest level of management.
According to Article 37(7), a DPO’s personal name and contact details can be made publicly available if an organization so chooses, but doing so isn’t necessary. Their information must be shared, though, with any relevant supervisory authorities.
8. Review, Review, Review
Even after all of the above is said and done, you’re nowhere near free of needing to worry about GDPR compliance. It’s an ongoing process that necessitates consistent review and investment.
Both site owners and Data Protection Officers should remember to keep an eye on the status of their Consent Management Platform and adhere to a compliance plan. Catching things early is key to avoiding big and potentially costly mistakes down the road. To that end, many find it helpful to establish a regular routine of ensuring the following bases are covered.
- Routine review of the CMP to ensure it is up-to-date with GDPR standards
- A regular audit of the organization’s data-processing activities
- A regular review of all policies and procedures related to GDPR compliance
- An evaluation process for any new technologies being used to store or process personal data
- Periodic training for employees involving GDPR topics and any changes that might have taken place since their last instruction
GDPR compliance is far from easy. But it’s still one of those things that all businesses need to know about in order to stay above board in today’s dynamic, digital world. Reading this article was a great first step in your journey. If you’re ready to take the next, register with CookieFirst. Our powerful Consent Management Platform helps website owners remain GDPR compliant in a matter of clicks – no technical knowledge required. Get started today!