GDPR Simplified for Small & Medium Businesses
A comprehensive 50 point checklist for Product Managers
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation meant to protect its citizens’ personal and sensitive data. GDPR is a regulation by which the European supervisory authorities aim to strengthen and unify data protection for all EU individuals.
GDPR applies to all European Economic Area (EEA) countries, which include the 28 EU countries, Iceland, Liechtenstein and Norway, and Switzerland. In all, 32 countries.
If an individual is from any of these countries, GDPR protects them and your business is obligated to comply. The individuals whose personal and/or sensitive information is collected, stored or processed are called data subjects.
The penalty for non-compliance can go up to €20 million or 4% of the organisation’s global annual turnover, whichever is higher. And, not to forget, it will cost you your reputation and the loss of customer trust.
Is my organisation obligated to GDPR compliance?
The nature of your business is irrelevant to this question, just ask yourself 2 questions:
- Do you collect and store an individual’s personal data that is not publicly available?
- If yes, do you have customers in Europe?
If the answer to both these questions is Yes, then your organisation must be GDPR compliant by May 25, 2018.
Depending upon the nature of your business, your organisation will classify either as Data controller or as Data processor or both.
Personal data vs. Sensitive data:
Personal data: Any information that can directly or indirectly help identify a living individual, such as name, email, phone number, postal address, IP address, location, etc.
Sensitive data: Any information that can directly or indirectly affect the rights and freedom of the data subject, such as genetic or medical records, racial or ethnic origin, religious beliefs, sexual orientation, criminal record, etc.
1. Identify your European business, and the data subjects (the individuals who use your product day in, day out).
2. Identify the data subjects’ personal information being stored and/or processed.
3. Grant data subjects all the rights listed below.
KEY IMPLEMENTATION AREAS and TASKS
GDPR’s basic expectation from organisations:
GDPR expects organisations to keep their data in control to ensure that it is accessed and processed only by authorized users and when required. This is data protection by design and default.
4. Always take consent for the purpose of data collection
5. Only process data for authorized purposes
6. Ensure data accuracy and integrity
7. Minimize data subjects’ identity exposure
8. Implement and document data security measures
Data Subject Rights:
I. Information to the Data subject
Your company will be collecting data subjects’ personal information for lead collection, marketing opt-ins, a trial of the product or service, sign-up for the service, etc. Make sure you communicate effectively with the data subject.
9. State the purpose of collection to the subject on every physical or electronic information collection form.
10. Where the information is used for multiple purposes, add 2 checkboxes, one for the primary purpose and the other for the secondary purpose. Ensure this consent is stored in your database.
11. Take consent for storing cookies. Store the consent and time-stamp.
II. Access and Rectification
Data subjects have the right to access all the personal information your organisation stores about them, and can request to modify that information.
13. Make this information available on the profile page, with an edit option.
14. For confidential/sensitive information, share the categories of information you store.
15. Give an email address your customers can write to for more information.
III. Erasure
This is also known as the Right to be Forgotten, and as the name suggests, if a subject exercises this right you are obligated to remove all their personal data.
16. Delete all the identified personal data from all your data lake and warehouse sources.
17. If deleting the data would break your data models, anonymise the data instead. Remember that anonymising the data must make the person completely unidentifiable by your organisation’s systems.
IV. Restriction of processing
A subject can restrict the processing of her/his data if the data is incorrect (until the controller is able to verify the information’s accuracy), the processing is unlawful, the controller no longer needs the data but is maintaining it for legal purposes, or the subject has objected to the data processing.
18. Inform the subject when restriction is removed.
V. Objection
A subject can object to the processing of personal data for direct marketing purposes, including profiling.
19. Keep the access and rectification easily available
20. Maintain a marketing opt-out list
21. Use double opt-in for German customers
VI. Data portability
Data subjects can switch from one controller to another at their own accord, and the controller has to support the transmission of personal data in a machine-readable format, wherever possible.
22. Support migration to and from your product/service to other products/services of similar offering. This can be done via software, API or manually depending on the technical and organisational measures.
23. Note that for all the rights, pass on the subject’s request to all your Data processors. Each processor is obligated to honour the subjects’ rights.
Data controller vs. Data processor:
The Data controller is the body that determines the purposes and means of the processing of personal data. The business catering to customers is the Data controller if it determines the purposes for storing and processing a subject’s personal data.
The Data processor is a company or a person that maintains and processes personal data records as a part of offering their services to the Data controller. The Data processors for your business would be the third parties (tools or vendors) such as a cloud service, website analytics, lead collection tool, etc. And, if you are storing your customers’ customer data, you are a Data processor too.
If you are the Data controller:
24. List all the Data processors (third-parties) and the personal and sensitive data being shared with the processors. I would recommend using GDPR compliant processors.
25. Sign a Data Processing Agreement to ensure the data is processed as per your organisation’s requirement
26. On all these tools, enable the data collection consent
27. Create a data flow map of all the sources from which data enters your servers
28. Create a checklist for Vendor Selection
29. Document the categories of personal information being stored and processed, along with the retention period and disposal plan (This is the Data Retention Policy for your organisation)
30. Write a script to inform the processors each time a subject exercises a right
31. Store processors’ confirmation of request with time stamp
33. Wherever possible, pseudonymise the personal data
34. In case of breach, inform the supervisory authorities and the affected data subjects within 72 hours of becoming aware of the breach (This is the Breach Management protocol)
35. Prepare a data hosting and transfer policy
36. If you transfer and store data outside the EU, comply with Model Clauses, Binding Corporate Rules or the Privacy Shield.
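Items 17 and 33 ask for anonymisation and pseudonymisation but do not show the difference. The following is an added example, not code from the original checklist: it pseudonymises a constructed customer record with a keyed hash (HMAC-SHA256) whose key is held apart from the data store, and anonymises the same record by stripping direct identifiers and generalising the remaining quasi-identifiers. The record, the field names and the key are all assumptions made up for the demonstration.

```python
"""Pseudonymisation vs. anonymisation of a customer record (added example)."""
import hashlib
import hmac

# Constructed sample record; not real data.
CUSTOMER = {
    "customer_id": "C-1042",
    "name": "Anna Example",
    "email": "anna@example.org",
    "postcode": "10115",
    "birth_year": 1984,
    "orders": 7,
    "lifetime_value_eur": 412.50,
}

# Fields that identify the person on their own.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def subject_token(customer_id, key):
    """Keyed token for a customer id. The key must live outside the
    data lake/warehouse (for example under the DPO's control); without it
    the token cannot be linked back to a person."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(record, key):
    """Replace direct identifiers with a keyed token (item 33).

    The organisation can still re-identify the row by recomputing the
    token, so under GDPR this is still personal data and every data
    subject right continues to apply to it.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = subject_token(record["customer_id"], key)
    return out


def anonymise(record):
    """Make the row unlinkable to the person while keeping it useful for
    data models (item 17).

    No token is kept, the postcode is cut down to its area and the birth
    year is bucketed into a decade. Whether the result is truly anonymous
    depends on the rest of the dataset: if only one customer falls into a
    given area/decade bucket, that bucket still singles them out.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["postcode_area"] = out.pop("postcode")[:2]
    out["birth_decade"] = (out.pop("birth_year") // 10) * 10
    return out


def find_pseudonymised(records, customer_id, key):
    """Controller-side lookup, e.g. to serve an access or erasure request:
    recompute the token and match it against pseudonymised rows."""
    token = subject_token(customer_id, key)
    return [r for r in records if r.get("subject_token") == token]


if __name__ == "__main__":
    key = b"constructed-secret-key-kept-outside-the-warehouse"
    p = pseudonymise(CUSTOMER, key)
    a = anonymise(CUSTOMER)
    print("pseudonymised:", p)
    print("anonymised:   ", a)
    print("rows for C-1042 with the key:   ", len(find_pseudonymised([p], "C-1042", key)))
    print("rows for C-1042 with wrong key: ", len(find_pseudonymised([p], "C-1042", b"other")))
```

The practical consequence for the checklist: a pseudonymised warehouse still has to answer access, rectification and erasure requests (the lookup above is how you find the rows), whereas a properly anonymised one does not, which is why item 17 insists that anonymisation must leave the person unidentifiable by your own systems, not just by an outsider.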
If you are the Data processor:
37. Process personal data only for authorised purposes
38. Help your customers with their subjects’ rights wherever requested
39. Do not engage another processor without authorisation/notification to the controller
40. Maintain records of processing activities
41. If you don’t have an EU representative, hire one (under Article 27) to communicate in case of a breach
42. In case of breach, inform the data controller within 48 hours of becoming aware of the breach (This is the Breach Management protocol)
43. Maintain a breach log, with details such as breach date, impact, number of subjects affected, type of data breached, remedial action, breach notification
Remember: Your publicly available documents should describe the measures you have actually implemented, not the ones you estimate will be completed.
Data Protection Officer (DPO):
The appointment of a DPO is necessary for organisations that process personal data regularly and/or on a large scale.
44. DPO role and responsibility document
45. Update DPO contact on the website and other relevant documents
46. Each employee signs the confidentiality agreement
47. Create and share the Security document on your website
48. Create the Data protection policy
49. Train all the teams on data privacy and protection
50. Define information security risk assessment methodology and perform periodic risk assessments.
A word of advice: If you are not GDPR compliant by May 25, 2018, pause your business operations in Europe until you become compliant. Especially:
- Don’t send any marketing emails to Europeans
- Don’t process any Europeans’ personal data
- Don’t record calls or videos
- Don’t place cookies on any website visitor without consent. Only essential cookies may be placed without the individual’s consent
- Pause all lead collection forms for Europeans
Disclaimer: I’m not a lawyer. This article is based on my knowledge, understanding and execution of GDPR.