The General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018 and fundamentally changed the way businesses treat their customers’ data. Specifically, GDPR represents a data protection law which was passed by the European Union in 2016, and now affects corporations all over the world.
The aim of the law is to give European citizens more control over their personal data. In the eyes of EU regulators, too many corporations are managing customer information unethically, and a data protection law was badly needed. Importantly, GDPR applies to your business whether you’re located in EU or not, making it vital that you operate in a GDPR compliant manner.
Failure to comply could have devastating consequences. The maximum fine is either 20 million Euros or 4% of your company’s global revenue — whichever happens to be more. These fines are not just paper tigers; they have already forced Google to pay $57 million for GDPR violations, and Facebook faces a penalty of around $1.6 billion as well.
With that in mind, don’t believe that GDPR only affects large corporations. Fines are being handed out to SMEs, Non-Profit organizations and even hospitals. Everyone needs to understand, and comply with, the regulations set out by GDPR. Crucially, any data that can be used to identify an individual is within the remit of the law. This includes all information that is:
That is why we created the ultimate GDPR checklist for you! Let’s take a look.
1. Conduct a data management audit
The very first thing to do is to conduct a thorough audit of how information is currently handled and stored in your organization. Upon closer inspection you will already find areas in which security could be improved and the privacy of the customer enhanced.
To operate completely without reproach, it makes sense to maintain a detailed list of your processing activities and be prepared to provide this to regulators. Additionally, it’s wise to use a data protection impact assessment to fully understand how information is handled throughout your organization.
2. Get legal advice
Lawyers are often expensive but in the case of GDPR compliance they are well worth the money. You will need to provide a legal justification for the information that your business collects and stores. A layman is simply not equipped to do this, so make sure you receive solid legal advice.
GDPR emphasises the importance of transparency and requires businesses to explain what data is collected. Additionally, you should clearly state how data is processed and what security measures are being taken to keep it safe.
Of course, this information should be available as soon as possible, and it is not permissible to collect personal information without informing the individual first. Crucially, the explanation needs to be presented in an intelligible and concise manner. This is designed to prevent over-complicated “lawyer-speak”, and you should ensure you include the following information:
- Why you are processing personal data
- What kind of data you process
- Who has access to it in your organization
- Any third parties (and where they are located) that have access
- What you’re doing to protect the data (e.g. encryption)
- And when you plan to delete it (if possible)
4. Consider data protection at every step of the way
Article 25 of the GDPR, in combination with Recital 78, provides a “data protection by design and by default” model which outlines how to best ensure the safety of customer data. Indeed, integrating data protection into every organizational process is often the hardest step towards GDPR compliance.
Educating your employees is absolutely crucial, because otherwise GDPR will remain a feeble afterthought. On top of that, you need to ensure that you’re handling customer data correctly, and in accordance with Article 5. The point is that you and your employees should always be mindful of data protection.
5. Encrypt and obfuscate your customers’ information
It’s absolutely crucial to encrypt or pseudonymize personal data whenever possible. There has been a litany of cases in which corporations failed to adequately encrypt their customers’ data.
In March 2019, Facebook admitted to storing millions of user passwords in plain text files. It was later revealed that the passwords were visible to thousands of Facebook employees, who could have gained access to people’s private accounts. This is exactly the kind of case that GDPR is designed to prevent.
To protect yourself and your business from this kind of fiasco, ensure that passwords and user information are always stored with a reasonable level of encryption. Also, be sure to evaluate the third party tools, like Salesforce or Pipedrive, that manage personal data.
On top of the encryption, the EU recommends making the data pseudonymous, meaning that people are more difficult to identify based on the information available in the database.
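The following is an added example, not code from the original post, of how the two protections above look in practice. Passwords are not encrypted at all but salted and hashed with scrypt, a slow, memory-hard hash from the Python standard library, so even someone with a copy of the table cannot read them; the e-mail address is replaced by a keyed HMAC-SHA256 pseudonym whose key lives outside the database. The scrypt cost parameters and the key handling are assumptions for the example.

```python
"""
Added example (not from the original post): storing a credential and a
customer identifier so that neither is recoverable from the database alone.
"""
import hashlib
import hmac
import os
import secrets

# scrypt cost parameters (assumed for the example; tune to your hardware).
# Memory use is 128 * N * r bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<hash-hex>' for storage.

    A fresh random salt per user means two users with the same password
    still get different records, and the hash cannot be precomputed."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for a direct identifier such as an e-mail address.

    Deterministic, so the same customer always maps to the same token and
    records can still be joined; not reversible without the key, which is
    kept out of the database (HSM/KMS in production)."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def build_record(email: str, password: str, key: bytes) -> dict:
    """The row that actually goes into the customer table."""
    return {
        "customer_id": pseudonymize(email, key),
        "password": hash_password(password),
    }


if __name__ == "__main__":
    # Constructed key for the demo; load it from a secrets manager in practice.
    KEY = os.urandom(32)
    record = build_record("Alice@Example.com", "correct horse battery staple", KEY)
    print(record)
    print(verify_password("correct horse battery staple", record["password"]))
```

The pseudonym is still personal data under the GDPR (the key lets you re-identify the person), which is why it counts as pseudonymization rather than anonymization; the benefit is that a leaked table on its own does not expose who the customers are.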
6. Create a security policy for your employees
Social engineering hacks are becoming more common by the day. Email addresses can be spoofed, phone numbers can be stolen and internal communication channels can be hacked.
As a result, it is crucial to create a security policy designed to guide your employees through the tricky waters of email security, passwords, two-factor authentication, device encryption, security phrases and VPNs. Employees who have access to personal data and non-technical employees should receive extra training in the requirements of the GDPR.
7. Know when to perform a data protection impact assessment
A data protection impact assessment is an excellent way of evaluating how your platform could jeopardize the safety of your users’ data. When done correctly, it also allows you to minimize risk and keep the data safe.
GDPR dictates that this assessment should be completed whenever a person’s data is handled in such a way that it is “likely to result in a high risk to [their] rights and freedoms.”
Of course, this is a very broad definition, so be sure to familiarize yourself with the data protection impact assessment as soon as possible.
8. Learn the procedure in case of a data breach
Data breaches are increasingly common and thousands of them occur every year. Under GDPR, it is your legal requirement to notify your supervisory authority within 72 hours of a breach occurring.
Unfortunately, there is no clear procedure for organizations located outside of the EU. The preferred course of action is to notify the Office of the Data Protection Commissioner in Ireland.
9. Designate accountability for GDPR to an employee
In an ideal world, you would be able to hire a specialist who is accountable for your organization’s GDPR compliance. Depending on the size and scale of your business, however, this might not be possible.
In such situations it is crucial to designate accountability to an employee or even take it upon yourself. Whatever the situation, someone in the business needs to monitor and enforce GDPR compliance internally.
This person should be given the tools to evaluate data protection policies and their subsequent implementation.
10. Sign data processing agreements
The larger your business, the more third party providers you will work with. Tools like Salesforce, Mailchimp, Pipedrive and Hubspot are good examples because they are popular and often manage vast quantities of personal data.
Under GDPR, it is vital to sign a standard data processing agreement with all third parties that are handling customer data. The agreement articulates the rights and obligations of both sides and helps to ensure that data is managed securely. Most service providers will have a data processing agreement of their own, but you can also use this template should you need one.
11. Appoint an EU representative
One of the more burdensome requirements laid out by GDPR is that organizations outside of the EU should appoint an EU representative to talk to local authorities. The idea behind it is to keep all organizations accountable for the handling of customer data.
The reality however, is a bit more complicated. The law does not provide clear guidance for situations where your customer base is located in multiple EU states. As a US business, do you need a representative for every EU country represented by your customer base? Surely this would be inconceivable, but GDPR is too vague for this to be safely interpreted definitively.
12. Appoint a Data Protection Officer
As we work our way down the GDPR checklist you will have noticed that transparency and accountability are key components of the law. That is why it is highly advisable to appoint a Data Protection Officer who is knowledgeable on data protection and is tasked with enforcing it.
This should go hand-in-hand with point number 9, meaning your Data Protection Officer can also be the employee accountable for GDPR compliance.
13. Easily find and provide customer data
In 2014 the European Court of Justice passed the Right To Be Forgotten. Four years later, a businessman won a landmark lawsuit against Google, forcing them to remove search results which painted him in a bad light.
This was in many ways the starting point for user privacy on the internet. GDPR takes this a step further by requiring all organizations to be transparent with regards to user data. More specifically, a user should be able to easily request and receive all the information your organization has about them.
Under new EU legislation, customers have the right to see what personal data you have about them, and you need to provide the first copy of this information for free. Subsequent requests can be met with a reasonable fee however.
Finally, it’s important that the data be provided in an easily digestible way, i.e. a layman should be able to understand it and even share it with other organizations.
14. Let users easily view and update their information
It should be easy for customers to view the personal data you have about them, and update it if required. You can achieve this by creating an interactive user dashboard and by implementing a data quality process, which regularly checks information accuracy.
The law suggests that users should not have to wait longer than a month upon request.
15. Users can easily request the deletion of their information
In most circumstances your users have the right to request the deletion of all the personal data you have about them. Should you receive such a request, it is crucial that the data can easily be found and deleted, ideally within a month upon request.
Importantly, there are some exceptions, such as the need to comply with a legal obligation or with freedom of speech. In such cases, it’s always wise to seek legal advice before making a decision.
16. Users can easily restrict or stop the processing of data
Not only should users be able to have their data deleted, but they should also be able to limit or completely stop the processing of personal data. In Article 18, Right to Restriction of Processing, the EU outlines the situations in which this right applies.
As always there are exceptions, but these are so vague that it’s crucial to use an information infrastructure with the capacity to limit or stop the processing of personal data. GDPR asks organizations to honour any request within the month.
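Points 13 to 16 all come down to the same engineering requirement: every place personal data lives must support export, correction, deletion and a restriction flag, each answered within a month. The block below is an added example, not code from the original post, showing a minimal in-memory customer store that implements those four rights, honours a legal-hold exception to erasure, and computes the one-month deadline for each request. The `Customer` fields, the store and the names are constructed for illustration.

```python
"""
Added example (not from the original post): a customer store that implements
the data-subject rights from checklist points 13-16.
"""
import calendar
import json
from dataclasses import asdict, dataclass
from datetime import date
from typing import Dict, List


class ProcessingRestricted(Exception):
    """Raised when code tries to process data a customer has restricted."""


@dataclass
class Customer:
    customer_id: str
    name: str
    email: str
    marketing_opt_in: bool
    restricted: bool = False   # Article 18: processing limited to storage only
    legal_hold: bool = False   # retention required by a legal obligation


def add_one_month(received_iso: str) -> str:
    """Statutory one-month deadline, clamped to the last day of short months."""
    d = date.fromisoformat(received_iso)
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day)).isoformat()


class CustomerStore:
    # Fields that are the customer's personal data; internal flags are not exported.
    PERSONAL_FIELDS = ("customer_id", "name", "email", "marketing_opt_in")

    def __init__(self) -> None:
        self._rows: Dict[str, Customer] = {}
        self.request_log: List[dict] = []

    def add(self, customer: Customer) -> None:
        self._rows[customer.customer_id] = customer

    def __contains__(self, customer_id: str) -> bool:
        return customer_id in self._rows

    def log_request(self, kind: str, customer_id: str, received_iso: str) -> dict:
        """Record a subject request together with the date it must be answered by."""
        entry = {"kind": kind, "customer_id": customer_id,
                 "received": received_iso, "due": add_one_month(received_iso)}
        self.request_log.append(entry)
        return entry

    def export(self, customer_id: str) -> str:
        """Point 13: right of access, in a machine-readable form (JSON)."""
        row = asdict(self._rows[customer_id])
        return json.dumps({k: row[k] for k in self.PERSONAL_FIELDS}, indent=2)

    def rectify(self, customer_id: str, **changes) -> None:
        """Point 14: right to rectification, limited to known personal fields."""
        row = self._rows[customer_id]
        for field, value in changes.items():
            if field not in self.PERSONAL_FIELDS or field == "customer_id":
                raise ValueError(f"cannot rectify field {field!r}")
            setattr(row, field, value)

    def erase(self, customer_id: str) -> bool:
        """Point 15: right to erasure. Returns False when a legal hold blocks
        deletion so the request is escalated for legal advice, not dropped."""
        if self._rows[customer_id].legal_hold:
            return False
        del self._rows[customer_id]
        return True

    def restrict(self, customer_id: str) -> None:
        """Point 16: restriction of processing. Data is kept but not used."""
        self._rows[customer_id].restricted = True

    def send_marketing(self, customer_id: str) -> str:
        """Every processing path checks the restriction flag before using the data."""
        row = self._rows[customer_id]
        if row.restricted:
            raise ProcessingRestricted(customer_id)
        if not row.marketing_opt_in:
            return ""
        return f"newsletter queued for {row.email}"


if __name__ == "__main__":
    store = CustomerStore()
    store.add(Customer("c1", "Alice", "alice@example.com", True))  # constructed
    print(store.log_request("access", "c1", "2019-01-31"))
    print(store.export("c1"))
    store.restrict("c1")
    try:
        store.send_marketing("c1")
    except ProcessingRestricted as exc:
        print("processing blocked for", exc)
```

The design choice worth copying is that restriction is enforced inside the processing function rather than by asking callers to remember the flag; a new batch job that forgets to check cannot accidentally process restricted records.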
Conclusion — GDPR Checklist
The 16-point checklist provides a detailed overview of your responsibilities and duties with regards to customer data. The key considerations should always be transparency and privacy. Of course, some points take longer than others, but here are some immediate steps for your organization:
- Make your registration and sign-up processes double opt-in
- Update your privacy and data protection policy
- Undertake a comprehensive information audit
- Update your employees’ permissions to ensure that customer data can only be viewed by relevant staff members
That’s all for today, you can download this blog post here.