GDPR Compliance Checklist; Questions, Concerns, and Requirements Addressed
What is GDPR?
European Union lawmakers have taken a large step towards protecting personal data with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. It replaces and strengthens the EU's 1995 Data Protection Directive (DPD). Unfortunately, for businesses and site owners it is a dense body of legal terminology spread across dozens of dry documents.
It's hard to know where to start changing your personal data gathering processes to comply with the new rules, so we've compiled a hands-on GDPR compliance checklist that's easy to follow. That's the regulation in a nutshell; the questions below address the points that most often need clarification.
GDPR Compliance Checklist
The most significant data management changes that GDPR brings to organizations handling EU subject information are new individual rights, internal privacy procedures, strengthened supervisory authorities, and accountability measures. Every company is different and should consult a lawyer to assess which aspects are most relevant to its current data gathering activities.
It's important to understand that many of the practical details are still settling. A consistent body of compliance practice will only emerge as supervisory authorities publish guidance and issue enforcement decisions, and as cases reach the courts.
Ahead of that, there are several points you can act on now. Here are the items to review within your organization's digital presence.
- Consent is key.
- When a subject is about to submit their data on your site, your organization must be able to show that the subject gave consent. Unlike under the previous rules, consent cannot be inferred from the act of submitting an online form or from silence: it must be a freely given, specific, informed and unambiguous statement or clear affirmative action. Provide a plain-language statement of what the data will be used for together with a genuine opt-in; an opt-out is not consent.
- Do not assume a pre-checked box acts as consent. Subjects must take the action themselves, and they must be told that they can withdraw consent at any time, as easily as they gave it.
- People have the right to be forgotten (erasure).
- Upon subject request, you must be ready to delete their personal data wherever you hold it, unless you have a lawful ground to keep it (for example a legal retention obligation), and to pass the request on to any processors or recipients you shared the data with. Not only does this need to be a practical option for internal data teams, but you must also give subjects appropriate contact details with which to make the request: a submission form, email address, or phone number on your site.
- The right to data portability.
- Upon subject request, you must provide a copy of the data they gave you in a structured, commonly used and machine-readable format (for example CSV or JSON) so that it can be transferred to another entity. The same contact details are required for portability as for the right to be forgotten.
- Access requests.
- Any data subject can ask what personal data you hold about them and receive a copy. You must respond free of charge and without undue delay, at the latest within one month of the request (extendable by a further two months for complex or numerous requests, provided you tell the subject why within the first month). Only where a request is manifestly unfounded or excessive, such as repeated requests for the same data, may you charge a reasonable fee or refuse it, and you bear the burden of showing that.
- Privacy by design and by default.
- When new technologies or processes are developed, the organization must take privacy into account throughout the entire engineering process, and the default settings must process only the personal data needed for each purpose. This is an obligation across the whole product life cycle, not a one-off review, and is a proactive measure to maintain data security.
- The seven foundational principles of privacy by design (originally set out by Ann Cavoukian and summarized by Deloitte) are:
- Proactive not reactive; preventative not remedial.
- Privacy as the default setting.
- Privacy embedded into design.
- Full functionality: positive-sum, not zero-sum.
- End-to-end security: full life cycle protection.
- Visibility and transparency.
- Respect for user privacy: keep it user-centric.
- Data Protection Impact Assessment (DPIA).
- New technologies, or new uses of existing ones, that are likely to result in a high risk to individuals require a DPIA before processing starts. It describes the processing and its purpose, assesses its necessity and proportionality, identifies the risks to data subjects' rights and freedoms, and records the measures that mitigate them (a data breach is one such risk, but not the only one). If the residual risk remains high, you must consult the supervisory authority before proceeding.
- When is a DPIA required? Whenever processing is likely to result in a high risk to individuals, and in particular for systematic and extensive automated profiling that produces legal or similarly significant effects, large-scale processing of special categories of data (health, biometrics, political opinions and the like) or criminal conviction data, and systematic large-scale monitoring of a publicly accessible area. Each supervisory authority also publishes a list of processing operations that require one.
- Data Protection Officers (DPO)
- You must designate a DPO if your organization is a public authority or body, if your core activities consist of regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of large-scale processing of special categories of data or criminal conviction data. The DPO informs and advises the organization, monitors its compliance with the GDPR, and is the contact point for the supervisory authority and for data subjects. The role can be filled from within the organization or contracted externally, but the DPO must be able to act independently and cannot be dismissed or penalized for performing the task.
- Does my company need a DPO? Check the three criteria above. A small site that processes ordinary customer data as a side effect of its business usually does not, but you may still appoint one voluntarily, in which case the same rules apply.
- How do I register a DPO? Publish the DPO's contact details (a role mailbox is fine) and communicate them to your supervisory authority; there is no separate licensing or registration of the person.
- The GDPR is about transparency towards data subjects. While most of us never read the endless pages of privacy policies, your privacy notice must be updated to state explicitly who the controller is, what data you collect, for which purposes and on what legal basis, how long you keep it, who you share it with, and how subjects can exercise their rights of access, erasure, portability and objection.
- As with the data submission opt-in, a cookie banner announcing that data collection is in progress is not enough. Non-essential cookies and trackers (analytics, advertising) may only be set after the visitor has opted in, and you cannot start collecting that data until they have done so; strictly necessary cookies such as a session or shopping cart cookie do not need consent.
- Data Breaches
- Any personal data breach must be reported to your supervisory authority (in Ireland, the Data Protection Commission (DPC)) within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If you cannot report within 72 hours you must explain the delay, and you may deliver the details in phases. Every breach, reported or not, must be documented internally. A processor that discovers a breach must notify its controller without undue delay; the controller then notifies the authority.
- If a breach is likely to result in a high risk to the individuals involved, the organization must also inform them directly without undue delay, in clear language. This is not required where the data was rendered unintelligible to anyone unauthorized, for example by strong encryption with keys that were not compromised, or where the organization has since taken measures that remove the high risk.
- How do I report a data breach to the DPC? Use the authority's breach notification procedure and include at least: the nature of the breach, the categories and approximate number of subjects and records affected, the contact details of the DPO or another contact point, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
- One-stop shop
- If your organization carries out cross-border processing, the one-stop shop mechanism lets you deal primarily with a single lead supervisory authority, the one in the Member State of your main establishment, rather than with every authority separately. Organizations with no establishment in the EU do not benefit from this, must deal with each Member State's authority, and must usually appoint a representative in the EU.
- Upon a supervisory authority's request, all organizations that act as controllers or processors of personal data must be able to demonstrate that they comply with the GDPR (the accountability principle), which in practice means keeping records of processing activities, consents, DPIAs and breaches.
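The consent, erasure, portability and accountability items above, as an added Python example that is not code from the original page or from Bluehouse Group: the field names, the single "marketing" purpose and the consent text version are assumptions for illustration, and the in-memory dictionary stands in for a real database. The point it makes that the list alone does not is that a server cannot tell a pre-ticked box from one the user ticked, so the form must be rendered unticked and a missing field must be read as "no", and that a withdrawn consent is kept as a dated record rather than deleted, so the history can be produced on request.

```python
"""Consent capture, access/portability export and erasure for a small site.

Added example, not from the original page. Field names, the "marketing"
purpose and CONSENT_TEXT_VERSION are assumptions; the dict is a stand-in DB.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Identifier of the wording the subject saw when consenting. Storing it lets
# you show later exactly what was agreed to (Art. 7(1): the controller must be
# able to demonstrate consent). The value is a made-up example.
CONSENT_TEXT_VERSION = "privacy-notice-2018-05"

# Values a browser may send for a ticked checkbox. Anything else, including
# no field at all (which is what an unticked box produces), means no consent.
_AFFIRMATIVE = {"on", "yes", "true", "1"}


@dataclass
class Consent:
    purpose: str
    granted_at: str            # ISO 8601, UTC
    text_version: str
    withdrawn_at: Optional[str] = None


@dataclass
class Subject:
    email: str
    name: str
    consents: list[Consent] = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def render_consent_checkbox(field_name: str, label: str) -> str:
    """HTML for the opt-in box. Deliberately never emits `checked`."""
    return (f'<label><input type="checkbox" name="{field_name}" value="on"> '
            f"{label}</label>")


def consent_given(form: dict[str, str], field_name: str) -> bool:
    """True only for an affirmative opt-in the user made.

    The server cannot distinguish a pre-ticked box from a user-ticked one, so
    the template must render the box unticked; this check then treats an
    absent field as "no" instead of defaulting to "yes".
    """
    value = form.get(field_name)
    return value is not None and value.strip().lower() in _AFFIRMATIVE


class SubjectStore:
    """In-memory stand-in for the site's user database (example only)."""

    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}

    def register(self, form: dict[str, str]) -> Subject:
        """Create the account; record marketing consent only if explicitly given.

        Consent is not a condition of signing up (Art. 7(4), "freely given"):
        the account is created either way, nothing is recorded unless ticked.
        """
        subject = Subject(email=form["email"].strip().lower(),
                          name=form["name"].strip())
        if consent_given(form, "marketing_consent"):
            subject.consents.append(
                Consent("marketing", _now(), CONSENT_TEXT_VERSION))
        self._subjects[subject.email] = subject
        return subject

    def has_consent(self, email: str, purpose: str) -> bool:
        return any(c.purpose == purpose and c.withdrawn_at is None
                   for c in self._subjects[email].consents)

    def withdraw(self, email: str, purpose: str) -> None:
        """Withdrawal must be as easy as consenting (Art. 7(3)). The record is
        kept and dated, not deleted, so the consent history can be shown."""
        for c in self._subjects[email].consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = _now()

    def export(self, email: str) -> str:
        """Copy for access/portability requests in a structured,
        machine-readable format (Art. 15 and 20)."""
        return json.dumps(asdict(self._subjects[email]), indent=2)

    def erase(self, email: str) -> bool:
        """Right to erasure (Art. 17). Returns False if nothing was held.
        A real site must also purge analytics, backups' restore paths and
        tell any processor it shared the data with (Art. 17(2), Art. 19)."""
        return self._subjects.pop(email, None) is not None

    def knows(self, email: str) -> bool:
        return email in self._subjects
```

Run the store against a few constructed form submissions: one with the box ticked, one with no consent field at all (the browser sends nothing for an unticked checkbox), then a withdrawal, an export and an erasure. The export includes the withdrawn consent with its timestamp, which is the record you produce when a supervisory authority asks you to demonstrate consent.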
When is the GDPR effective date?
The GDPR has applied since May 25th, 2018. That date has come and gone, yet many organizations are still unsure whether they need to comply, or what compliance even means. Do not wait to make changes to your data gathering procedures.
Who is subject to GDPR changes?
The short answer: potentially anyone with a website. The GDPR applies to organizations established in the EU, wherever the processing happens, and to organizations outside the EU that offer goods or services to people in the EU (paid or not) or monitor their behaviour, for example through analytics or advertising tracking. Any domain can receive European visitors, so at any moment you can receive a request to provide or erase personal data. Being based outside the EU does not mean you won't be held accountable.
If you control or process information about EU data subjects, your organization will be held to GDPR rules. The most straightforward course of action is an all-encompassing approach that treats every user as if they were in the EU.
Who is a data subject?
A data subject is an identified or identifiable living person whose personal data is being processed.
Who is a data controller?
The organization (or person) that determines why and how personal data is processed, for example a shop that decides to collect customer email addresses for order updates.
Who is a data processor?
An organization that processes personal data on behalf of, and on the documented instructions of, a data controller, for example an email delivery service or hosting provider. Processors have their own obligations under the GDPR, and the relationship must be governed by a written contract.
What is the risk of GDPR non-compliance?
The maximum administrative fine is €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Fines are tiered: infringements of obligations such as the controller's and processor's record-keeping, security and breach notification duties fall in a lower tier of up to €10 million or 2% of global turnover, while breaches of the basic principles, the conditions for consent, data subjects' rights or the international transfer rules fall in the upper tier. Within each tier the authority sets the amount using criteria such as the nature, gravity and duration of the infringement, intent or negligence, mitigation, and previous infringements. Supervisory authorities can also order processing to stop, and data subjects can claim compensation.
How does GDPR relate to the older “EU Cookie Law”?
They are different instruments, and both still apply. The "cookie law" (the 2009 amendment to the ePrivacy Directive) requires websites to inform visitors about cookies and to obtain consent for any cookie that is not strictly necessary for the service; in practice it was implemented mostly as banners that nobody reads. GDPR is far wider in scope, covering all processing of personal data, and its stricter definition of consent now sets the standard for what valid cookie consent looks like: an affirmative opt-in before non-essential cookies are set.
Where can I find the GDPR documentation?
The regulation is Regulation (EU) 2016/679. The official text in all EU languages is published on EUR-Lex at https://eur-lex.europa.eu/eli/reg/2016/679/oj, and national supervisory authorities publish guidance on how they apply it.
What is the definition of personal data according to GDPR?
This constitutes any information that relates to an identified or identifiable living person. If it can be used, alone or combined with other data you or someone else holds, to directly or indirectly identify one of your users, it is personal data. This includes obvious identifiers such as names and email addresses, but also online identifiers: IP addresses in your Google Analytics, cookie and device IDs, location data, and prospect names in your CRM.
What is a Data Protection Officer (DPO)?
A DPO is the person responsible for informing and advising the organization on its GDPR obligations, monitoring its compliance, and serving as the contact point for the supervisory authority and data subjects. Organizations whose core activities consist of large-scale, regular and systematic monitoring of individuals (Facebook, Google, etc.) or large-scale processing of special categories of data, and all public authorities, must designate one.
Will GDPR make double opt-in mandatory?
No. The GDPR does not require double opt-in (a confirmation email that the subscriber must click) for mailing lists. A single opt-in on a submission form or a direct request is sufficient as long as the data subject took a clear affirmative action. Double opt-in is still worth using: it proves that the address belongs to the person who consented, and the confirmation record is evidence you can produce when asked to demonstrate consent.
Where can I find the nearest supervisory authority?
A listing of supervisory authorities by Member State can be found at the bottom of this Data Protection Commission page and on the European Data Protection Board's website.
How can I get help?
We support organizations with their digital presence and can help make websites compliant with certain GDPR regulations. Contact us and let us know what you’re struggling with.
*This information is not legal advice. Bluehouse Group can help implement changes to your digital presence; we do not make legal recommendations.
If you believe you are not GDPR compliant, we strongly recommend contacting an attorney who specializes in the field. Do not rely solely on this information to make your GDPR compliance updates.