A simple guide on how to be GDPR compliant
What is GDPR?
The General Data Protection Regulation (GDPR) is a data privacy legislation introduced and approved by the European Commision and European Parliament, which went into effect in May 2018.
The GDPR provides rules and guidance to both European and non-European companies that collect, share, and manage data of their European users. It gives EU residents the right to know what data is collected about them as well as how it’s stored, protected, and transferred. The GDPR also includes the right to be forgotten and the right to access. That means customers can request to see the collected data and ask for it to be deleted.
Do I need to be GDPR-compliant?
All companies that collect data of users in the European Union, no matter where they are based, must comply with the GDPR. Non-compliance could result in hefty GDPR fines, which are up to 20 million euro or 4% of annual worldwide turnover, whichever is bigger.
Protecting your users’ personal information by following the GDPR will affect the whole company as most of your procedures may have to be revised and adapted. However, there are no clear rules that would apply to every single organization. How to protect data will depend on the type of data your company processes.
Some GDPR consultants say that there’s no such thing as being 100% GDPR-compliant and meeting GDPR requirements is more about reviewing your data handling and processing activities from an ethical standpoint, rather than ticking boxes on a checklist. A good starting point is going through 7 principles of the GDPR.
7 principles of GDPR
Lawfulness, fairness, and transparency. Data should be processed in a lawful, fair and transparent way;
Purpose limitation and data minimization. Data should only be collected for specific and legitimate business purposes.
Accuracy. All efforts, where necessary, should be made to keep the data up to date. If data is inaccurate or outdated — it should be deleted.
Storage limitation. The data should only be stored for the amount of time needed to provide products or services. It can be kept for longer only for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.
Integrity and confidentiality. The company should do all they can to ensure the security of personal data. They should protect it from unlawful access such as data breaches, as well as accidental loss, destruction or damage.
Accountability. Most companies are required to keep records of data processing and are required to present them to supervisory authorities then needed.
How to be GDPR-compliant
Please note that the following information should only be taken as rough guidance. It is intended for general information purposes only and does not constitute legal advice. The GDPR legislation consists of 11 chapters, 99 articles, and nearly two hundred recitals, so to fully comply with the GDPR, we suggest getting legal advice from your legal counsel or the supervisory authority.
Review all your data handling procedures
Sit down and draw a map of how your company collects data from start to finish of your customer journey. It should help to identify points that need closer inspection. For example:
You may need to review your mailing and emailing lists. If you do not have legitimate grounds for processing your customers' data for marketing or other purposes, you cannot use such personal data. See if it is useful to create segmented lists for your European customers;
You need to check if you have legitimate grounds (e.g., consent, legitimate interest) for processing personal data for all different data collection channels, including events, newsletter subscriptions, or even paid lists;
Review your future EU marketing campaigns that might aim to collect user data — you may need to adapt the processes.
At this stage, it’s also advisable to appoint one person (or the whole team) in your marketing department to consult with lawyers who specialize in the GDPR. This person or team should work closely with a data protection officer (DPO) if the DPO is appointed in the company. They will be able to review and approve your marketing campaigns.
Make your website GDPR-friendly
If you have a website, you’re no doubt collecting data in one way or the other. To make your website comply with the GDPR, you should consider:
Including a cookie consent. All web forms should have a cookie consent informing visitors on the type of data you collect and giving them an option to opt-in if they agree to such tracking.
Creating age-verification. If your visitors are younger than 16 (the age limit might be different in some EU countries), the GDPR requires their parental consent to collect data. Make sure to include such verification.
Update your data collection forms. These should state in an easy-to-understand language what data is being collected and for what purpose. (A full list of what information needs to be presented to a user can be found in GDPR Articles 13 and 14.) If your company operates outside of the EU, you should also consider adding the ‘Country of residence’ field, so you could separate your databases if needed.
Update your current database
It’s advisable to update your database regularly. You can do so by sending your customers an email with an option to choose what type of information they want to receive. Then it’s more likely your customers won’t unsubscribe altogether. Any correspondence should also include an ‘Unsubscribe’ or ‘Update your preferences button.’
Also, don’t contact users who have previously unsubscribed. It’s prohibited by the Privacy and Electronic Communications Directive.
Be prepared for the worst
In case of a breach, the GDPR requires to report it within 72 hours (with some exceptions). Thus it’s a good idea to prepare a data breach plan and educate your employees on what to do in such circumstances. You should consider:
How your customer-facing employees should respond to customers;
How you will handle social media channels and will you have enough staff to respond to all messages;
What channels you will use to inform the affected parties, like your customers and vendors, if necessary;
How you will inform the media and what channels you will use to provide updates;
How you will communicate about the breach internally;
What procedures you have in place if your customers want to file complaints or get refunds;
How you will ensure that this doesn’t happen again.
The GDPR isn’t a one-off project and you shouldn’t treat it as such. It is about continuously working on improving your company’s privacy and security standards.