Knowledge - 05 July 2022 | By TermsHub
Updated at: 05 July 2022
Guide for becoming GDPR compliant
The General Data Protection Regulation (GDPR) is European Union legislation that protects individuals with regard to the processing of their personal data and governs the free movement of such data within the EU. Although the GDPR is one of the strictest privacy and security laws in the world, many businesses still do not adhere to all of its requirements, and that is a risky position to be in. Organizations that do not comply face fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
The GDPR requirements are clearly outlined in this article, which also offers a compliance checklist for new or already existing businesses.
Who Is Covered by the GDPR?
The GDPR applies to any organization established in the EU, and also to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour (for example through analytics or tracking cookies). If you run an online business you can rarely be certain whether the people you deal with are in the EU, so every online business should, at a minimum, be GDPR compliant.
The GDPR distinguishes two roles for anyone who handles personal data. A data controller is any person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data. A data processor processes personal data only on behalf of a controller and according to its documented instructions. Processors do not decide why or how personal data is used, but they are not exempt from the regulation: they must process data only on the controller's instructions, keep it secure, and report breaches to the controller.
Steps to execute
The following steps will help businesses become GDPR compliant, or re-evaluate an existing compliance program and make the necessary changes.
- Assess the relevance
It does not matter that your business is located outside the EU. If you have clients in the European Union, you almost certainly store their personal data, and the rules apply to you.
Your first task is therefore to assess whether the GDPR applies to you at all. According to a PwC survey, the GDPR is one of the top priorities for 92 percent of U.S. firms. If you are certain that you have no business with the EU and no clients in the EU, the regulation does not currently apply to you. Do not abandon the question for good, though: a single EU customer, a new market, or a tracking script on your website can bring you into scope later.
- Be aware of all the information you are gathering
You cannot control personal data if you do not know what information is collected and how it moves through your internal systems. Things you need to know:
- Source. Where does the data come from: web forms, account sign-up, third parties, server logs?
- What kind of data is collected. Name, email, phone, company name, location, etc.
- Why you need this data. Personalized offers? Advertising? Fulfilling a contract? Each purpose needs a lawful basis.
- How the data is processed. Where is it stored? Who can access it? Is it shared with third parties or transferred outside the EU?
- Retention and deletion. How long do you keep the data? What must a person do to have their data deleted? How long does deletion take, including in backups?
- Lawful basis and consent. Before collecting data you need a lawful basis for doing so. Consent is one such basis: if a person opts in, for example by accepting cookies, you may store and use their data for the purpose they agreed to. Consent is not the only basis, though; performing a contract, a legal obligation or a legitimate interest can also justify processing, and you should record which basis applies to each purpose.
- Sensitive information. Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation are special categories of personal data. Processing them is prohibited unless one of the specific exceptions in the GDPR applies, such as explicit consent.
- IP addresses. If an IP address can be linked to a person's identity, it is personal data as well, so server and application logs are in scope.
These are the first points to establish and document well if you want to avoid a fine; a record of processing activities is the first thing a supervisory authority will ask for.
- Protect the data
Once you know what personal data you hold, it has to be protected. A large part of the GDPR concerns organizations implementing, and being able to demonstrate, appropriate security for the data they hold. Article 32 asks for technical and organizational measures appropriate to the risk, and names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of those measures as examples. Data you have not located cannot be protected; it is the data you forgot about that a breach or an audit will find first.
One organizational measure is appointing a Data Protection Officer (DPO), though this is not required for everyone. Under Article 37, both controllers and processors must designate a DPO when the processing is carried out by a public authority, when their core activities involve regular and systematic monitoring of individuals on a large scale, or when their core activities involve large-scale processing of special categories of data or data about criminal convictions. Note that even though processors only follow the processing instructions given by controllers, they are still expected to have a data protection policy and, where the criteria apply, a DPO. A group of companies may appoint a single DPO, provided that person is easily accessible from each establishment, and the DPO must report to the highest level of management and be able to act independently.
- Data Protection Impact Assessment
Collect only the data you actually need for a stated purpose; the GDPR calls this data minimisation. A supervisory authority checking your compliance will take a dim view of sensitive data amassed without a good justification.
Where processing is likely to result in a high risk to the rights and freedoms of individuals, Article 35 requires a data protection impact assessment (DPIA) before the processing starts. Examples the regulation gives are systematic and extensive profiling that produces legal or similarly significant effects, large-scale processing of special categories of data, and large-scale systematic monitoring of publicly accessible areas. The DPIA describes the processing and its purposes, assesses its necessity and proportionality, identifies the risks to individuals, and records the measures taken to address them.
Running a privacy impact assessment to find weak points is a good idea for any firm, but it is only mandatory for high-risk processing. Several other GDPR obligations likewise only come into play when the processing is deemed high risk; for example, if a DPIA shows a residual high risk that you cannot mitigate, you must consult the supervisory authority before proceeding.
- Be transparent and show consent
Everything you collect about your customers should be disclosed to them. Covert data collection only leads to a large non-compliance penalty. Articles 13 and 14 spell out what a privacy notice must contain: who the controller is, the purposes and legal basis of the processing, the recipients of the data, how long it is kept, and the rights individuals have.
At every point where data is collected, a clear notice must be shown before any data is gathered. Website forms with a consent checkbox and cookie banners are the usual mechanisms.
Consent must be freely given, specific, informed and unambiguous, and implemented as an opt-in. Pre-ticked boxes, silence and requiring people to opt out are not valid consent. It must be as easy to withdraw consent as it was to give it, and you must be able to demonstrate that consent was obtained, so record who consented, when, and to what. Children under 16 cannot give valid consent to online services themselves and a parent or guardian must consent on their behalf; member states may lower this age to as low as 13, so check the rule in each market you serve.
People can change their minds at any time and withdraw consent. Your business needs a standard procedure so that such requests are handled promptly. Individuals also have the right to request access to their personal data under the GDPR, and you must respond within one month (extendable by two further months for complex requests), providing a copy of the data together with the purposes, recipients and retention period. Related rights include rectification, erasure, restriction of processing, and data portability.
- Report data breaches
Prompt breach notification is a core GDPR requirement. Under Article 33, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if notification is late, the reasons for the delay must be given. A processor must notify the controller without undue delay after becoming aware of a breach, so the 72-hour clock runs for the controller from that point. Where the breach is likely to result in a high risk to individuals, Article 34 additionally requires informing the affected people. Keep a record of every breach, including those you decided not to report and why.
- Keep your policies updated
These seven steps lay your GDPR foundation in the right way. Keep up to date with GDPR guidance and enforcement decisions, and review your records of processing, privacy notices and data protection policies whenever you introduce a new product, vendor or data flow, so that your business can run without unpleasant surprises.