Not everyone can be a GDPR compliance specialist, but that doesn’t mean you should ignore data protection and privacy, especially if you run a business. Even though much talk has been made about GDPR compliance, being GDPR-ready is not a one-time project. It’s an ongoing approach to business.
Trusting the people we share our data with (looking at you, Facebook!) is a big part of how we do business online. When a company needs personal data to run its service, the user should be aware of why and how it is used so they can decide upon the service.
This is why GDPR puts more responsibility on organizations and increases the rights of individuals.
Some consultants we talked to say that there is no such thing as being 100% GDPR compliant. It’s more about taking a look at data and processes from an “ethical” standpoint and not as much about “tools” or “checklists”.
So, don’t search for a template; each organization has its own way of doing things. Try to develop an efficient data protection and privacy strategy based on your own scenario. This guide is just a starting point with a high-level, general approach. Ideally, you will need to dig into each area of your business and look at how you collect, process, disclose, store and delete data.
💡 This guide is purely for guidance and does not constitute legal advice or legal analysis. Organizations may need to seek independent legal advice for specific legal issues or queries.
Do I need to be GDPR compliant?
The General Data Protection Regulation (GDPR) encompasses several European privacy laws. However, these restrictions and guidelines don’t only apply to European businesses and websites.
Technically, everyone should comply with the GDPR due to the wide scope of the regulations. Still, there is some flexibility in their interpretation.
For instance, if your business is based in the European Union and targets European customers, you’ll need to meet the requirements of the GDPR privacy policy.
If your website is based outside the EU and only receives the occasional European visitor (but doesn’t explicitly target them), this is a slightly different matter. However, to be on the safe side, it’s still worth making your website GDPR compliant.
For more information on these regulations, we recommend checking out this article on location-based compliance with GDPR. This way, you can make an informed decision, one which safeguards user data and protects your business against potential fines and legal action.
6 steps to ensure GDPR compliance
Here are six steps to meet the GDPR compliance requirements on your website!
Step 1: Know the key concepts and articles regarding GDPR
Being GDPR compliant is not just about “fixing a website”. It’s part of your entire organization.
There are only a few situations where businesses don’t process information. In most cases, there are different levels of key personnel (HR, IT, marketing, security teams) that interact with customers’ data and, therefore, should be aware of the General Data Protection Regulation. It isn’t a one-person show. You need both technical and legal implementations.
Understanding the terms is a big step. Here are some that we will use in the guide and will help you navigate GDPR:
- Data subject – a natural person whose personal data is processed by a controller or processor.
- Data controller – the entity that determines the purposes, conditions, and means of processing personal data.
- Personal data – any information related to a natural person or Data Subject that can be used to directly or indirectly identify the person.
- Data processor – the entity that processes data on behalf of the Data Controller.
Next, get yourself familiar with the articles below. This will make your transition to the GDPR less difficult.
- Art. 5: Principles relating to the processing of personal data.
- Art. 6: Lawful bases of personal data processing.
- Art. 12 – 22: Data subject rights (access, data portability, right to be forgotten, etc.)
- Art. 25 & 32: Companies must implement appropriate technical and organizational measures to protect the personal data of data subjects.
- Take your time to read the law.
- Check out our Complete WordPress GDPR Guide.
- Process user data carefully. Treat it as you would treat trade secrets.
- Evaluate your products, services, tools, providers, etc., according to GDPR dispositions.
- Brief your collaborators on GDPR risks and benefits.
Step 2: What to do for GDPR compliance now
You should take action in a handful of different areas:
2.1. Data mapping
An important step towards compliance with GDPR is understanding how data moves in your organization. Documenting the way information flows in your company by making an inventory helps you demonstrate that you comply. A good starting point should be this data map: GDPR Data Map Template.
Mapping the data flow will also help you identify areas that could cause GDPR compliance problems. Remember that processing operations can be conducted only if the data controller can rely on at least one lawful basis. The most appropriate lawful basis will depend on the personal data being processed and the purposes for processing it.
2.2. Privacy Policy
Review and update your current Privacy Policy. This is the first place people will look to check for GDPR compliance.
You must communicate to individuals the legal basis for processing the data, retention periods, the right to complain when customers are unhappy with your implementation, whether their data will be subject to automated decision-making, and their rights under the GDPR.
Furthermore, you must provide the information in concise, easy-to-understand, and clear language.
2.3. Training
The GDPR is a business change project – the people you work with need to understand the importance of data protection and be trained on the basic principles of the GDPR and the procedures being implemented for compliance.
Share this article with the people who need to be informed.
- Map and document data streams performed by data processors.
- Be fully transparent to the user who is giving up their information.
- Give informative notice to your employees, vendors, and clients per Art. 13 of GDPR.
- Configure your consent method to use explicit/active consent when processing sensitive personal data on your website.
Step 3: GDPR compliance steps to take next
Data controllers should always cooperate with the Supervisory Authority regarding the fulfillment of their tasks.
Schedule regular audits of data processing activities and security controls in your organization. Keep records of personal data processing up to date for proof of consent.
3.1. Check what other vendors are doing
Because the GDPR has no clear-cut rules, the market will have to devise different tactics to ensure compliance without sacrificing user experience. A lot of companies have come out with new features, so be sure to check competitor websites for changes and best practices in your niche.
3.2. Report data breaches
You should make sure you have the right procedures in place to detect, report, and investigate data breaches, whether they originate inside or outside your organization. Think carefully when setting up your data breach matrix: rank incidents by severity, the number of data subjects affected, the type of personal data involved, and so on.
Typically, you must report a data breach to the Supervisory Authority within 72 hours, unless the personal data involved was anonymized or encrypted.
3.3. Continue working on operational policies, procedures, and processes
As mentioned before, privacy is not a one-time project. It is continuous work to make sure that the data you collect is safe and used with a proper scope. You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
- Design a data breach reporting mechanism.
- Bring all the internal procedures in line with the GDPR and privacy policies.
- Review and update employee, customer, and supplier contracts.
- Secure personal data through appropriate organizational and technical measures.
- Verify if data transfers outside the EU are compliant with GDPR requirements. Do not forget about the transition points.
Step 4: Website adjustments
This topic is a little bit controversial, especially for developers and marketers. I would say that adjusting forms and getting consent for cookies should fix 80% of the issues. However, keep in mind this is not legal advice.
4.1. Opt-In Forms
This is the standard way businesses gather information, so you must adjust all the forms you use. There isn’t a consensus on how to best do this, but we are following our email service provider’s recommendations.
4.2. Cookie Consent
The short version: inform your visitors in plain language about the purpose of your cookies and trackers before setting anything other than strictly necessary cookies.
There are different ways companies implement this, and the GDPR reference to cookies doesn’t clear things up. Sure, there are so-called functional cookies that are used for a session, but you need specific consent to set a cookie to track the user.
Be aware that another European regulation (the ePrivacy Regulation) is on its way and will regulate cookies even further.
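The rule in 4.2 (nothing beyond strictly necessary cookies before consent, explicit opt-in, and a record of that consent for the audits Step 3 asks for) is easier to get right when one gate owns every cookie write and every tracker load. The following is an added example, not code from the original article: the cookie categories, the tracker URLs and the `ConsentGate` class are assumptions, and the cookie store and script loader are passed in so the logic runs without a browser.

```javascript
// Added example (not from the original article): a consent gate for cookies
// and tracker scripts. Categories, tracker URLs and class names are assumptions.
// "necessary" cookies may be set at once; every other cookie and every tracker
// waits for an explicit, logged opt-in that the visitor can withdraw later.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Hypothetical tracker registry keyed by the consent category it needs.
const TRACKERS = {
  analytics: ["https://analytics.example.invalid/collect.js"],
  marketing: ["https://ads.example.invalid/pixel.js"],
};

class ConsentGate {
  // cookieJar: Map of name -> { value, category } (stands in for document.cookie)
  // loadScript: (src) => void (stands in for injecting a <script> tag)
  constructor(cookieJar, loadScript) {
    this.cookies = cookieJar;
    this.loadScript = loadScript;
    this.consent = { necessary: true, analytics: false, marketing: false };
    this.log = []; // audit trail: { category, granted, at }
  }

  // Returns false (and sets nothing) when the category has no consent yet.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.consent[category]) return false;
    this.cookies.set(name, { value, category });
    return true;
  }

  // Explicit opt-in: only a category the visitor actively set to true is granted;
  // a missing or pre-ticked value counts as "no". Each decision is logged.
  grant(prefs, now = new Date()) {
    for (const category of Object.keys(prefs)) {
      if (category === "necessary" || !CATEGORIES.includes(category)) continue;
      const granted = prefs[category] === true;
      this.consent[category] = granted;
      this.log.push({ category, granted, at: now.toISOString() });
      if (granted) for (const src of TRACKERS[category] || []) this.loadScript(src);
    }
  }

  // Withdrawal must be as easy as giving consent: flip the flag, log it,
  // and drop the cookies that were only allowed under that category.
  withdraw(category, now = new Date()) {
    if (category === "necessary" || !CATEGORIES.includes(category)) return;
    this.consent[category] = false;
    this.log.push({ category, granted: false, at: now.toISOString() });
    for (const [name, cookie] of [...this.cookies]) {
      if (cookie.category === category) this.cookies.delete(name);
    }
  }
}

// Constructed walkthrough of one visit: before consent, after an
// analytics-only opt-in, and after that consent is withdrawn.
function demo() {
  const jar = new Map();
  const loaded = [];
  const gate = new ConsentGate(jar, (src) => loaded.push(src));

  gate.setCookie("session_id", "abc123", "necessary");            // allowed immediately
  const blockedBefore = !gate.setCookie("_ga_like", "GA1.2.1", "analytics");

  gate.grant({ analytics: true, marketing: false }, new Date("2024-01-01T00:00:00Z"));
  gate.setCookie("_ga_like", "GA1.2.1", "analytics");              // now allowed
  const marketingStillBlocked = !gate.setCookie("_fbp_like", "x", "marketing");

  gate.withdraw("analytics", new Date("2024-01-02T00:00:00Z"));    // analytics cookie removed

  return {
    blockedBefore,
    marketingStillBlocked,
    cookieNames: [...jar.keys()],
    loaded,
    log: gate.log,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page the `Map` would be replaced by `document.cookie` writes and the loader by `document.createElement("script")`, but the shape stays the same: nothing on the site sets a cookie or loads a tag except through the gate, so a single review of `setCookie` and `grant` shows an auditor what runs before consent. The `log` array is the minimum record that lets you later demonstrate when each category was granted or withdrawn.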
Step 5: Other GDPR compliance issues to consider
Here are other aspects of the GDPR that are no less important:
5.1. Data transfer and disclosure
Keep an eye on personal data transfers. Make sure that your data processors will ask for your approval whenever they intend to transfer data outside the EU/EEA. The same rules apply when the data processors intend to subcontract part of the services they provide.
5.2. Data Protection Impact Assessments (DPIAs)
The GDPR introduces mandatory DPIAs for organizations involved in high-risk processing, such as deploying new technologies, a profiling operation likely to affect individuals significantly, large-scale monitoring of a publicly accessible area, etc.
5.3. Legitimate Interests Assessments (LIAs)
Unlike DPIAs, LIAs are just a best practice developed mainly by privacy specialists. They cover all those situations in which a data controller seeks to rely on legitimate interests (marketing operations, etc.). An “interest” can be considered “legitimate” as long as the data controller can pursue it in a way that complies with data protection and other laws.
5.4. Data Protection Officers
The GDPR will require some organizations to designate a Data Protection Officer (DPO). Organizations requiring DPOs include public authorities, organizations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organizations that process what is currently known as “sensitive personal data” on a large scale.
5.5. Processing Children’s Data
If your organization processes data from underage subjects, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians. The GDPR has specific provisions for children under 16 years old (see Art. 8 of the GDPR).
Step 6: Monitor and audit
Businesses must acknowledge that being transparent about how data is used and protected is now required by law. Each organization (including charities and public sector entities) must define a scope for collecting specific data.
You should only collect the personal information needed to provide the service or product and nothing more. Also, the data should not be shared for other unrelated purposes.
Another big thing is to keep the data secure from hacking, accurate and up to date, and to delete it once its retention period has passed.
The General Data Protection Regulation leaves lots of room for improvement when it comes to protecting individuals. This is why the future ePrivacy Regulation will bring even more transparency, especially in Big Data, shedding some light on the occurrence and purpose of analytics. This should be reason enough to monitor and audit your data regularly.
Don’t stop here. Go to the official resources we used for this guide and learn about privacy.
Conclusion
In the end, there are levels of compliance, and you should decide which one fits you based on a lot more factors than the ones listed here. However, this is a great start to get you going in the right direction and toward GDPR compliance. Of course, as a business, we all need to keep ourselves competitive in the marketplace, so there will be some trade-offs.
How are you preparing for GDPR compliance? Share your best practices in the comments section below!
Thanks for the article Claudiu. Really appreciate it.
That is really interesting
Smile. We all love reading, and we are always searching for informative information like this!
CD I just read how WordPress included that nifty comment disclosure – below comments – with its latest update. So smart. Would do the trick for me because I don’t grow a list, and only store data via comments published on my blog.
Ryan