By: Shimon Brathwaite
July 7, 2021
10 Tips For Compliance With GDPR
GDPR stands for General Data Protection Regulation. It is a privacy law created by the European Union (EU) that took effect on May 25th, 2018, in response to the need for stronger data privacy protection for EU citizens. As the internet has grown, statistics say that 2.5 quintillion bytes of data are created every day. Because of the popularity of social media websites, online shopping, gaming applications, and many other online services that make our lives easier, we give up a great deal of personal information: our addresses, credit card details, first and last names, and other unique identifiers that can be linked back to us as individuals. Data protection laws like the GDPR are essential because they regulate how companies may collect and use this consumer information.
GDPR for Businesses
From a business point of view, GDPR regulates how your business may collect and use consumer information. In particular, it focuses on the collection of personally identifiable information (PII), meaning any piece of information that can identify an individual. GDPR applies to every company that collects data from EU citizens, regardless of where the company itself is located. Failure to comply with GDPR requirements can result in fines of up to 20 million euros or up to 4% of the offending company’s total revenue, and that is before any lawsuits by individual citizens who were harmed by the failure to comply. It is also important to note that GDPR holds the organization responsible for the actions of its third-party vendors. Under GDPR, the company that initially collects the information is the data controller, and any third party you share the information with for processing is the data processor. The data controller is responsible both for its own compliance and for the compliance of its data processors.
Tips for GDPR Compliance
Track the geographical location of your customers
First, track where in the world your customers are located. Then identify which of them are EU citizens who fall under the protection of GDPR.
Always obtain consent
Your company must ask for consent in a clear way whenever it collects consumer information. You cannot bury the request for permission in a terms and conditions agreement or present it in any way that could be seen as an attempt to obscure it. When asking for consent, avoid complex language that a typical person might not understand or might misinterpret. Finally, your consumers must be able to withdraw their consent at any time during their transaction with your business.
Report data breaches within 72 hours
When a data breach occurs, the business is responsible for notifying all affected customers or controllers within 72 hours. Data controllers are “the natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of personal data processing.”
Provide customers with a data profile
All of your customers should be able to get a copy of their existing data profile, meaning all of the data your company has collected about that person. Customers should also be able to update their information at any time.
Customer’s right to data deletion
Customers should also be able to have their personal information deleted on request. This means having all of their data deleted, with no backups retained except where required by law. Companies should fulfill all deletion requests within one month of notification.
Customer’s right to data portability
Any information your business collects, or generates based on user behaviour, should be available for customers to reuse. For example, take a smart device that measures how many steps you take, heart rate, calories burned, and so on: the customer should be able to obtain that data in a commonly used, machine-readable format so they can take it with them to another service.
Have privacy by design
GDPR requires that companies build privacy and security into the design of their systems to protect customer information. This includes encrypting or anonymizing personal data wherever possible, having a security policy, and having processes for notification should a data breach occur.
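To show how the data-profile, deletion and privacy-by-design tips above fit together in code, here is an added example written for this page (it is not the article’s code and does not come from any product). The design it assumes, which the article does not spell out, is that personal data lives in one store, every downstream system (analytics, logs) is handed only an HMAC pseudonym, and erasure means deleting the profile and destroying the per-subject key. The class, its methods, the in-memory dictionaries and the sample customer record are all assumptions; a real deployment would back this with a database and a key-management service.

```python
"""Toy customer-data vault (added example for this page, not the article's code).

Assumed design (not stated on the page): personal data lives in one store, every
downstream system (analytics, logs) receives only an HMAC pseudonym, and erasure
means deleting the profile and destroying the per-subject key.
"""
import hashlib
import hmac
import json
import secrets


class SubjectVault:
    """Holds each data subject's profile together with a per-subject secret key."""

    def __init__(self):
        self._profiles = {}  # subject_id -> dict of personal data (the "data profile")
        self._keys = {}      # subject_id -> 32 random bytes used only for pseudonyms

    def register(self, subject_id, profile):
        """Store the personal data centrally and mint a fresh random key for the subject."""
        self._profiles[subject_id] = dict(profile)
        self._keys[subject_id] = secrets.token_bytes(32)

    def pseudonym(self, subject_id):
        """Keyed hash that downstream systems store instead of the raw identifier.

        Each subject has its own key, so the same identifier in two datasets cannot
        be joined without the vault, and once the key is destroyed the value can
        no longer be recomputed from the identifier.
        """
        key = self._keys[subject_id]
        return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def export_profile(self, subject_id):
        """Right of access and portability: a machine-readable copy of everything held."""
        return json.dumps(self._profiles[subject_id], sort_keys=True)

    def update_profile(self, subject_id, **changes):
        """Customers may correct their information at any time."""
        self._profiles[subject_id].update(changes)

    def erase(self, subject_id):
        """Right to erasure: remove the profile and destroy the key.

        Analytics rows that carry only the pseudonym stay intact but can no
        longer be linked back to a person once the key is gone.
        """
        del self._profiles[subject_id]
        del self._keys[subject_id]

    def is_known(self, subject_id):
        return subject_id in self._profiles


def demo():
    """Walk one constructed subject through the access, update and erasure flow."""
    vault = SubjectVault()
    # Constructed sample data; the step count mirrors the fitness-tracker example above.
    vault.register("alice@example.com", {"name": "Alice", "steps_today": 8200})
    token = vault.pseudonym("alice@example.com")  # what an analytics table would store
    vault.update_profile("alice@example.com", steps_today=9100)
    copy_for_customer = vault.export_profile("alice@example.com")
    vault.erase("alice@example.com")
    return token, copy_for_customer, vault.is_known("alice@example.com")


if __name__ == "__main__":
    print(demo())
```

The point of the per-subject key is that a deletion request does not have to chase every copy of a pseudonym through analytics exports and log archives: destroying the key is what severs the link, while the central profile itself is removed outright.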
Appoint a data protection officer
All companies that handle EU consumer information should appoint a data protection officer responsible for safeguarding that citizen information. Depending on the company’s size, this may be a requirement or merely a suggestion. You are required to appoint one if you meet any of these criteria:
- Public authority: the processing of personal data is done by a public body or public authority, with exemptions granted to courts and other independent judicial authorities.
- Large-scale, regular monitoring: the processing of personal data is the core activity of an organization that regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.
- Large-scale special data categories: the processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.
Whether or not you are required to have a data protection officer, every company should have someone responsible for GDPR compliance.
Use security audits
A security audit is simply a test of your security controls to ensure the proper controls are in place and work as expected. To make sure you are up to standard, it is a good idea to have someone familiar with GDPR’s expectations review your security posture. While GDPR does not explicitly require audits, it is worthwhile to find someone knowledgeable about its requirements to assess your infrastructure.
Hire an outside consultant
If you are unsure whether you are meeting the requirements, it is best to hire an expert in GDPR compliance. The consultant can review your compliance on a semi-annual basis, or after a drastic change in business processes, and advise you accordingly.
GDPR is a privacy regulation that protects the data privacy rights of European Union citizens. It affects all companies that collect EU citizens’ data, regardless of where in the world the company is located, and non-compliance can result in heavy fines. To achieve GDPR compliance, therefore, you need to give your customers all of the rights and access to their personal information outlined in the points above and put the necessary security controls in place.