Tips & Tricks for GDPR compliance
- Start preparing now
If you have not already, start preparing immediately.
- Context
The regulation is based on three main ideas: the protection of personal data, the protection of people's rights and freedoms with respect to their data, and limiting the movement of personal data within the European Union.
- Raise awareness across your organization
GDPR urged organizations to start preparing for it as soon as possible. It is now in effect, yet many organizations are not prepared or did not prepare sufficiently, as the non-compliance penalties issued by the Information Commissioner show.
Key people and decision-makers need to be aware of the GDPR legislation so they can understand its potential impact and identify the areas that require attention for compliance. Start by looking at your risk register, if you have one.
- Audit personal data
Document what personal data you hold, where it came from and who you share it with. The GDPR makes organizations responsible for proving they comply with the data protection principles, for example by having effective policies and procedures in place.
If you become aware that you’ve shared inaccurate personal data with other organizations, it is your responsibility to inform the other organization about this inaccuracy so it, too, can correct its own records.
Any data that can be used to identify an individual, or that links to identifying information, is considered "personal data" and falls under the GDPR.
- Get rid of data you no longer need
‘Cleaning’ your data helps focus on the important information and metrics used to create value between a business and its consumers.
The process will also help you stay compliant with the GDPR requirements for limited storage periods and processing consent.
- Update your privacy notice
When you collect personal data, you probably use a privacy notice containing information such as your identity and how you intend to use people's information. Under the GDPR you need to tell people some additional things, such as:
- your legal basis for processing the data
- your data retention periods
- their right to complain to the ICO if they think there’s a problem with how you’re handling their data
- Review your procedures supporting individuals’ rights
The key thing here is to make sure you have the procedures in place so you can comply with, for example, an individual’s request to provide them with the data you have on them electronically and in a commonly used format.
The main rights for individuals under the GDPR are to:
- allow subject access
- have inaccuracies corrected
- have information erased
- prevent direct marketing
- prevent automated decision-making and profiling
- allow data portability (as per the paragraph above)
- Review your procedures supporting subject access requests
Subject access requests could create a logistical and administrative headache for many businesses.
You cannot charge for complying with reasonable requests, and you have just a month to comply. There are also different grounds for refusing to comply with a subject access request, and if you refuse a request you need policies and procedures in place to demonstrate why the request meets those criteria.
- Identify and document your legal basis for processing personal data
You need to understand the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
- Review how you seek, obtain and record consent
If you rely on individuals’ consent to process their data, make sure it meets the standards required by the GDPR. If not, alter your consent mechanisms or find an alternative to consent. The GDPR is clear that data controllers must be able to demonstrate that consent was given.
You may need to review the systems you have for recording consent and ensure you have an effective audit trail.
- ‘Unambiguous consent’ will affect marketing
One of GDPR's headline provisions is the requirement for 'unambiguous consent' before a user's personal or behavioral data can be used for marketing purposes. As part of the initial contact with individuals, it is important that they understand every aspect of what they are agreeing to when handing over information about themselves.
- Review the data you hold on children
GDPR has special protection for children’s personal data. If your organization collects information about children under the age of 13, you need parental/guardian consent to process their data lawfully.
- Establish procedures to detect, report and investigate a personal data breach
The GDPR requires that all organizations notify the ICO of all data breaches where the individual is likely to suffer some form of damage, such as identity theft or a breach of confidentiality.
You need to set up processes to detect, report and investigate breaches.
Failing to report a breach could result in a fine, in addition to a fine for the breach itself.
- Test data breach response procedures
There is a 72-hour limit for notifying a local data protection authority (DPA) of a data breach that could result in harm to data subjects. GDPR mandates affected subjects be notified "without undue delay." Regularly test breach management procedures and responses to data subject requests to ensure employees can meet these deadlines. They should know how to identify and report a data breach internally, and it should be clear whose responsibility it is to communicate with the DPA and customers.
- There are no boundaries
If your business collects data in the EU about EU citizens, the GDPR regulation applies, regardless of where you are located.
- Transferring outside EU
There are serious restrictions on transferring data to third countries. The European Commission determines to which "third" countries, or to which sectors or organizations within those countries, personal data may be transferred.
- Review your processes around Data Privacy Impact Assessments (DPIAs)
In a high-risk situation, such as a new technology deployment or where operations are likely to significantly affect individuals, you may be required to carry out a privacy impact assessment (PIA).
Think about where it might be necessary to conduct a DPIA in your organization. Who will do it? Who else needs to be involved? Should the process be run centrally or locally?
- Appoint a Data Protection Officer (DPO)
If your organization employs 250 or more people, is a public authority or is involved in the regular and systematic monitoring of data subjects on a large scale, you should appoint a data protection officer. The DPO should take proper responsibility for data protection compliance and have the knowledge, support and authority to do so effectively.
- GDPR compliance by design
If you design all your GDPR processes to fit the regulation, you only have to do it once for it to be right. GDPR is a long-term framework for how companies handle the data they collect from customers. The Internet of Things and Big Data are not a movement; they are an evolution of how people connect and engage with each other and their physical surroundings. Getting GDPR compliant by design from the start ensures you only need to read these tips once to get your business ready for the GDPR.
- Use GDPR compliant software
Many software vendors, especially cloud service providers, have been busy updating their apps and software to comply with the GDPR legislation. Make sure you speak to your current or chosen provider to see how their software supports GDPR compliance and what tips they have to help you manage your data effectively.
An important question for cloud providers is where they store your data (where their datacenters are): inside or outside the EU.
Practical implementations for GDPR compliance
Public pages
- Privacy policy - the core document in which you present your compliance with GDPR, covering:
- Which personal and non-personal information you collect
- Why you collect it
- How long is it stored (it should not be stored longer than necessary for the purposes for which it was collected)
- International transfer to other countries
- Users' rights regarding their data
- How the data is protected
- Legal address, contact information and contact information for DPO
- Terms & conditions
Registration page
- Data minimization - fields for data collection should be minimal and only for necessary information
- Clear consent option
- Terms and Conditions, and Privacy Policy checkbox
- Marketing checkbox, if you plan marketing activity
User profile page
- Users should be able to change / correct their data (directly or indirectly)
- Users have the right to delete their account (directly or indirectly)
- Right to restriction of processing. When requested by the user, their personal information should no longer be accessible publicly, to other users, or even to system administrators.
- Users have the right to have their data exported and/or transmitted to another controller.
- Granular consent. The controller must be able to demonstrate the consent it received.
- Possibility to give / withdraw consent for specific actions (e.g. marketing mail)
Additional functionality
- When data is no longer needed it must be deleted or anonymized
- The controller must notify all other processors of the user's data about the actions mentioned above (requests for correction, deletion, restriction of processing, etc.)
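The user-profile requirements above (granular consent that the controller can demonstrate, correction, restriction of processing, export, erasure/anonymization when data is no longer needed, and notifying processors) map onto a small set of operations on a user record. The following is an added example, not code from the original page: an in-memory model in which consent is an append-only ledger of per-purpose events tagged with the policy version the user saw, restriction hides the profile from everyone except the owner, erasure blanks the identifying fields instead of keeping a dormant record, and every change is pushed to registered processors. All class and function names, the two-year retention period and the sample users are hypothetical.

```python
# Added example, not code from the original page: an in-memory model of the
# user-profile operations listed above (granular consent ledger, rectification,
# restriction of processing, portability export, erasure by anonymization when
# the retention period expires, notification of processors). All names and the
# retention period are hypothetical; the users in demo() are constructed data.
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass
class ConsentEvent:
    purpose: str         # granular purpose, e.g. "marketing_mail"
    given: bool          # True = consent given, False = consent withdrawn
    at: str              # ISO-8601 timestamp of the user's action
    policy_version: str  # privacy notice / T&C version the user actually saw

@dataclass
class User:
    user_id: str
    email: str
    name: str
    last_active: datetime
    restricted: bool = False  # right to restriction of processing exercised
    erased: bool = False      # identifying fields removed (anonymized)
    consents: list = field(default_factory=list)  # append-only ledger

class UserStore:
    RETENTION = timedelta(days=730)  # hypothetical value from the retention policy
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        # Processors holding copies of the data; each is told (user_id, action).
        self.processors: list[Callable[[str, str], None]] = []
    def _notify(self, user_id: str, action: str) -> None:
        for callback in self.processors:
            callback(user_id, action)
    def add_user(self, user_id: str, email: str, name: str, now: datetime) -> None:
        self.users[user_id] = User(user_id, email, name, now)
    def record_consent(self, user_id: str, purpose: str, given: bool,
                       policy_version: str, now: datetime) -> None:
        self.users[user_id].consents.append(
            ConsentEvent(purpose, given, now.isoformat(), policy_version))
    def has_consent(self, user_id: str, purpose: str) -> bool:
        # Latest event per purpose wins; no event at all means no consent (opt-in).
        events = [e for e in self.users[user_id].consents if e.purpose == purpose]
        return bool(events) and events[-1].given
    def rectify(self, user_id: str, **fields: str) -> None:
        for key, value in fields.items():
            assert key in ("email", "name"), f"not a rectifiable field: {key}"
            setattr(self.users[user_id], key, value)
        self._notify(user_id, "rectify")  # downstream copies must be corrected too
    def restrict(self, user_id: str) -> None:
        self.users[user_id].restricted = True
        self._notify(user_id, "restrict")
    def view(self, user_id: str, viewer_role: str) -> Optional[dict]:
        # Restricted data is hidden from other users and administrators alike.
        u = self.users[user_id]
        if u.erased or (u.restricted and viewer_role != "owner"):
            return None
        return {"email": u.email, "name": u.name}
    def export(self, user_id: str) -> str:
        # Portability: machine-readable copy of the profile and the consent history.
        u = self.users[user_id]
        return json.dumps({"profile": {"user_id": u.user_id, "email": u.email, "name": u.name},
                           "consent_history": [asdict(e) for e in u.consents]}, indent=2)
    def erase(self, user_id: str) -> None:
        u = self.users[user_id]
        u.email, u.name, u.consents, u.erased = "", "", [], True  # anonymize: drop identifying fields
        self._notify(user_id, "erase")
    def purge_expired(self, now: datetime) -> list[str]:
        # Retention enforcement: data that is no longer needed gets anonymized.
        expired = [uid for uid, u in self.users.items()
                   if not u.erased and now - u.last_active > self.RETENTION]
        for uid in expired:
            self.erase(uid)
        return expired

def demo() -> dict:
    """Constructed walk-through; returns the observations so they can be checked."""
    store, out, notified = UserStore(), {}, []
    store.processors.append(lambda uid, action: notified.append((uid, action)))
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store.add_user("u1", "alice@example.com", "Alice", now)
    out["consent_before"] = store.has_consent("u1", "marketing_mail")
    store.record_consent("u1", "marketing_mail", True, "privacy-v3", now)
    out["consent_given"] = store.has_consent("u1", "marketing_mail")
    store.record_consent("u1", "marketing_mail", False, "privacy-v3", now + timedelta(days=2))
    out["consent_withdrawn"] = store.has_consent("u1", "marketing_mail")
    store.rectify("u1", name="Alice Smith")
    out["admin_view"] = store.view("u1", "admin")
    store.restrict("u1")
    out["admin_view_restricted"] = store.view("u1", "admin")
    out["owner_view_restricted"] = store.view("u1", "owner")
    out["exported_events"] = len(json.loads(store.export("u1"))["consent_history"])
    store.add_user("u2", "bob@example.com", "Bob", now - timedelta(days=800))  # inactive too long
    out["purged"] = store.purge_expired(now)
    out["u2_email_after_purge"] = store.users["u2"].email
    out["notified"] = notified
    return out
```

The ledger is deliberately append-only: a withdrawal is recorded as a new event rather than by deleting the earlier grant, so the history of what the user agreed to, when, and under which policy text survives and can be produced on request. In a real system the store would be a database, the processor callbacks would be messages to the subcontractors that hold copies of the data, and the retention period would come from the data retention policy rather than a constant.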
Organizational measures for data protection
- Important policies and documents
- Data protection policy
- Records of processing activities
- Security incident response policy
- Data retention policy
Nice to have policies (can be combined into one or more documents)
- Disaster recovery and business continuity
- Data disposal policy
- Backup policy
- Employment process
- System access control policy
- SLA
- Software development lifecycle policy
- Escalation procedures
- Cryptographic control policy
- Coding standards
- Rollout procedure
Technical measures for data protection
GDPR does not specify which measures you have to implement; it does, however, require that the controller implement appropriate technical and organizational measures.
- Access control (physical and technical)
- Encryption of
- Data at rest (whole disk, database encryption)
- Data in transit (HTTPS, IPSec, TLS, PPTP, SSH)
- Backups
- Firewalls
- VPN access
- Intrusion detection
- Intrusion prevention
- Health monitoring
- Password requirements
- 2 factor authentication
- Antivirus
- Other measures, depending on the system in use
Specific points, which may require the involvement of lawyers
- GDPR prohibits the processing of special categories of data by default. However, if you meet one of the conditions in Article 9(2), you may continue to process it.
- An authorized representative must be appointed for controllers or processors that are not established in the EU.
- The controller is responsible for its subcontractors. They must comply with GDPR, regardless of where they are located.
- A subcontractor must not use the services of another subcontractor without the controller's written consent. Of course, this applies only within the scope of the cooperation with the controller.
- Serious restrictions on data transfer. These also apply to data storage in the case of cloud service providers.
- Data Protection Officer (DPO)