The General Data Protection Regulation (GDPR) is a European Union (EU) law that governs how organizations collect and use personal data. Any company operating in the EU or handling EU residents’ data must adhere to GDPR requirements. However, GDPR compliance is not necessarily a straightforward matter. The law outlines a set of data privacy rights for users and a series of principles for the processing of personal data. Organizations must uphold these rights and principles, but the GDPR leaves some room for each company to decide how. The stakes are high, and the GDPR imposes significant penalties for non-compliance. The most serious violations can lead to fines of up to EUR 20,000,000 or 4% of the organization’s worldwide turnover in the previous year, whichever is higher. GDPR regulators can also terminate illicit data processing activities and compel organizations to make changes. The checklist below covers the core GDPR regulations. How an organization meets these regulations will depend on its unique circumstances, including the kinds of data it collects and how it uses that data.
GDPR basics
The GDPR applies to any organization based in the European Economic Area (EEA). The EEA includes all 27 EU member states plus Iceland, Liechtenstein and Norway. The GDPR also applies to organizations outside of the EEA if:
– The company regularly offers goods or services to EEA residents, even if no money is exchanged.
– The company regularly monitors the activity of EEA residents, such as by using tracking cookies.
– The company processes data on behalf of a company based in the EEA.
The GDPR doesn’t only apply to businesses using customer data for commercial purposes. It applies to nearly any organization that processes EEA residents’ data for any purpose. Schools, hospitals and government agencies all fall under GDPR authority. The only data processing activities exempt from the GDPR are national security or law enforcement activities and purely personal uses of data.
Useful definitions
The GDPR uses some specific terminology. To understand compliance requirements, organizations must understand what these terms mean in this context.

The GDPR defines personal data as any information relating to an identifiable human being. Everything from email addresses to political opinions counts as personal data.

A data subject is the human being who owns the data. Put another way, it’s the person the data relates to. Say a company collects phone numbers to send marketing messages via SMS. The owners of those phone numbers would be data subjects. When the GDPR refers to data subjects, it means data subjects who reside in the EEA. Subjects need not be EU citizens to have data privacy rights under the GDPR. They merely need to be EEA residents.

A data controller is any organization, group or person that obtains personal data and determines how it is used. Returning to a previous example, a company collecting phone numbers for marketing purposes would be a controller. Data processing is any action done to data, including collecting, storing or analyzing it.

A data processor is any organization or actor that performs such actions. A company can be both a controller and a processor, like a company that both collects phone numbers and uses them to send marketing messages. Processors also include third parties that process data on behalf of controllers, like a cloud storage service that hosts a phone number database for another business.

Supervisory authorities are the regulatory bodies that enforce GDPR requirements. Each EEA country has its own supervisory authority.
The GDPR compliance checklist
At a high level, an organization is GDPR compliant if it:
– Adheres to the data processing principles
– Upholds the rights of data subjects
– Applies appropriate data security measures
– Follows the rules for data transfers and data sharing
The following checklist breaks these requirements down further. The practical steps an organization takes to meet these requirements will depend on its location, resources and data processing activities, among other factors.
Data processing principles
The GDPR creates a set of principles organizations must follow when processing personal data. The principles are as follows.
1. The organization has a lawful basis for processing data. The GDPR defines the circumstances under which companies can legally process personal data. An organization must establish and document its legal basis before collecting any data. The organization must communicate this basis to users at the point of data collection. It cannot change the basis after the fact unless it has user consent to do so. The possible lawful bases include:
– The organization has the subject’s consent to process their data. Note that user consent is only valid if it is informed, affirmative and freely given. Informed consent means the company clearly explains what data it is collecting and how it will use that data. Affirmative consent means the user must take some intentional action to show consent, such as by signing a statement or checking a box. Consent cannot be the default option. Freely given consent means the company does not attempt to influence or coerce the data subject. The subject must be able to withdraw their consent at any time.
– The organization must process the data to execute a contract with the data subject or on the data subject’s behalf.
– The organization has a legal obligation to process the data.
– The organization must process the data to protect the life of the data subject or another person.
– The organization is processing data for reasons of the public interest, such as journalism or public health.
– The organization is a public authority processing data to perform an official function.
– The organization is processing the data to pursue a legitimate interest. A legitimate interest is a benefit the controller or another party could gain by processing the data. Examples include conducting background checks on employees or tracking IP addresses on a corporate network for cybersecurity purposes. To claim a legitimate interest basis, the organization must prove that the processing is necessary and does not infringe on subjects’ rights.
2. The organization collects data for a specific purpose and only uses it for that purpose. According to the GDPR principle of purpose limitation, controllers must have an identified and documented purpose for collecting data. The controller must communicate this purpose to users at the point of collection, and it can only use the data for this named purpose.
3. The organization only collects the minimum amount of data necessary. Controllers can only collect the minimum amount of data necessary to fulfill their stated purpose.
4. The organization keeps data accurate and up to date. Controllers must take reasonable steps to ensure the personal data they hold is accurate and current.
5. The organization deletes data when it is no longer needed. The GDPR requires strict data retention and deletion policies. Companies can only keep data until the specified purpose for collecting that data has been fulfilled, and they must delete the data once they no longer need it.
6. The organization takes extra precautions when processing children’s data or special category data. Controllers and processors must apply additional protections to certain types of personal data. Special category data includes highly sensitive data like a person’s race and biometrics. Organizations can only process special category data in very limited circumstances, such as to prevent serious public health threats. Companies can also process special category data with the subject’s explicit consent. Criminal conviction data can only be controlled by public authorities. Processors can only process this information at a public authority’s direction. Controllers must obtain a parent’s consent before processing children’s data. They must take reasonable steps to verify the ages of subjects and the identities of parents. If collecting data from children, controllers must present privacy notices in child-friendly language. Each EEA state sets its own definition of “child” under the GDPR. These range from “anyone under the age of 13” to “anyone under the age of 16.”
7. The organization documents all data processing activities. Organizations with more than 250 employees must keep records of data processing. Organizations with fewer than 250 employees must keep records if they process highly sensitive data, process data regularly or process data in a way that poses a significant risk to data subjects. Controllers must document things like the data they collect, what they do with that data, data flow maps and data safeguards. Processors must document the controllers for which they work, the types of processing they do for each controller and the…