How to Comply with GDPR

Do you own a website or an app that serves customers in the EU? Is it GDPR-compliant?

This article will not only help you get a better understanding of the GDPR, but will help you comply with this regulation by providing a quick guide that you can use to make sure your compliance plan covers everything it needs to.

The GDPR (Regulation (EU) 2016/679) was adopted on April 27, 2016. At that time, businesses (including online businesses) were given a transition period of two years to fully comply with this regulation. On May 25, 2018, the GDPR became enforceable.

This privacy regulation is both comprehensive and specific. Containing 99 articles, the GDPR gives precise instructions about how organizations must handle personal data. It gives data subjects (in this case, individuals in the EU) specific rights concerning their data.

Any website, web app, mobile app, or desktop app that collects or processes the personal data of individuals in the EU falls within the scope of the GDPR. This holds regardless of where the business itself is based: a company outside the EU is covered if it offers goods or services to people in the EU or monitors their behaviour there.

How to Comply with the GDPR

To get you started with your GDPR compliance, we have formulated a list of 14 steps:

1. Raise Awareness

Start by raising awareness in your workspace about the GDPR and how it will affect your business. Assess what steps you will have to take to properly implement this regulation.

Hold informative meetings, have employees read articles and make sure everyone is aware of changes that will be taking place at your organization.

2. Document

Under the GDPR, you are required to be able to show how you implement this regulation in your business. For this purpose, you must keep a record of your processing activities: what personal data you hold, where you obtained it from, why you process it, how long you keep it, and to whom you transfer it. In addition, you may have to conduct a data audit in your company to build that record in the first place.

From beginning to end of compliance implementation -- and well into the future -- documenting is going to be very important under the GDPR.

3. Share Your Privacy Policy

The GDPR requires you to post your company's Privacy Policy on your website. Make sure your Privacy Policy includes the following information:

  • Who you are
  • How you collect and use personal data
  • The legal reason for obtaining and processing the data
  • How long you retain the data, or the criteria used to decide the retention period
  • The users' rights, including the right to restrict your processing of their data

4. Know the Rights of Individuals

Your customers have certain rights regarding their data. Under the GDPR, your customers can in most cases:

  • Request access to their data
  • Request that you restrict the processing of their data
  • Receive their data in a portable, machine-readable format, or have it transmitted to another controller
  • Object to the processing of their data
  • Request that you correct inaccurate or incomplete information
  • Request information about how their personal data is processed and any other supplementary information
  • Request the erasure of their data

You must address and abide by these user rights.

5. Handling Subject Access Requests

The GDPR requires you to respond to requests from data subjects without undue delay and at the latest within one month of receiving the request. That period can be extended by a further two months if the request is complex or you receive many, but you must tell the individual about the extension, and the reasons for it, within the first month. Also, ensure that you are able to provide customers their information free of charge; a reasonable fee may be charged only where a request is manifestly unfounded or excessive, or for additional copies of the same data.

6. Establish a Legal Reason, or Basis, for Processing Customer Data

You will have to inform your users about the legal reason for processing their personal data. Start out by identifying the legal basis and notifying your users through your website's Privacy Policy agreement.

7. Obtain Valid Consent

Under the GDPR, if you use consent as your legal basis for collecting data, that consent must be freely given, specific, informed, and unambiguous, and it must be obtained through a clear affirmative action before you collect or process the personal data. In addition, you must make sure that the customer is fully informed about how you will be using their data, and withdrawing consent must be as easy as giving it. Explicit consent, a higher bar, is required for special categories of data such as health or biometric data. Placing non-essential cookies (analytics, advertising) also requires consent, and the GDPR's standard of consent is the one that applies.

8. Take Measures Concerning Children

If you have users that are children, you must ensure that the privacy information on your website is written in clear, plain language that a child can understand. Where you offer an online service directly to children and rely on consent, you must also obtain the consent of a parent or guardian before processing the data of a child below the age of digital consent, which is 16 under the GDPR unless the member state has set a lower age (no lower than 13).

9. Handle Data Breaches

The GDPR requires you to take steps to detect, investigate, and document data breaches. Keep a breach register of every incident, including those you decide not to report. You must notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and you must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them.

10. Data Protection Impact Assessments

You will have to carry out a data protection impact assessment (DPIA) of any processing that is likely to result in a high risk to individuals, such as large-scale profiling, systematic monitoring of public areas, or processing of special categories of data. The assessment describes the processing, judges whether it is necessary and proportionate, and identifies the risks to individuals and the measures that address them. It also shows you where weaknesses in your environment may lead to a data breach and what the consequences of such a breach would be.

11. Appoint a Data Protection Officer (DPO)

Under the GDPR, you may be required to appoint a Data Protection Officer whose job it is to advise on and monitor compliance with the regulation and to oversee the data processing activities in your company. A DPO is mandatory if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special categories of data or criminal conviction data.

Determine whether you need this role or not and take the appropriate steps if you do.

12. Attn: Businesses That Operate Internationally

If your business operates internationally, identify which data protection supervisory authority your business is answerable to. Under the GDPR, your lead supervisory authority is that of the country where your main establishment is located, that is, where your central administration is or where the decisions about the purposes and means of processing are made.

You also may need an EU Representative in some cases.

13. Have a Privacy Policy

The GDPR requires you to place a Privacy Policy on your website which informs your users about:

  • What data you gather and how you gather it
  • Why you gather that data
  • For what purposes you use that data
  • How you protect that data
  • Whether you share that data with any other party
  • Whether you use cookies to gather user data
  • How your users can exercise control over their data

In addition to the above information, include the following points in your Privacy Policy agreement to make it GDPR-compliant:

Who Your Data Controller Is

Clearly specify whether you are the controller of customer data or you process it on behalf of another company.

Let's look at how Amazon does it:

[Screenshot: Amazon UK Privacy Notice, "Controllers of Personal Information" clause]

In this example, Amazon states that any data that it collects is controlled and processed by Amazon and its subsidiary companies.

Contact Information of the Data Controller

You should always provide information for how your users can contact you.

Here's how CheckMarket does this:

[Screenshot: CheckMarket Privacy Policy, "For Further Information" clause with contact information]

CheckMarket provides its email as well as physical address to its users.

Inform Users of the 8 Rights They Have Under the GDPR

Under the GDPR, you are required to inform your customers about their 8 rights, which are as follows:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision-making and profiling

An example of this is Towergate's Fair Processing Notice:

[Screenshot: Towergate Fair Processing Notice, "Your Rights" clause]

Whether Providing Data Is Mandatory

As a business owner, you are required to inform your customers about whether it's mandatory or not to provide the data you request.

Here's how Apple lets users know that it isn't mandatory to provide information and what will be affected if a user chooses not to do so:

[Screenshot: Apple Privacy Policy, "Collection and Use of Personal Information" clause, with the section on providing information not being mandatory highlighted]

Whether You Transfer Data Internationally

If you transfer customer data to another country or an international company, you have to inform your customers about it in your Privacy Policy agreement.

Here's how JFrog discloses this:

[Screenshot: JFrog Privacy Policy, "International Data Transfer" clause]

You should include the legal framework and safeguards that you use or fall under when it comes to international data transfers. For example, here's how Instructure includes this information in its GDPR policy:

[Screenshot: Instructure/Canvas GDPR Policy, "Safeguards for Cross-Border Data Transfer" clause]

What's Your Legal Basis for Processing Data

As a business owner, you are required to inform your user about the lawful reason for collecting or processing their data.

Here's how Brightcove discloses this in its Privacy Policy, letting users know it relies on legitimate interests in commerce, fraud prevention and other grounds for collecting and using personal data:

[Screenshot: Brightcove Website Privacy Policy, "Purposes and Legal Bases for Processing Personal Data" clause]

14. Get Adequate Consent When Required

An effective way to obtain consent is by using checkboxes and clickwrap. GDPR-compliant consent must be freely given, specific, informed and unambiguous, and it must be given through an affirmative action (such as ticking a checkbox). Silence, inactivity, or continued use of the site does not count.

Here's an example from Adobe ID that uses a checkbox to get users to agree to the Privacy Policy:

[Screenshot: Adobe ID sign-up screen, clickwrap example with the checkbox to agree to the Terms and Privacy Policy highlighted]

Don't pre-check your boxes. Use separate boxes for requesting consent for different things, such as one for consenting to marketing emails and another for agreeing to your Terms and Conditions, and don't make consent to marketing a condition of using the service: consent tied to something the user needs is not freely given. Finally, keep a record of what each user agreed to and when, so that you can demonstrate consent later.
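As an added example (not from the article or any of the sites it cites), here is how the consent requirements above translate into code on a sign-up page: a form whose boxes are never pre-checked and are separate per purpose, server-side validation that only counts an actual tick and refuses a bundled "agree to everything" field, and a consent record that stores the exact statement shown, the time, and the policy version so the consent can be demonstrated and later withdrawn per purpose. The field names, the list of purposes, the policy version string and the sample submission are constructed for illustration.

```javascript
// Added example: consent form, server-side validation, and consent record.
// Field names, purposes, policy version and sample input are assumptions.

// Each purpose gets its own checkbox. "terms" is contractual acceptance rather
// than GDPR consent, but keeping it separate from the marketing box is the
// point: one click must not grant several unrelated things. Only "terms" is
// required, so refusing marketing never blocks sign-up.
const CONSENT_PURPOSES = [
  { id: "terms", label: "I agree to the Terms and Conditions", required: true },
  { id: "marketing_email", label: "Send me marketing emails", required: false },
  { id: "analytics_cookies", label: "Allow analytics cookies", required: false },
];

// Render the checkboxes. No input carries a `checked` attribute, so inactivity
// can never be recorded as consent.
function renderConsentForm(purposes = CONSENT_PURPOSES) {
  return purposes
    .map(
      (p) =>
        `<label><input type="checkbox" name="${p.id}" value="on"> ${p.label}` +
        `${p.required ? " (required)" : ""}</label>`
    )
    .join("\n");
}

// Validate the posted form body (a plain object of field -> value, as a body
// parser produces). Only a real tick counts as consent; a missing required box
// is an error; optional boxes may simply be left unticked.
function validateConsentSubmission(form, purposes = CONSENT_PURPOSES) {
  const errors = [];
  const granted = [];
  for (const p of purposes) {
    const ticked = form[p.id] === "on";
    if (ticked) granted.push(p.id);
    else if (p.required) errors.push(`${p.id} must be accepted to continue`);
  }
  // A single "agree to everything" field would bundle consents; refuse it.
  if (Object.prototype.hasOwnProperty.call(form, "consent_all")) {
    errors.push("bundled consent field is not accepted");
  }
  return { ok: errors.length === 0, granted, errors };
}

// Build the record stored with the account: which statement the user saw,
// whether they ticked it, when, and under which policy version. This is the
// evidence you produce when asked to demonstrate that consent was obtained.
function buildConsentRecord(userId, granted, purposes, policyVersion, now = new Date()) {
  return {
    userId,
    policyVersion,
    timestamp: now.toISOString(),
    consents: purposes.map((p) => ({
      purpose: p.id,
      statementShown: p.label,
      given: granted.includes(p.id),
      withdrawnAt: null,
    })),
  };
}

// Withdrawal is per purpose and leaves the other consents untouched. Returns a
// new record instead of mutating the stored one, so the history stays intact.
function withdrawConsent(record, purposeId, now = new Date()) {
  return {
    ...record,
    consents: record.consents.map((c) =>
      c.purpose === purposeId && c.given
        ? { ...c, given: false, withdrawnAt: now.toISOString() }
        : c
    ),
  };
}

// Usage with a constructed sample submission: terms accepted, analytics
// allowed, marketing left unticked.
const submission = { terms: "on", analytics_cookies: "on" };
const result = validateConsentSubmission(submission);
if (result.ok) {
  const record = buildConsentRecord("user-123", result.granted, CONSENT_PURPOSES, "2018-05-25");
  console.log(JSON.stringify(record, null, 2));
} else {
  console.log("rejected:", result.errors);
}
```

Storing `statementShown` alongside the tick matters because the wording of your notice will change over time; a record that says only "consented: true" does not prove what the user actually agreed to. The same record, with `given` flipped and `withdrawnAt` set, is what you consult before sending a marketing email.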

Conclusion

The GDPR affects every business that handles the personal data of individuals in the EU, wherever that business is located. To avoid non-compliance and heavy fines, you must take the necessary steps to make sure your online business is in compliance with the GDPR.

Use this quick guide as a checklist to make sure you're addressing and remembering the basics of GDPR compliance.