The Basics of GDPR Compliance
Before we begin outlining the steps you need to take for GDPR compliance, let's take a trip down memory lane to remind ourselves of the rationale behind this entire situation. Do you remember the state of the internet in 1995? That's back when it was spelled with a capital "I," email was "electronic mail," and few of us knew anything about data security or, for that matter, had enough personal information online to be worth protecting. It was also the year the European Union adopted the Data Protection Directive, the framework that governed personal data in Europe until the GDPR replaced it.
What Is the GDPR?
If collecting and using personal data in the EU has felt as lawless as the Old West for the last 25 years, the GDPR, or General Data Protection Regulation, is the new sheriff in town. The GDPR establishes more stringent requirements for organizations that handle the personal data of people in the European Union (EU) and the European Economic Area (EEA), regardless of those people's citizenship.
This regulation went into effect on May 25, 2018, replacing the 1995 data protection directive. Unlike a directive, a regulation applies directly in every member state without separate national legislation. The GDPR covers the processing of personal data by organizations established in the EU, and it also reaches organizations outside the EU and EEA that offer goods or services to people there or monitor their behavior, as well as transfers of personal data out of the EU and EEA.
The GDPR is designed to give consumers control over their own personal data in four main ways:
- Consent: People have the right to choose whether or not an organization can collect their data, and if so, what data they collect.
- Transparency: People know about the data that is being collected and what it will be used for, and companies must be open about any possible data exposure in the event of a security breach.
- Access: Consumers can obtain a copy of any personal data an organization holds about them, along with the option to have it corrected or deleted (subject to exceptions, such as data the organization is legally required to keep).
- Security: Consumers feel confident that their personal data is being stored in a secure manner.
What Is Personal Data?
When people think of personal data, they often imagine the kind of information they think identity thieves would find useful: passwords, bank accounts, medical records, Social Security numbers, and the like. That’s not wrong—all of the aforementioned pieces of data are personal data—but it’s not the whole picture.
Personal Data: Identifying Versus Identifiable
In reality, personal data under the GDPR is a much broader category. The regulation defines it as any information relating to an identified or identifiable natural person, where "identifiable" means the person can be picked out directly or indirectly, including by combining the data with other information. For practical purposes it helps to think of it as two types: identifying data and identifiable data.
Identifying data is the kind of information we've already mentioned above: data that identifies you as an individual person on its own, like your driver's license number, biometric information, or Social Security number. It's the kind of sensitive information that might by itself or in combination with another piece of trivia (like your mother's maiden name) be used to prove or steal your identity. Some of it, such as biometric, health, or genetic data, falls into the GDPR's "special categories," which carry stricter rules.
The second kind, identifiable data, includes almost any other information about you, from your email address, your age, and your occupation to your shirt size and favorite color. None of it may identify you on its own, but the GDPR still treats it as personal data when it relates to a person who can be identified. This also includes any information that reveals your activity or location, including electronic information like your IP address, tracking cookies in your browser, GPS signal, and cell phone data; the regulation explicitly names online identifiers and location data as examples.
While there are many laws and regulations, like HIPAA, for example, that apply to collecting and using identifying information, the GDPR is designed to give people control over all of their personal data, both identifying and identifiable. As a result, it defines personal data by this broad test rather than by an exhaustive list of data types. That means organizations that collect any information about people need to be extremely careful about how they collect, store, and use it.
What Does GDPR Compliance Mean for U.S. Companies?
Many people assume that the GDPR only applies to companies with clients or a physical office in the EU. However, the law also applies to organizations outside the EU that offer goods or services to people in the EU or EEA (even for free) or that monitor their behavior, for example through website tracking. You don't need an office or a contract in the EU to be within scope; a U.S. website that markets to and tracks EU visitors can be. And since fines for noncompliance can be as high as 20 million euro or four percent of your organization's yearly global revenue, whichever is higher, it makes sense to spend the effort on GDPR compliance.
GDPR Compliance Checklist for U.S. Companies
As a first step, before beginning any GDPR compliance initiatives, we recommend that you seek advice from a qualified expert who can analyze your situation and suggest proper action appropriate for the type and quantity of information your organization collects and how it uses that information. If your organization is a public authority, or its core activities involve large-scale regular and systematic monitoring of people or large-scale processing of special categories of data (such as health or biometric data), the GDPR requires you to appoint a Data Protection Officer (DPO) with expert-level knowledge of data protection laws and practices.
Please note that none of the following advice is legal advice; it’s simply what we have constructed after researching other expert recommendations and the official GDPR website (which, for the record, has its own compliance checklist).
1. Review, Document, and Publish Your Data Collection and Handling Practices
The GDPR requires most organizations to maintain an up-to-date record of their processing activities (often called a "record of processing" or data inventory). This is a good thing because the best way to know what you need to do to become GDPR compliant is to first understand:
- What data your organization collects from the public
- Where and how you collect that data
- How you store and protect the data you collect
- How you use that data
Creating such a list is not only required, it also ensures that your later efforts to verify, protect, communicate about, and allow control over personal data aren’t stymied due to an incomplete grasp of your data handling activities.
Your review should include analyzing your current data to determine what types of data you already own, from whom, and how that data is stored and made accessible. For example, this might include:
- Mailing lists
- Email marketing lists
- Phone numbers
- Financial information
- Client company information
You should also document the methods and channels you use to collect personal data, which is important in order to establish your lawful basis for processing (consent or otherwise) and to ensure security. This might include:
- Events or online presentations
- Active digital tracking
- Passive digital tracking
- Phone sales or online form fills
- Business partners, third-party apps, plug-ins, or contracted agents that collect data as part of their function
Most companies will benefit from assigning an individual or team of individuals to act as the central point of data management and GDPR compliance. This person or team can create a plan of action for the various departments involved and act as a liaison and single point of contact between the company and any outside agents or authorities, such as an external DPO or an EU-based data manager. This internal data management role or team can also monitor ongoing data handling efforts, ensure external communications are up-to-date, and coordinate any staff training about proper data collection.
2. Verify Consent (or Another Lawful Basis) at All Data Collection Points
After a full documentation of your data collection and handling practices, your organization needs to confirm that every piece of personal data you already hold was collected on a lawful basis. Consent is the basis most people think of, but the GDPR also recognizes others, such as performance of a contract, a legal obligation, or a legitimate interest that isn't outweighed by the individual's rights. Where consent is the basis you rely on and it was never properly obtained, you must either securely delete the data or obtain consent now. You've probably seen consent requests all over the place in the form of cookie consent banners on websites.
These notifications are only a part of GDPR consent compliance, one that makes a formerly invisible practice visible to consumers. To stay in compliance, consent must be freely given, specific, informed, and unambiguous, which means a clear affirmative action rather than a pre-ticked box or silence, and it must be as easy to withdraw as it was to give. You need to obtain it in any situation where consent is your basis for collecting information, whether in person or online, in a form or other entry by the public. That includes data that you collect or have collected for research, marketing, sale of goods and services, or at any other time. You must disclose how you plan to use the data in clear language, and the best way to do so is via a notice in the same place as the form being filled. Keep a record of who consented, to what, when, and how, since the burden of proving consent is on you.
The GDPR requires consent from a parent or guardian when an online service offered directly to a child collects personal data from a child under 16 years old (member states may lower this threshold to as low as 13). Best practice in this case would be to provide an age verification process appropriate to the risk; a check box acknowledging that the person is over 16 is the minimum and is easy to bypass, so higher-risk services should do more.
In the case of data you've already collected on the basis of consent that you cannot document, you should either request fresh consent by contacting the data subjects or securely delete that data, as continuing to use it without a valid lawful basis would violate the GDPR.
3. Implement GDPR-Compliant Data Security Measures
GDPR compliance requires that organizations take appropriate technical and organizational measures to protect the personal data they collect, store, and use, from the time it is collected until the eventual deletion of that data. What is appropriate depends on the nature and amount of the data collected, the intended use, and the risk to the people concerned, and must follow "data protection by design and by default" principles. The regulation gives examples of such measures: pseudonymization and encryption of personal data, the ability to restore availability and access after an incident, and regular testing of the effectiveness of your controls.
We suggest consulting both an attorney and a reputable security expert in order to define what is appropriate for your own organization, and the measures you take should be documented in the record from step one. You should also communicate your security measures internally so that everyone is up to speed on what you're doing and what needs to be done in the event of a security issue.
4. Revise and Maintain Privacy/Data Request Policies
As part of communication and consent, Article 12 of the GDPR requires you to communicate about your collection and handling of data in a concise, transparent, and easily accessible way, and Articles 13 and 14 spell out what your privacy policy must say. To be compliant, you have to inform readers of what data you collect, your purposes and lawful basis for using it, who receives it (including any transfers outside the EU), how long you keep it, and the rights they have to access, correct, delete, or object to the use of their data.
GDPR compliance also requires that companies make it easy for users to request a copy of the data you've collected and to request that you correct, delete, or stop using their data. You generally must respond within one month of receiving a request, and you must verify that the requester is who they claim to be before handing over data. Best practices would suggest that you clearly communicate this on an independent page with links to make such requests and that you link to the page from within your privacy policy.
5. Develop a Data Breach Plan of Action
In the event of a personal data breach, the GDPR requires notifying the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected; if you miss the deadline, you must explain the delay. Which authority is competent depends on where your organization or its EU representative is established and where the affected people are. Ireland's Data Protection Commission, for example, is the lead authority for companies whose main EU establishment is in Ireland. Organizations with no EU establishment that fall within the GDPR's scope generally must appoint a representative in the EU, who is the natural point of contact for authorities.
We highly suggest creating a plan of action to deal with possible data breaches. Doing so helps ensure you are practicing appropriate data security even after an event compromises your data security measures. A data breach plan might include:
- Restricting access to the affected data to incident responders until the cause has been identified, the intrusion contained, and security measures restored or updated, while preserving logs and other evidence needed for the investigation
- Notifying stakeholders internally of what happened with a possible timeline of when it happened and how long it will take to recover
- Documenting the timeline of the event and cataloging any data that may have been exposed
- Notifying authorities of the data breach
- Communicating to the entire organization about the data breach, its implications, and appropriate ways to discuss it with or handle information requests from clients or the media
- Creating an official communication to send to any affected people outside the organization
- Creating a public statement about the data breach with instructions to find further information
As far as being compliant, the GDPR requires organizations to inform the people whose data was exposed "without undue delay" when the breach is likely to result in a high risk to them. There is no fixed number of hours for this step, and it is not required if the data was protected by measures such as strong encryption that make it unintelligible to whoever obtained it, or if you have since taken steps that remove the high risk. Note that encryption only helps here if the keys were not exposed along with the data.
Don’t Be Afraid of GDPR Compliance
GDPR compliance can seem overwhelming and fraught with risk for the average non-expert. And to a certain extent, it is—that’s why we recommend seeking expert advice from someone who understands your legal obligation for compliance.
Becoming GDPR compliant if you’ve never handled data securely or collected it with consent in the past may take some serious effort. Even if you have been responsible with your data, tracking down all the areas where you need to add disclaimers and clearly seek consent can be time consuming.
But, at the same time, we think the GDPR is a great move, and one that's long overdue. It may seem arduous right now to implement so many measures, but in an era when more and more data is going online, and cases of that data being used improperly or exposed to the wrong people are multiplying, the GDPR and other measures like it are a good thing.