Understanding the General Data Protection Regulation (GDPR)
Working with citizens or customers from the European Union (EU) demands that you follow the strict rules of the GDPR. Failure to adhere to these regulations can attract huge fines. And for evidential purposes, we have seen big names like Amazon and Google paying tens of millions in fines.
GDPR is there to protect the personal data of EU citizens by controlling how organizations collect, store, process, and destroy this data. Whether you operate within or outside the EU but in one way or the other, you have access to the personal data of EU residents, you should seek to be GDPR compliance as soon. By personal data, we mean any piece of data that can identify a natural person, including names, addresses, sex, biometrics, online identifiers, ethnicity, racial, political/religion, and health information.
How to Become GDPR Compliant
Since going into effect on May 25, 2018, many small, medium, and even large businesses are struggling to comply fully with the GDPR rules. This is especially true for online businesses, as they cannot truly tell whether they are transacting with a resident of the EU. Therefore, if you ship or your app/online services are available in the EU countries, you need to fast-track your GDPR compliance to avoid disastrous repercussions.
After ascertaining that your business needs to be GDPR compliant, the next question to ask yourself is whether you’re a data controller or processor?
Data Controllers
According to GDPR, a data controller is any individual, agency, body, or public/private entity that determines the means and purpose of personal processing data. As a controller, GDPR requires you to:
- Get consent before obtaining data
- Ensure transparency, confidentiality, and accuracy of data
- Control access of the data
- Enforce lawfulness of data processing
Data Processors
These include parties that create, collect, and manipulate personal data. Mostly they can be doing so on behalf of data controllers, but sometimes some controllers are also processors. Their obligation according to GDPR, is to:
- Only process data according to controller’s guidelines
- Not contracting sub-processors without the knowledge of the controller
- Securing the data in their possession through accountability and using international transfer protocols when transmitting data
- Notify the data controller in the event of a breach
- Cooperate with authorities when need be
10 Steps Towards GDPR Compliance
If you’re looking to review your GDPR compliance status to attain compliance status, here is your ultimate checklist
- Know the data you’re collecting or need to protect.
- Have the right people handle your compliance. For instance, you may need a compliance officer and a data protection officer (DPO). In fact, article 37 of GDPR mandates controllers and processors have a DPO.
- Use a cybersecurity framework, such as NIST (or PCI DSS if you work with credit/debit cards).
- Conduct a comprehensive cybersecurity risk assessment to determine existing loopholes in your system.
- Have a GDPR diary. This helps keep track of your organization’s compliance as well as establish data governance, i.e., policies and procedures controlling personal data under your care.
- Review your data collection requirements and implement proper controls
- Have data owner rights in order. This includes obtaining necessary consent before collecting data and verifying the subject’s age (GDPR only allows users under 16 to consent through a person owning their parental responsibility).
- Maintain clear documentation of your data storage and processing methodologies
- Train your workers
- Conduct regular gap analysis and remediation of your current system. This can help you keep your privacy policy up-to-date and also identify new risks posed by third parties.