GDPR
Eight best practices & steps for GDPR compliance
When the General Data Protection Regulation (GDPR) came on the scene, the way companies collect, process and store data was forever changed. GDPR requires companies across the European Union (EU) to protect the privacy of, and safeguard the data they keep on their employees, customers and third-party vendors — also referred to as data subjects.
While the GDPR is an EU law, it applies to any company that makes its website or services available to EU citizens, including US companies.
As companies continue to wade through the many data and privacy regulations that have followed on the heels of GDPR, achieving GDPR compliance is still a work in progress. This has to do with the implications and nuances of each business and how they interpret and address requirements. Please note: It’s important to be advised by legal counsel on all data regulation matters.
What GDPR has done is made companies realise they have a responsibility to keep the data they collect secure. They also have to minimise the risk of data breaches as best they can by taking a company-wide approach to data management. Companies are being forced to take the appropriate steps to review how they process data and take adequate action. To develop an efficient data protection strategy, a company must consider their unique business scenario. Compliance with GDPR is not a one- size-fits-all approach. Every company needs to have a strategy that is aligned to their specific business along with clear visibility into how they go about collecting, processing, disclosing, storing and deleting data.
Even with no ‘out of box’ template for GDPR compliance, there are some best practices that all companies can use to form the basis of their approach. Here’s a look at eight key areas that provide a path forward to achieving compliance.
8 Best practices & steps for achieving GDPR compliance
1 - Know the key concepts and articles regarding GDPR. We encourage you to read our blog: What are the GDPR Guidelines? Everything You Need to Know for a full review of the guidelines and principles set forth with GDPR.
2 - Conduct a full data audit, and review data collection forms. To even begin your compliance planning, you have to determine what personal data you have and where it resides. Utilise mapping to find out where personal data is, where it came from, who has access to it and what it’s being used for.
3 - Review and update your company’s privacy policy. Expand on your consent notices, across your website, brochures and third-party contracts. Use clear, concise language in written communications and make sure information is presented in a fully transparent manner. For example, upon entering your website your cookie and privacy policy should pop up for people to accept or read quickly and easily. This should be available consistently across all of your communication channels (web, mobile, etc.).
Create a dependent verification process for the collection of personal data for people under the age of 16. To collect the parent’s email and process a separate consent, you will need a form or automated email notification. Obtaining consent also applies to collecting personal data in person, such as at an event, asking for consent and including a check box or other field for the person to check or initial when the individual has agreed to be emailed. Add a “Country of Residence” field to web forms. If at an in-person event, also ask for the person’s “Country of Residence.”
4 - Train and inform people that need to know about the principles of GDPR. Compliance is not the sole responsibility of your IT team or your appointed Data Protection Officer (DPO). Following the requirements of GDPR impacts many groups across your company, including sales, marketing and customer service. All of your teams need to know what the expectations are for meeting guidelines and they need to receive the training and education to make compliance possible through various systems (e.g., CRM).
5 - Report data breaches. Understand that a company’s appointed DPO must notify privacy regulators and affected individuals in the event of certain data privacy breaches within 72 hours – without the correct tools this could take some time.
Demonstrate compliance to regulators on a security-by-design basis and maintain records of data protection management. If you have not got consent to hold a person’s personal data – you must delete it.
6 - Ensure customers are aware of their right to demand full details of the information held on them. Under GDPR, citizens now have rights on what data is being stored. Explain the option to opt-out of future marketing. Highlight to your customers when data that’s been collected may be sent outside the European Economic Area, to Government Digital Service centres overseas for example, where data protection may not be as strong as within the EEA. Along with this explain exactly how it could be used to meet the new requirement for ‘clear affirmative action,’ which puts an end to pre-ticked boxes and bundled consents.
7 - Take practical steps to deal with Subject Access Requests and the Right to Erasure. Companies are required to comply with a data subject’s request for access to their data no later than one month after receiving it. If the request is received digitally, a response needs to be provided in a commonly used file format, such as CSV, XML or JSON. There are tools available to help speed this process up.
When a data subject exercises the right to request erasure of their data either verbally or in writing, companies have one month to respond to a request. The right is not absolute and only applies in certain circumstances. For example, it is not applicable if the data is needed to comply with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority (source).
8 - Utilise technology to automate key processes. One of the first steps to compliance is discovering the personal data you have across your entire company. Enterprise Recon enables you to quickly and easily discover, remediate and report on more than 300 predefined and variant personal data types across multiple systems, and makes compliance much easier to achieve. With Enterprise Recon, you have the information you need to take measures to ensure personal data is appropriately secured.
Final thoughts
At Ground Labs, we are dedicated to helping you take the right steps towards achieving GDPR compliance and our team of experts has worked with thousands of companies supporting them in their data protection efforts. We’d love to help you develop the right strategy and provide you with the best data discovery tool to put you on a path to compliance. Set up a discovery call with us today!