Every company that processes the personal data of individuals in the EU must meet the legal requirements set out in the GDPR. Failing to ensure GDPR compliance can have serious consequences, from administrative fines to reputational damage and lost customers. It is therefore in every company’s best interest to stay on the right side of the EU’s data protection regulation.
This article outlines some practical steps to help businesses comply with their GDPR duties and ensure the adequate protection of the personal data entrusted to them.
1. Build and maintain an up-to-date list of your data processing activities
Building and maintaining a record of all your data processing activities is the first step toward ensuring GDPR compliance. According to the law, the record should include the following information:
- the name and contact details of your business
- the categories of personal data that you collect
- the processing purpose for each type of personal data
- the employees and third parties that have access to the personal data
- the security measures meant to ensure the protection of the personal data
- the retention period for each category of personal data
Having a comprehensive overview of all your data processing activities makes it easier for you to identify potential risks, take appropriate measures to prevent them, and demonstrate your GDPR compliance to the authorities.
However, there is an exception. Companies with fewer than 250 employees are not legally required to maintain records of their processing activities, provided that all of the following apply:
- they only process personal data occasionally,
- the processing is unlikely to result in a risk to the rights and freedoms of data subjects, and
- the processing does not include special categories of data or data relating to criminal convictions and offences
2. Rely on an appropriate legal basis
Companies are only allowed to process the personal data of individuals in the EU when one of the following legal bases for data processing applies:
- Consent: the individual has agreed to the processing of their data. If you choose to rely on consent, there are some additional requirements that you have to meet.
- Vital interest: the processing is necessary to protect someone’s life or physical integrity
- Contract: the processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one
- Public interest: the processing is necessary for a task carried out in the public interest or in the exercise of official authority
- Legal obligations: the data processing is required to meet a legal obligation
- Legitimate interest: the processing is necessary to further a company’s legitimate interest, and the individual’s interests, rights, and freedoms do not override this legitimate interest
If none of the six legal bases applies, the data processing is unlawful.
3. Let individuals know how you intend to process their data
The GDPR requires companies to provide individuals with clear, concise, and transparent information, typically in a privacy notice, regarding:
- why the data processing is necessary and on which legal basis it rests
- how they intend to process the data
- who will have access to the data
- the security measures they have taken to keep the data safe
4. Take data protection into account at all times
According to the GDPR principles of data protection by design and data protection by default, companies must design new processes, policies, products, services, and systems with data protection in mind. Furthermore, they should ensure that the most privacy-friendly settings are always the default settings.
5. Put in place appropriate measures to protect the data entrusted to you
To ensure GDPR compliance, companies must apply technical measures appropriate to the risk. The GDPR names pseudonymization and encryption of personal data explicitly. Anonymization goes one step further: data that can no longer be linked to an individual falls outside the GDPR altogether, so anonymize whenever the purpose allows it. Pseudonymized data, by contrast, remains personal data, because the additional information (the key or lookup table) needed to re-identify the individual still exists and must be kept separately and protected.
Other security measures that help protect the confidentiality and integrity of personal data include access control, anti-malware software, firewalls, multi-factor authentication, and regular, tested backups.
6. Educate employees about data protection and provide GDPR training
Negligence and lack of awareness are often to blame for data breaches. Companies must therefore educate employees about the importance of data protection and provide appropriate training, especially to staff members who have access to personal data.
You should also develop an internal data protection policy that explains how employees should handle personal data, and share it with your entire staff.
7. Conduct a Data Protection Impact Assessment
In specific cases, the GDPR requires companies to conduct a Data Protection Impact Assessment, or DPIA.
You must carry out a DPIA whenever data processing is likely to result in a high risk to individuals’ rights and freedoms. Examples include cases in which:
- the data processing may lead to discrimination
- the data processing may give rise to identity theft or fraud
- the data processing may cause financial loss to the individual
8. Establish a process to notify the authorities and individuals in case of a data breach
If a data breach does happen, you must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the affected individuals, you must also inform them without undue delay. Keep an internal log of every breach, including those you decide not to report, together with the reasoning behind that decision.
9. Appoint a person responsible for ensuring GDPR compliance across the company
Not all companies are legally required to appoint a data protection officer (DPO), but every company should designate a person responsible for ensuring and overseeing GDPR compliance across the business.
10. Have a Data Processing Agreement (DPA) in place
If your company relies on other organizations to process personal data on its behalf, you must have a Data Processing Agreement (DPA) in place.
The Data Processing Agreement should set out the rights and obligations of each party with regard to the protection of personal data, including the processor’s security measures, sub-processor arrangements, and breach notification duties. Both the data controller and the data processor must sign the DPA.
11. Make it easy for data subjects to exercise their GDPR rights
The GDPR sets out eight essential data subject rights:
- the right to be informed about how their personal data is processed
- the right to request and receive a copy of all the personal data that you hold about them
- the right to have any inaccurate or incomplete information rectified
- the right to request the deletion of the personal data you hold about them
- the right to receive their personal data in a structured, commonly used, and machine-readable format
- the right to restrict the processing of their personal data
- the right to object to the processing of their personal data
- the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them
To ensure compliance, companies must make it easy for data subjects to exercise their rights and must respond to requests within one month, extendable in complex cases.
Companies must stay on top of their GDPR compliance duties to protect themselves against data breaches, expensive lawsuits, and penalties. A strong focus on data protection does more than mitigate risk, though: it also helps businesses gain and retain customer trust.