Navigating GDPR Compliance: A Detailed Guide for Modern Businesses

Business entities processing personally identifiable data from the EU must implement compliance measures immediately.

The European Union’s General Data Protection Regulation (GDPR) is a regulation that compels businesses to protect the personal data and privacy of EU citizens. It also requires oversight of personal data that is exported outside of the EU. Non-compliant companies may be fined up to EUR 20 million or 4% of their total global revenue for the preceding fiscal year, whichever is higher.

GDPR should not be taken lightly.

GDPR compliance has become a pressing issue in recent months as Google lost major lawsuits over its deployment of Google Analytics. For this reason, we have prepared a 30-second self-assessment that determines your technical requirements and recommends services to bring your website up to speed.


Data that GDPR protects

Personal data that relates to an identified or identifiable individual, for example:

  • Name, address, and/or ID numbers
  • Web data, such as location, IP address, cookie data, and RFID tags

Special Category Information, for example:

  • Health and genetic data
  • Political opinions
  • Biometric data
  • Racial or ethnic data
  • Sexual orientation

Being GDPR compliant is not easy

Thorough planning is required, and several factors must be considered, including:

  • The storage, transfer, access, and security of electronic information
  • Document retention schedules and their implementation
  • Written proof of compliance
  • Documentation pertaining to data protection
  • The type of data that is being stored and transferred
  • Incorporation of newly-created data
  • Data accessibility
  • Data content

Data Protection Officer

A Data Protection Officer (DPO) is required in some circumstances. Part of their role is to follow a strict protocol to identify personal data that the company processes and ensure its protection under GDPR guidelines.

Understanding the content of the personal data

Companies should understand the nature of the personal data they store, not merely where it is stored. They should understand whether the personal data is processed under a binding contract or agreement, or what other legal basis they have for processing it.

Data mapping

It’s impossible to ensure security if the DPO doesn't know the location or the content of the corporate data. If the corporation’s data map is incomplete, there should be a discussion with IT stakeholders. Going forward, collaboration between all business areas, IT, management, and the corporate legal department is essential for a comprehensive data management plan, which in turn is a significant step toward GDPR compliance. Note that personal data held by third-party providers, including cloud service vendors and data archival companies, also falls within the scope of GDPR compliance.

Obtaining customer consent

An individual's consent is one of the bases for storing and transferring data. A company must obtain a clear affirmative statement from the customer allowing it to process and use their data. Likewise, an individual has the right to know where their data is stored and how it is processed. They also have the right to challenge the company for holding inaccurate information and to demand its correction or deletion. Note that consent is not the only basis for processing personal data. Under GDPR, there are six legal bases that can apply to the processing of personal data:

  • Consent
  • Contract
  • Legal Obligation
  • Vital Interests
  • Public Task
  • Legitimate Interests

Sending security alerts

It is important for a company to have competent technical support to avert data breaches. In the event of a breach, the company should have procedures in place to inform both the affected individuals and the company. The company should be able to tell its customers specifically what was exposed. The GDPR places a duty on all organizations to report certain types of personal data breach to the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach, where feasible.

Monitoring data transfer

GDPR places strict restrictions on personal data transfer. Corporate entities should have an enforceable plan to prevent unauthorized data transfers. Any transfer of data outside of the EU should first meet GDPR requirements. A series of questions about the content of the data needs to be answered. If the data is especially sensitive, additional restrictions must be imposed. If needed, permission for transmission can also be revoked.