The Ultimate Manual To General Data Protection Regulation (GDPR) Compliance

The General Data Protection Regulation (GDPR) is one of the world’s most comprehensive data privacy laws. It was adopted by the European Union in 2016 and became enforceable on 25 May 2018.

This law is one of the main reasons you see cookie-consent notices on almost every website.

In this article, I’ll give you a high-level overview of the GDPR law, its requirements for businesses, and the steps you need to take to ensure GDPR compliance.

What Is GDPR Compliance Anyway?

GDPR compliance means meeting the data protection obligations set out in the GDPR, which has applied across the EU since 2018.

The GDPR was written to protect the personal data of people in the EU. It applies to organizations anywhere in the world that process that data, and it requires every such use to rest on one of the lawful bases the regulation lists. Consent is only one of them; a contract with the person, a legal obligation, and the organization’s legitimate interests are others.

The GDPR law puts the onus on businesses to use transparent and trackable methods to collect, process, store, and manage consumer data.

A GDPR-compliant organization must fully disclose its purpose for data collection, the ways it intends to use the data, its processes to protect consumer data, and the legal framework it follows while handling its users’ private data.

In short, GDPR compliance requires that an organization is open about everything it does with its customers’/website visitors’ data, and that it processes the personal data of people in the EU only on a lawful basis, typically the person’s clear consent or a contract they entered into.

Even if you don’t directly collect any data from your visitors, your site is likely using different tracking codes, scripts, and plugins that are silently gathering visitor data, which means you are still the controller for that data and need to be GDPR-compliant, too.

Does GDPR Apply To Businesses Outside the EU?

Even if a business is based outside the EU, GDPR applies if that business offers goods or services to people in the EU, or monitors their behaviour (for example by tracking visitors with cookies or analytics scripts), regardless of whether those people are EU citizens.

Suppose you run an ecommerce store in the US that ships to France or the Netherlands, shows prices in euros, or runs retargeting on visitors from EU member countries. In that case, you’ll still need to comply with GDPR.

Similarly, if you run a blog, an online magazine, an affiliate website, or a SaaS company, your reach is global even if your company isn’t based in the EU. If you knowingly serve EU visitors, or your scripts profile them, GDPR compliance is on you, even if those visitors are only a small share of your traffic.

Note that a site merely being reachable from the EU is not, on its own, enough to bring it under GDPR; it is targeting or monitoring people in the EU that does. Businesses that do either must comply, unless they decide to stop serving EU visitors altogether.

Why Is GDPR Compliance Necessary?

The European Union has regulated personal data for decades; before GDPR, the main instrument was the 1995 Data Protection Directive.

However, with the exponential growth of tech giants like Google and Facebook that collect unprecedented volumes of data, a directive implemented differently in each member state could no longer guarantee consistent consumer data protection. This is why the EU replaced it with GDPR, a regulation that applies directly in every member state.

Failing to comply with GDPR can have far-reaching consequences for all kinds of businesses. For the most serious infringements, organizations can be fined up to 4% of their worldwide annual turnover or 20 million euros, whichever is greater; a lower tier of 2% or 10 million euros applies to other breaches, such as failing to keep proper processing records or to notify a data breach.

How GDPR Compliance Works

GDPR outlines several privacy principles that organizations must follow to become GDPR-compliant. It also lists the rights that protect data subjects and give them control over how their information is processed.

But before diving deeper into these topics, you need to understand a few legal terms that repeatedly feature throughout the GDPR document.

GDPR Terms To Remember

Personal Data
In the GDPR, personal data is any information relating to an identified or identifiable individual. It includes identity-based information like a person’s name, age, gender, ethnicity, and religious or political beliefs (the last few count as “special category” data with stricter rules), as well as their location and postal code. Pseudonymised data that can still be linked back to a person also counts as personal data.

The term also covers online information like a person’s email address, IP address, banking details, biometric data, cookie and device identifiers, social media posts, and other published content that can be tied to them.

Basically, if it could help identify a user, it’s personal data.

Data Processing
In GDPR, data processing refers to any manual or automatic action that an organization performs on consumer data.

For a blog, data processing might mean collecting user email addresses. For an ecommerce store, it can mean storing payment details and a delivery address.

For a site like Facebook, data processing could mean web cookies, offsite browsing, search queries, recently viewed products, voice data, and any other kind of data it collects from the users. It also covers the storage, management, modification, and erasure of that data.

In short, whatever happens to consumer data under your watch is defined as data processing in GDPR.

Data Controller
A data controller is the natural or legal person (usually your company, not an individual employee) that decides why and how personal data is processed, for example the business that runs the website, application, or other online platform collecting the data.

The controller is ultimately answerable for compliance and for any violation involving the data, even when the actual processing is outsourced to a processor.

For most organizations, the company itself is the controller, with its management responsible for making sure it complies.

Data Subject
In GDPR terms, a data subject is a person whose data is being collected. Depending on your business type, the data subjects can be your email subscribers, customers, leads, fans, followers, visitors, etc.

Data Processor
Data processors process personal data on the controller’s behalf and on its instructions. In practice these are the third-party apps, tools, plugins, scripts, or products processing the data collected through your website, app, or platform, and the GDPR requires a written contract (a data processing agreement) between you and each of them.

The most common data processors are analytics tools, email marketing tools, social media plugins, user tracking heatmaps, and social media scripts like Facebook Pixel.

GDPR Compliance Principles For Organizations

Here’s a quick look at the GDPR privacy principles and what they mean.

Lawfulness, fairness, and transparency
A business must always process personal data within the legal limitations, without exploitation, and with complete transparency to the subject.

Purpose limitation
A business must clearly state the purpose of collecting personal data, which must itself be lawful, at the time it collects the data. The data can then be used only for that purpose or for a further purpose compatible with it. Any unrelated use needs a fresh lawful basis, which in practice usually means going back to the subject for additional explicit consent.

Data minimization
A business should only collect data that is necessary for achieving the declared purpose. Companies should also ensure that only the most relevant and necessary people get access to personal data.

Data Accuracy
Businesses should ensure that personal data is accurate and, where necessary, kept up to date. Inaccuracies should be corrected or erased as soon as they are discovered, and a subject’s own request for correction must be honoured without undue delay.

Storage limitation
A business may keep personal data in identifiable form only as long as it is necessary for the stated purpose. Once that purpose is fulfilled, the data should be erased or anonymised, unless a recognised reason to keep it applies, such as a legal retention obligation, archiving in the public interest, or scientific or statistical research.

Integrity and confidentiality
Businesses should process data securely and confidentially and ensure that no unauthorized person accesses the data. For this purpose, measures such as encryption, access controls, and protection against unlawful modification, loss, or destruction should be adopted.

The business collecting personal data is responsible for its security during collection, processing, and storage, including when a processor handles it. A business is also responsible for training its employees to handle personal data and for investing in its security infrastructure.

Accountability
Finally, the controller must be able to demonstrate compliance with all of the above: keep records of what you process and why, document the lawful basis for each purpose, and be able to show a supervisory authority that evidence on request.

User Privacy Rights For GDPR Compliance

The GDPR gives several rights to consumers (data subjects) and requires that all GDPR-compliant organizations protect and respect these rights. Failure to do so can result in the financial penalties that we discussed earlier.

Let’s quickly review the rights of a consumer under GDPR.

The Right to be Informed
Businesses cannot collect personal data without telling people, in clear and plain language, who is collecting it, why, on what lawful basis, how long it will be kept, and whom it will be shared with. If you rely on consent, you must obtain it at the time of collection; if you rely on another basis, such as a contract, you still have to provide this information.

If you’re not collecting data directly but getting it from a partner or a third-party app, you must inform the consumer before using it in any way.

The Right of Access
Consumers have the right to ask you for a copy of the actual data you hold about them, the purposes you use it for, and whether you share it with any other organizations or entities. You must respond to these requests, normally free of charge, within one month.

The Right of Rectification
Consumers have the right to ask your business to correct their data if it is inaccurate or to complete it if it is incomplete. You must act on these requests without undue delay and within one month (extendable by two further months for complex requests, provided you tell the person why).

The Right of Erasure
A consumer can ask for their data to be erased, for example when it is no longer needed for the purpose it was collected for, when they withdraw the consent the processing relied on, or when it was processed unlawfully. Your business must then erase it within the same one-month window, unless an exception applies, such as a legal obligation to retain the data.

The Right to Restrict Processing
Consumers can request a business to stop processing their data. In such cases, you can still store the data but can’t process it in any way.

The Right to Data Portability
Consumers have the right to receive the data they provided to you in a structured, commonly used, machine-readable format (JSON or CSV, for instance) and to move it to another service. The right applies to data processed by automated means on the basis of consent or a contract, and the data controller must facilitate the transfer, directly to the other provider where technically feasible.

The Right to Object
Consumers can object to processing that rests on your legitimate interests or on a task carried out in the public interest, and to any processing for direct marketing. An objection to direct marketing must always be honoured. For other processing, the business must stop unless one of the following applies.

  • It can demonstrate compelling legitimate grounds for the processing that override the
    person’s interests, rights, and freedoms.
  • The processing is necessary to establish, exercise, or defend legal claims.

Processing that rests on other bases, such as a contract the person signed up for or a legal obligation, is not covered by this right; the other rights above (access, rectification, erasure, restriction) still apply to it.

How to Get Started With GDPR Compliance

GDPR compliance is a continuous process rather than a one-time event. It requires a complete transformation in the way your organization collects, stores, manages, and processes consumer data.

But here are the initial steps you can follow to move towards GDPR compliance.

Note: This is not legal advice, and we strongly suggest that you consult with a GDPR expert to understand the level of compliance your organization needs and how to get there.

Step 1: Analyze Your Existing Information Handling Procedures

The first step to GDPR compliance is to analyze the existing processes in your organization when it comes to handling consumer data.

Are you collecting consumer data at all?

If yes, why are you collecting it, and how is it contributing to your business growth?

Are you only collecting information necessary for your business, or are you also collecting information that doesn’t clearly serve a purpose?

Are you communicating with your users about data collection? How and when?

How are you processing and managing the data?

Who controls data collection and management in your company?

Is consumer data secure in your systems?

These are basic but important questions you need to ask to understand how close or far away you are from GDPR compliance.

Step 2: Update Your Website’s Privacy Policy

If your website or platform doesn’t have a privacy policy statement yet, create one immediately. Your privacy policy is one of the first steps to GDPR compliance.

It should clearly state what consumer data you’re collecting and how you’re using, storing, and processing it.

Additionally, it should list the consumer’s rights under GDPR and the relevant contact details if they want to connect with you to exercise their rights.

If you’re using a generic GDPR privacy policy statement template, consult with a legal expert to ensure it covers all the bases before adding it to your website.

Step 3: Make Your Opt-In Forms GDPR Compliant

If your website collects email addresses, phone numbers, or any other information from visitors, you need to update all your opt-in forms and make them GDPR compliant.

In the old days, you could offer a free lead magnet to your website visitors to collect their email addresses and other important information. After that, you could add them to an email sequence, send them promotional material, and communicate with them whenever you wanted.

You can still do all these things, but GDPR now requires consent to be specific, informed, and freely given: one checkbox for the newsletter, a separate one for promotional emails or for sharing with partners, none of them pre-ticked, and none bundled with the download as a condition of getting it. Withdrawing consent must be as easy as giving it, so every marketing email needs a working unsubscribe link.

Step 4: Add A Cookie Consent To Your Site

Like the privacy policy, a cookie notice states the different types of cookies your website uses, their validity period, the information you collect with them, and how you intend to use it. (The cookie rule itself comes from the EU’s ePrivacy Directive, but it borrows the GDPR’s definition of valid consent.)

For compliance, users must be able to accept or decline non-essential cookies, declining must be as easy as accepting, and no tracking cookie or script may be set before the user has opted in. Strictly necessary cookies, such as a session cookie for the shopping cart, do not need consent.
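As an added example (not code from the original article), here is the gating logic behind Steps 3 and 4 written in JavaScript: a consent record built only from the boxes the visitor actually ticked, a check that the record is still valid for the current policy version, and the decision of which scripts may load. The purpose names, script URLs and the one-year re-consent interval are assumptions chosen for illustration; a real site would plug its own tag catalogue in.

```javascript
// Added example, not code from the original article: consent-gated loading
// of third-party scripts plus the consent record a controller keeps to show
// what a visitor agreed to and when. Purpose names, script URLs and the
// one-year re-consent interval are assumptions chosen for illustration.

const NECESSARY = "necessary";                        // strictly needed, no opt-in required
const OPTIONAL_PURPOSES = ["analytics", "marketing"]; // each needs its own unticked checkbox

// Hypothetical catalogue of tags and the purpose each one serves.
const SCRIPT_CATALOG = [
  { src: "/js/app.js",                     purpose: NECESSARY },
  { src: "https://analytics.example/a.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js",   purpose: "marketing" },
];

// Policy choice (assumption): ask again after a year even if nothing changed.
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;

// Build the record from the purposes the visitor actually ticked. Every
// optional purpose starts as false (nothing pre-ticked), and a purpose the
// policy never listed is rejected instead of being stored as consented.
function buildConsentRecord(ticked, policyVersion, now = Date.now()) {
  const purposes = {};
  for (const p of OPTIONAL_PURPOSES) purposes[p] = false;
  for (const p of ticked) {
    if (!Object.prototype.hasOwnProperty.call(purposes, p)) {
      throw new Error(`unknown purpose: ${p}`);
    }
    purposes[p] = true;
  }
  return { policyVersion, grantedAt: now, purposes };
}

// A stored record only counts if it was given for the policy version now in
// force and has not expired; otherwise the banner has to be shown again.
function consentIsCurrent(record, policyVersion, now = Date.now()) {
  if (!record || record.policyVersion !== policyVersion) return false;
  return now - record.grantedAt <= CONSENT_MAX_AGE_MS;
}

// Decide which scripts may run. Without a usable record only the strictly
// necessary ones load, so no tracker fires before the visitor has opted in.
function scriptsToLoad(record, policyVersion, catalog = SCRIPT_CATALOG, now = Date.now()) {
  const usable = consentIsCurrent(record, policyVersion, now);
  return catalog
    .filter((s) => s.purpose === NECESSARY ||
                   (usable && record.purposes[s.purpose] === true))
    .map((s) => s.src);
}

// Withdrawing must be as easy as consenting: one call flips the purpose off.
// The original grant time is kept, and the withdrawal time recorded, so the
// record still shows what happened when. The input record is not mutated.
function withdrawConsent(record, purpose, now = Date.now()) {
  if (!record || !Object.prototype.hasOwnProperty.call(record.purposes, purpose)) {
    throw new Error(`unknown purpose: ${purpose}`);
  }
  return {
    ...record,
    purposes: { ...record.purposes, [purpose]: false },
    withdrawnAt: { ...(record.withdrawnAt || {}), [purpose]: now },
  };
}
```

The banner UI is deliberately left out; what matters for compliance is that the tag loader calls `scriptsToLoad` before injecting anything, that the record persisted (in a first-party cookie or server side) is the one built here, and that a policy change or the passage of time forces the question to be asked again rather than silently reusing old consent.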

Step 5: Designate A Data Protection Officer (DPO)

Some organizations also need to appoint a data protection officer (DPO): public authorities, and any organization whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data (health, biometrics, political or religious views, and so on). The DPO is a data protection expert whose job is to oversee compliance in your organization, advise on data protection impact assessments, and act as the contact point for data subjects and the supervisory authority.

Step 6: Monitor Your Processes Closely

Once you’ve laid the foundation of GDPR compliance in your company, you must develop a monitoring mechanism to ensure quality control and adherence to the GDPR guidelines in your processes.

This includes training and hiring staff for GDPR compliance, investing in your security infrastructure, and aiming for continuous improvement.

Step 7: Schedule GDPR Audits To Ensure Compliance

There is no general legal requirement for an external GDPR audit. The regulation does, however, require you to keep records of your processing activities and to run a data protection impact assessment before any high-risk processing, and an external review is a good way to check that those records match reality.

For this purpose, you can hire the services of an audit firm to review your process from a GDPR compliance perspective and recommend any improvement actions.
