What is GDPR? GDPR Compliance Checklist

Many companies entering the EU market are horrified at how many rules there are regarding the processing of personal data. Despite hundreds of pages of rules, restrictions, regulations and excessive fines for their non-compliance, the GDPR is not as scary as it seems. First of all, we need to understand what is the definition of the GDPR?

GDPR (General Data Protection Regulation) is a privacy (and partly security) law adopted by the European Union. Fines for not being GDPR compliant are high reaching either 4% of annual global turnover or up to €20 million. However, filling the budget with fines is not the EU’s main purpose. This Regulation is a serious effort to establish and cultivate respect for personal data among clients. In this article we will tell you about what the GDPR in simple terms is. Read our checklist below and become compliant with the GDPR:

Do you process personal data within the GDPR?

The first item on our GDPR checklist is the definition of personal data. Pursuant to the General Data Protection Regulation, personal data (PD) is any information relating to an individual that is identified or identifiable. The GDPR provides a non-exhaustive list of identifiers, including, but not limited to:

  • name;
  • identification number;
  • location data;
  • online identifier.

Online identifiers includes IP addresses and cookie identifiers that allow you to identify a person.

Secondly, you shall understand whether you are a controller or a processor. And moreover, you should differentiate these roles. In simple terms, the controller is a person or organization that decides how and for what purpose personal data is processed. The processor is a person or organization that processes personal data on behalf on the controller.

At last but not least, GDPR is applicable to your company not only if you are operating in the EU market. You have to comply with the Regulation if:

  • your company established in the EU;
  • your company established outside the EU and is offering goods/services or is monitoring the behaviour of individuals in the EU.

So, if you collect or process personal data within the GDPR, read our GDPR checklist further.

Is your Privacy Notice is transparent?

A privacy notice (or policy) is a public document from an organization that explains how the organization processes personal data and how it complies with the data protection principles enshrined in the GDPR.

Your privacy notice or privacy policy should be compliant with transparency requirement of GDPR. The controller shall take appropriate measures to provide any information referred to the requirements of GDPR relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language to achieve overall GDPR compliance. Put simply, you as a controller must be clear, sincere and fair with people from the start about how you will use their personal data.

Also, your Privacy Notice should be delivered in a timely manner and provided free of charge. Do not try to confuse the user: avoid using qualifiers such as “may,” “might,”, “often,”, “probably” as they are purposefully vague.

What should my registration fields look like?

A good GDPR field is one of the main keys to success in GDPR compliance process. Yes, the field that you see in the footer when you visit the sites is of the utmost importance. Using a GDPR cookie or privacy banner, the collector of personal data can familiarize you with their privacy practices and routines.

GDPR field is a possibility that allows you to collect, store and track consent from your consumers. Be aware: GDPR fields don’t make you GDPR compliant directly. Your product must comply with the GDPR in all aspects. But a proper and thorough GDPR field is your way to ensure contact with your potential personal data subject. As we said above, your GDPR field must not be confusing and should be clear and easily accessible even to a child.

Can your customers access their personal data?

Current data subject rights require you to provide access to data when users need it for rectification or even complete erase. Pursuant to the GDPR, the data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, obtain access to the personal data and the following information.

Therefore, your users should be aware of the purposes of processing, the recipients or categories of recipient to whom the personal data have been or will be disclosed (specific names of third countries or international organisations). Also, do not forget to mention the right to lodge a complaint with a supervisory authority in your privacy policy.

The GDPR doesn’t indicate how exactly to make a request. Thus, an individual can make a request of getting personal data to any part of your organisation (even through social media). Users also can do it verbally or in writing.

What type of personal data can you collect?

Next step in our GDPR Checklist is defining what type of personal data you can collect. Let’s assume you are collecting names, identification numbers, location data or online identifiers of your users. In most cases this is permitted. But what if you are not limited only by this data? GDPR distinguishes sensitive data (also so-called special categories of data) among personal data. These include, but are not limited to:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life;
  • data concerning a person’s sexual orientation.

If you process special category data, you need to consider the purposes of your processing and determine which of these conditions are relevant:

  • (a) Explicit consent
  • (b) Employment, social security and social protection (if authorised by law)
  • (c) Vital interests
  • (d) Not-for-profit bodies
  • (e) Made public by the data subject
  • (f) Legal claims or judicial acts
  • (g) Reasons of substantial public interest (with a basis in law)
  • (h) Health or social care (with a basis in law)
  • (i) Public health (with a basis in law)
  • (j) Archiving, research and statistics (with a basis in law)

If you process special category data it is likely to be a high risk activity. In this case you should carry out a DPIA.

What is a Data Protection Impact Assessment?

Where you process sensitive data or use new technologies in your personal data process, it is likely to result in a high risk to the rights and freedoms of your users. In these cases you should carry out a DPIA. Of course, it is possible that you just process sensitive data without any risk to it. But it is not always the case. Therefore, the controller should justify and document the reasons for not doing a DPIA.

How to understand whether you need a DPIA? In cases where it is not clear whether a DPIA is required, the WP29 recommends that a DPIA is carried out nonetheless as a DPIA is a useful tool to help controllers comply with data protection law. As you can see, even if there is a very small chance of putting the data at a high risk, you should carry out a DPIA.

 

A DPIA shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

After you’ve carried out the DPIA, you have to publish results of this assessment. If you don’t want to expose the information in full, you can make a conclusion or a summary of your DPIA.

Do you process personal data of children?

Pursuant to the GDPR, children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.

If you process children’s personal data then you should think about protecting their personal data from the outset. Your systems of processing personal data should have been designed according to the principles of the GDPR.

The main rule says you must have a valid lawful basis in order to process personal data. For the processing of personal data of adults, a valid consent is often sufficient. However, things are not so simple with children, since children are not always legally capable to be responsible for their actions. Let’s be fair, even adults read the Privacy Policy once in a blue moon, not to mention children. Another key thing to remember that sometimes using an alternative lawful basis, but consent, is more appropriate and better for protection of children.

Does your product comply with the principle of privacy by design and privacy by default?

The next major step in our GDPR Checklist is to keep the hand on a pulse of new and risky projects and technology. The GDPR requires data protection requirements to be considered when new technologies are designed or on-boarded or new projects using data are being considered. This exactly what “data protection by design and by default” is. Basically, this means you should take care of users personal data protection into at the design stage.

Article 25(1) specifies the requirements for data protection by design:

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the  determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

Article 25(2) specifies the requirements for data protection by default:

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

So, what are you exactly required to do with all these rules? There is no single one-size-fits-all answer for everything. The key is that you have to keep in mind data protection issues from the start of any processing activity, and adopt appropriate policies and measures that meet the requirements of data protection by design and by default. For instance, you can ensure transparency in issues of personal data processing or invent new security approaches to protect personal data that suits your business model and technology used.

Do you need a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is a person appointed by a data controller to monitor the application and ongoing compliance with GDPR. But there are only three cases when appointing a DPO is a must:

  • the processing is carried out by a public authority or body;
  • processing operations require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

If the company is not required to have a DPO, you may appoint a voluntary DPO. A DPO contact details must be notified to the regulatory authority and published to the public. Nevertheless, European regulators unanimously urge not to neglect such a specialist and delegate the authority to protect personal data to a professional in this field.

It should be remembered that some Member States introduce additional requirements for DPO at their legislative level. For example, the German rules regarding the duty to appoint a data protection officer are stricter than those stipulated by Art. 37 GDPR. Companies operating in Germany must designate a DPO if they constantly employ at least 10 persons dealing with the automated processing of personal data or if they commercially process personal data for the purpose of transfer or anonymous transfer, or for purposes of market or opinion research.

Can you transfer EU residents’ personal data outside the EEA?

Under the International Data Export rule of the GDPR, companies are permitted to export data within its group and third-party vendors outside the European Economic Area (EEA) if the country in which the recipient of such data is established has an adequate level of protection.

What is the adequate level of protection? European Commission has made a full finding of adequacy about these countries: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The Commission has made partial findings of adequacy about Japan, Canada (private organizations) and the USA.

If there is no “adequacy decision” adopted with regard to the particular non-EU country, you should find out whether you can make the transfer personal data under other “appropriate safeguards”, which are listed in the GDPR:

  • A legally binding and enforceable instrument between public authorities or bodies;
  • Binding corporate rules;
  • Standard data protection clauses adopted by the Commission;
  • Standard data protection clauses adopted by a supervisory authority and approved by the Commission;
  • An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;
  • Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;
  • Contractual clauses authorised by a supervisory authority;
  • Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by a supervisory authority.

For doing such a transfer of the EU residents’ personal data you don’t need to obtain a special permission. In conclusion, you should use common sense in these relationships and act pursuant to the principles of the GDPR, and choose the safeguard best suited for your own unique case. If you are not sure, you can always ask an expert for some guidance.

Thank you for reading our GDPR Checklist to the end. We hope that we were able to explain what is the GDPR in simple terms.

    Your question to IT lawyers


    Subscription