Knowing whether you need to be compliant with GDPR’s privacy regulations is fairly straightforward. If you serve EU customers, it most likely applies to you. But knowing exactly what you need to do to be compliant is another story.
If you’re looking for guidance on how to comply with GDPR, we’ve got you covered. This article breaks down key concepts and explains what’s required under GDPR.
An overview of GDPR compliance requirements
The GDPR legal document is over 85 pages long and includes 99 articles and 173 recitals. It defines several key points of focus for data privacy:
- Personal data: Any information that relates to an individual who can be identified, either directly or indirectly. Examples include names, email addresses, location data, ethnicity, gender, IP addresses, political or religious affiliation, and biometric data.
- Data processing: Any automated or manual action performed on personal data. Examples are collecting, storing, using, transferring, or erasing data.
- Data subjects: The individuals whose data is being processed, such as customers, subscribers, users, and site visitors.
- Data controllers: The individual, organization, or entity that decides how and why personal data will be processed. Employees who manage or handle data are one example.
- Data processors: Any third party that processes personal data on behalf of a data controller, like cloud service providers and email service providers.
GDPR requirements list
To be compliant with GDPR, organizations must follow certain requirements for the processing of personal data. Below, we summarize some key requirements for GDPR compliance.
1. Establish a legal basis for data processing
Under Article 6 of GDPR, organizations must have a valid legal basis for collecting and processing personal data. These include:
- A data subject freely gave their clear, unambiguous consent. Consent can’t be coerced, and the request must be presented in clear language. In other words, you can’t bury it in a lengthy Terms of Service or use confusing legal jargon. Consent must also be documented. Data subjects can rescind their consent whenever they choose, and children under 13 can only give consent with a parent’s express permission.
- Data processing is necessary to fulfill contractual or legal obligations.
- Processing the data will save somebody’s life.
- Processing the data is in the public interest.
- You have a legitimate interest in processing the data. This is the most flexible of the lawful bases, and it applies whenever an organization uses personal data in a way that the data subject would already expect. An example would be an insurance company that analyzes personal data to detect fraudulent claims. It’s important to note that when a data subject’s fundamental right to privacy conflicts with a legitimate interest, the right to privacy takes precedence.
If you meet one of the above requirements, you have a lawful basis for data processing. You’ll need to document this basis and notify data subjects.
If you need to change your legal justification, you’ll need a sufficient, well-documented reason, and you’ll need to notify your data subjects.
2. Obtain explicit consent from data subjects
You must explain how you process data in “a concise, transparent, intelligible, and easily accessible form.” Many organizations do this through a clearly written privacy notice.
If your legal justification for processing personal data is that you have that data subject’s consent, then you must have obtained that consent in a way that is “clear, specific, informed, and unambiguous.”
GDPR provides a few conditions that must be met for consent to be valid.
- Data subjects can’t be coerced into giving consent. For example, you can’t refuse people access to products or services on the basis of whether they’ve consented to data processing activities.
  You also can’t trick people into giving consent. For example, you can’t lump several consent requests together behind a single “I agree” checkbox that consents to all of them. You have to explain each use case for data processing and give data subjects the opportunity to consent (or not) to each one.
  Lastly, consent must be clear and unambiguous. You can’t load a page with pre-checked consent boxes, and you can’t design a page so that consent is granted by inaction.
  This all boils down to one main idea: data subjects have to make a free and informed decision to consent to data processing.
- You have to explain to data subjects exactly what they’re consenting to. They need to know who you are, how you will process their data, for what purpose, and whether you intend to share it with any third parties.
- The data controller must be able to prove that the data subject has consented to data processing.
- If the request for consent is part of a written document that contains other information, the request must be separate from that other information and presented in clear language.
- You’re obliged to tell data subjects that they have a right to revoke consent at any time, and you have to make it easy for them to do so. This includes posting contact information for exercising consumer rights under GDPR in an easily accessible place.
3. Honor data subject rights
Data subjects have certain rights under the GDPR. These include:
- The right to be informed: You have to clearly explain how you process personal data and for what purpose. You must also make it easy for people to opt out and/or request that their data be erased, and you must respond to those requests in a timely manner. When collecting data from a data subject, you must also explain how and why. This requirement applies even if data is being transferred to a third party.
- The right of access: Data subjects have the right to know what personal data you’ve collected about them, where and how it’s being collected, why it’s being processed, and how long it will be retained.
- The right of rectification: Data subjects have the right to correct any inaccurate or incomplete personal data.
- The right to erasure: Also known as the right to be forgotten. Data subjects can request that you delete their personal information (with a few special exceptions), and it should be easy for users to make these erasure requests.
- The right to restrict processing: Data subjects can also request that you change how you process their personal information if they have reason to believe the data is inaccurate, being used illegally, or no longer needed for your stated legal basis.
- The right to data portability: GDPR requires that you store personal data in a way that can be easily shared with others in the event a data subject requests it. If a data subject requests their personal data, you must provide it to them free of charge and in an easily accessible format.
- The right to object: Data subjects can object to your processing their personal data. You must honor that objection unless you can prove that you have a legal basis for processing it.
4. Put in place technical and organizational safeguards
Organizations must implement “appropriate technical and organizational measures” to ensure customer data is handled securely.
GDPR doesn’t specify exactly which security measures companies need to take. However, it does require that the organization assess the inherent risks in processing EU personal data, and implement appropriate levels of security measures that mitigate such risks by taking into account the confidentiality, integrity, and availability of processing systems and processes.
Each organization must establish a set of security controls that are most appropriate for its unique systems and processes. This can include measures like enabling multi-factor authentication, using end-to-end data encryption, implementing firewalls, establishing user access controls, and completing periodic security awareness training for staff.
5. Send breach notifications
Similar to HIPAA’s breach notification rule, GDPR requires that you notify affected data subjects within 72 hours of a data breach. If you can’t deliver a notification within 72 hours, you’ll need to have adequate justification for the delay.
Under GDPR, breach notifications must:
- Describe the scale and nature of the data breach, including the number of people and data records affected
- Explain the likely consequences of the personal data breach
- Share the steps taken by the data controller to address the breach
- List the name and contact details of the data protection officer where data subjects can request additional information
6. Appoint a data protection officer (if applicable)
An organization is required to appoint a data protection officer (DPO) if:
- It acts as a public authority (other than a court acting in a judicial capacity)
- Its core activities require it to monitor people on a large scale
- Its core activities involve processing special categories of data, or data relating to criminal convictions and offenses
Data protection officers are responsible for overseeing the organization’s data protection strategy. This typically involves making sure employees are trained on GDPR requirements, completing regular compliance audits, and maintaining documentation and records of compliance.
Data protection officers also act as the main point of contact for both supervisory authorities and data subjects. If a data subject inquires about how their data is being processed or submits a request for erasure, the data protection officer must respond within one calendar month.
7. Design with privacy in mind
Article 25 of the GDPR states that organizations must consider data privacy and protection when designing any new products or services. At every stage of development, companies need to think about what personal data they absolutely need to collect from customers or users and how they will keep that data safe.
8. Conduct a data protection impact assessment
Whenever a data subject consents to data collection or processing, they are taking on a certain level of risk. Their data might be stolen or leaked and used for fraudulent purposes. A Data Protection Impact Assessment (DPIA) explains how your organization identifies and minimizes those risks.
DPIAs help improve organizational awareness around data protection risks so that you can fully design with privacy in mind. And they can help you clearly communicate with customers and users the exact steps you’re taking to secure their personal data.
9. Restrict personal data transfers
GDPR includes strict conditions for transferring personal data outside of the EU or European Economic Area (EEA). In cases where personal data is transferred outside of the EU or EEA, GDPR requires the relevant organizations (i.e., data importer and data exporter organizations) to adopt appropriate data protection safeguards that include technical and organizational measures.
Data transfers are allowed in the following cases:
- The European Commission (EC) reached an adequacy decision about the country where the receiver is based
- The transfer is covered by the appropriate safeguards listed in GDPR Article 46
- You have informed the data subject of possible risks and have their explicit consent
- The data transfer is necessary to fulfill contractual obligations with the data subject
- The data transfer is in the public interest or will protect an individual’s vital interests
- The data transfer is required to establish or defend a legal claim
- The transfer is being made from a public register
- It’s a one-off transfer that is in your legitimate interest
10. Complete regular privacy awareness training
Because GDPR legislation is fairly complex, training is required to help employees handle personal data securely. While the law doesn’t specify exact training requirements, the GDPR training you choose should cover what the law is and where it applies, the core principles of data protection, data subject rights, responsibilities of data controllers and data processors, and how to respond to a cybersecurity incident or data breach.
Training should be completed regularly — at least on an annual basis — for both new and existing employees involved in handling personal data.