If you own a blog or a similarly uncomplicated website, you might be pondering whether the regulations for commercial sites and apps are relevant to you.
To help you figure that out, here are a couple of considerations:
- Are you gathering or engaging with your readers’ personal information (like names, usernames, emails, IP addresses, session activities, or payment details)?
- Do you offer a contact form or a sign-up option for newsletters?
- Are you utilizing any third-party tools or services (such as Google Analytics or AdSense)?
If you’ve answered affirmatively to any of these, then many of the same privacy guidelines that govern commercial websites and apps are likely to apply to you as well.
What is GDPR Compliance?
Being GDPR compliant entails adhering to the guidelines set by the General Data Protection Regulation (GDPR) in handling personal data within an organization.
The GDPR establishes obligations that organizations must adhere to regarding the usage of personal data. Additionally, it outlines eight rights for data subjects, granting individuals specific entitlements concerning their personal information. This regulation ultimately empowers individuals by granting them more control over their personal data and its usage.
[Figure: Largest fines issued for General Data Protection Regulation (GDPR) violations as of May 2023]
GDPR Terminology:
- Data Subject: This term refers to any individual who resides within the EU and whose personal data is collected, processed, or stored by a controller or processor. The GDPR safeguards the rights of these individuals concerning their data.
- Data Controller: The entity or organization that determines the purposes and means of processing personal data falls under the role of a Data Controller. This role carries the responsibility of ensuring compliance with GDPR regulations.
- Data Processor: Collaborating closely with the Data Controller, the Data Processor handles personal data on behalf of the controller. This role involves processing activities as directed by the controller and ensuring adherence to data protection regulations.
- Processing: It encompasses a broad spectrum of operations performed on personal data or datasets. This includes collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, and more.
- Personal Data: This term encompasses any information relating to an identified or identifiable natural person (‘data subject’). It covers a vast array of information, from basic identifiers like names and email addresses to more sensitive details, including biometric, financial, or cultural information.
- Consent: Obtaining valid consent from data subjects is a critical aspect of data processing under the GDPR. Consent must be freely given, specific, informed, and unambiguous, indicating the data subject’s agreement to the processing of their personal data for specified purposes.
Does GDPR Apply to US Companies?
Absolutely. To determine if your organization falls under its jurisdiction, you’ll need to assess its scope. If your company handles the personal information of EU residents—either for business transactions, services, or monitoring their behavior—then complying with the GDPR might be necessary.
The GDPR’s Material Scope involves any processing of personal data, whether automated or part of a filing system. This covers a wide array of activities, including collecting, storing, accessing, analyzing, or deleting personal data.
Regarding the Territorial Scope, the GDPR applies to EU-based controllers or processors. It extends extraterritorially to controllers or processors outside the EU if they offer goods or services to EU data subjects or monitor their behavior. For instance, a US-based online store catering to EU customers or even non-profit organizations collecting data from EU visitors might fall within the GDPR’s purview.
So, yes, even US entities can come under the GDPR’s umbrella if they handle EU residents’ data or offer services to them. Understanding these scopes is vital in determining whether compliance with GDPR is necessary for a US-based company.
GDPR Data Subject Rights:
The General Data Protection Regulation (GDPR) puts forth a comprehensive framework outlining eight fundamental rights for individuals in relation to their personal data. These rights are complemented by the right to withdraw consent. Let’s delve into the specifics of each of these rights:
- Right to be Informed (GDPR Articles 12 to 14): This right ensures that individuals are informed about the collection and utilization of their personal data. It encompasses transparency in data processing, including the purposes for which data is gathered and how it will be used.
- Right to Access (GDPR Article 15): Individuals have the prerogative to access and request copies of their personal data that is held by data controllers. This empowers them to understand and verify the lawfulness of the processing of their information.
- Right to Rectification (GDPR Article 16): Individuals possess the right to request rectification or correction of inaccuracies or outdated information within their personal data held by controllers. This ensures the accuracy and relevance of the information.
- Right to be Forgotten / Right to Erasure (GDPR Article 17): This right enables individuals to request the deletion or removal of their personal data under specific circumstances. However, it’s important to note that this right is not absolute and can be subject to legal exemptions and considerations.
- Right to Data Portability (GDPR Article 20): Individuals have the right to request their personal data in a structured, commonly used, and machine-readable format. They can then transmit this data to another controller or use it for their own purposes.
- Right to Restrict Processing (GDPR Article 18): Individuals have the authority to limit or suppress the processing of their personal data. This right may come into play when accuracy or legality is contested, or during the period when a data subject exercises their other rights.
- Right to Withdraw Consent (GDPR Article 7): Individuals can retract their previously granted consent for the processing of their personal data. This emphasizes the importance of voluntary and informed consent in data processing activities.
- Right to Object (GDPR Article 21): Individuals have the right to object to the processing of their personal data, especially in cases where the processing is carried out for direct marketing or legitimate interests pursued by the data controller.
- Right to Object to Automated Processing (GDPR Article 22): This right empowers individuals to object to decisions made solely through automated processing, including profiling, if these decisions significantly affect them.
11-Step GDPR Compliance Checklist:
Step 1: Craft an Actionable Strategy Utilizing the 7 Principles of the GDPR
The GDPR lays down seven fundamental principles that should form the foundation of your approach towards processing personal data:
- Lawfulness, Fairness, and Transparency: Ensure every processing activity has a legal basis. Processing should be predictable, and individuals should be informed about it.
- Purpose Limitation: Clearly define and document the reasons for processing in privacy notices. Restrict processing to these specified purposes.
- Data Minimization: Process only the necessary personal data required for the intended purposes.
- Accuracy: Guarantee the accuracy and currency of processed personal data. Rectify or delete inaccurate data promptly.
- Storage Limitation: Retain personal data only as long as necessary for the specified purposes.
- Integrity and Confidentiality (security): Implement adequate security measures to prevent unauthorized or unlawful processing, accidental loss, destruction, or damage of personal data.
- Accountability: Take ownership of data processing activities and maintain appropriate measures and records to showcase compliance with these principles.
The GDPR mandates the adoption of suitable technical and organizational measures to effectively uphold these data protection principles and safeguard the rights of data subjects. This approach, termed ‘data protection by design and by default,’ requires integrating data protection into your business practices and processing activities right from the design phase throughout the entire data processing lifecycle.
Step 2: Establish a Processing Register in Accordance with Article 30
The GDPR mandates that organizations maintain comprehensive records of their processing activities, ensuring these records remain current. Data mapping involves outlining operational processes to create a centralized inventory of an organization’s data flows and maintaining its accuracy.
While the GDPR doesn’t explicitly refer to data mapping, it requires controllers and processors (both B2B and B2C) to maintain an inventory of processing activities. GDPR’s Article 30 delineates specific requirements, prompting organizations to update or redo any existing data mapping to align with GDPR stipulations.
Step 3: Implementing Data Protection Impact Assessment (DPIA) and Privacy by Design
Under the GDPR, controllers must conduct a Data Protection Impact Assessment (DPIA) when processing operations pose a high risk to individuals. The GDPR’s intricate details make this assessment more comprehensive than a standard questionnaire. For instance, it may involve the engagement of a Data Protection Officer (DPO) in specific workflows, tracking mitigation activities, documenting risks in terms of harm to individuals, conducting consultations with data subjects, and more.
Moreover, organizations often deploy a streamlined screening questionnaire to evaluate risk levels, deciding whether a full DPIA is necessary. Meeting these workflow and documentation requisites, addressing user experience needs, and integrating seamlessly into business operations often necessitate purpose-built tools to effectively operationalize GDPR compliance.
When properly implemented, the DPIA serves as a robust approach to fulfilling the requirement for Data Protection by Design and Default.
Step 4: Develop a Consent Management Framework
The GDPR establishes stringent criteria for organizations processing data based on consent. Consent under GDPR requires specific attributes: it must be explicit, transparent, easily understood, devoid of complex legal jargon, separate from other notices, and simple to revoke. Additionally, organizations must demonstrate receipt of consent in detailed and precise manners.
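The consent attributes listed above map onto concrete record-keeping decisions: one record per purpose (so consent is specific and not bundled with other notices), a stored reference to the notice the subject actually saw, a rejection of anything that is not an affirmative action, a withdrawal path that is as simple as the grant, and an evidence export that demonstrates receipt. The following consent ledger is an added example written for this article, not code from the original or from any product it mentions; the class and method names and the set of accepted capture methods are assumptions.

```python
"""Minimal consent ledger illustrating the GDPR consent attributes from Step 4.
Added example, not code from the original article; all names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # one purpose per record: specific, never bundled
    notice_version: str          # which privacy-notice text the subject was shown
    given_at: datetime
    method: str                  # how the affirmative action was captured
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only store of consent events so receipt of consent can be demonstrated."""

    # Capture methods that count as an unambiguous affirmative action (assumed set).
    AFFIRMATIVE_METHODS = {"checkbox_ticked", "button_clicked", "signed_form"}

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id, purpose, notice_version, method, now=None):
        if method not in self.AFFIRMATIVE_METHODS:
            # Pre-ticked boxes, silence or inactivity do not constitute consent.
            raise ValueError(f"{method!r} is not an affirmative action")
        rec = ConsentRecord(subject_id, purpose, notice_version,
                            now or datetime.now(timezone.utc), method)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, now=None):
        """Withdrawal is per purpose and must be as easy as giving consent."""
        when = now or datetime.now(timezone.utc)
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.active:
                rec.withdrawn_at = when
                count += 1
        return count

    def may_process(self, subject_id, purpose) -> bool:
        """Gate every processing operation that relies on consent on an active record."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active
                   for r in self._records)

    def evidence(self, subject_id):
        """Export what was consented to, when, how, and under which notice version."""
        return [
            {"purpose": r.purpose, "notice_version": r.notice_version,
             "given_at": r.given_at.isoformat(), "method": r.method,
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records if r.subject_id == subject_id
        ]


def demo() -> ConsentLedger:
    """Constructed sample: one subject, two purposes, one later withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("u42", "newsletter", "notice-v3", "checkbox_ticked", now=t0)
    ledger.record_consent("u42", "analytics", "notice-v3", "button_clicked", now=t0)
    ledger.withdraw("u42", "analytics", now=datetime(2024, 2, 1, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    for row in demo().evidence("u42"):
        print(row)
```

Records are never deleted on withdrawal; the withdrawal timestamp is added instead, so the ledger can still show that consent existed for processing done before that point.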
Step 5: Ensuring Compliance with EU Privacy Cookie Regulations
The ePrivacy Directive mandates that organizations disclose their use of cookies, outlining their functionality and purpose, and obtain explicit and demonstrable consent from users. This consent process must be clear, active, and provide detailed information about cookie functions, the deploying organizations, and data usage. However, exemptions exist for essential cookies required for services, such as retaining items in an online basket or ensuring security in online banking. This directive extends its scope to other technologies storing or accessing device information, like SDKs for mobile apps.
These requirements persist irrespective of whether the cookies process anonymous or personal data. Even for anonymous cookie data, consent must adhere to GDPR standards. Should the cookie data involve personal information, organizations must additionally comply with GDPR regulations, necessitating actions like conducting a Data Protection Impact Assessment (DPIA) and recording such processing in their records.
The GDPR has significantly influenced the drafting of the ePrivacy Regulation, expected to supersede the ePrivacy Directive, aligning more closely with GDPR provisions. This transition foresees increased penalties and stricter regulatory actions under the forthcoming ePrivacy Regulation.
Step 6: Developing a Data Subject Access Request (DSAR) Portal
The GDPR bestows upon data subjects specific rights, encompassing data portability, access, erasure (or “right to be forgotten”), rectification, and more. Moreover, the regulation mandates particular record-keeping standards concerning response times, extension requests, identity validation, secure transmission of responses to individuals, and other obligations. Establishing an automated portal capable of managing, sorting, and documenting these requests is a pivotal measure in effectively handling, monitoring, and reporting on DSAR (Data Subject Access Request) inquiries.
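The record-keeping obligations named above (response times, extension requests, identity validation, secure transmission) are what a request tracker has to enforce. Below is an added example written for this article, not code from the original or from any vendor portal; the class and field names are assumptions. The deadline rule it encodes is taken from GDPR Article 12(3): respond within one month of receipt, extendable by up to two further months where requests are complex or numerous, with the subject informed of the extension within the first month. It also shows the calendar edge case of a request received on the 31st.

```python
"""DSAR request tracker illustrating the record-keeping points in Step 6.
Added example, not the article's or any product's code; names are assumptions.
Deadline rule assumed from GDPR Article 12(3)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RIGHTS = {"access", "rectification", "erasure", "portability", "restriction", "objection"}
SECURE_CHANNELS = {"encrypted_email", "authenticated_portal"}   # assumed policy


def utc(year, month, day) -> datetime:
    """Helper for constructing timezone-aware timestamps in the examples."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def add_months(when: datetime, months: int) -> datetime:
    """Calendar-month arithmetic: 31 Jan + 1 month clamps to 28/29 Feb."""
    month = when.month - 1 + months
    year = when.year + month // 12
    month = month % 12 + 1
    first_of_next = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=when.tzinfo)
    last_day = (first_of_next - timedelta(days=1)).day
    return when.replace(year=year, month=month, day=min(when.day, last_day))


@dataclass
class DsarRequest:
    request_id: str
    subject_id: str
    right: str
    received_at: datetime
    identity_verified: bool = False
    deadline: datetime = field(init=False)
    extended: bool = False
    status: str = "open"
    audit: list = field(default_factory=list)   # (timestamp, event) pairs

    def __post_init__(self):
        if self.right not in RIGHTS:
            raise ValueError(f"unknown right {self.right!r}")
        self.deadline = add_months(self.received_at, 1)
        self.log(self.received_at, f"received {self.right} request")

    def log(self, when: datetime, event: str) -> None:
        self.audit.append((when.isoformat(), event))

    def verify_identity(self, when: datetime, how: str) -> None:
        self.identity_verified = True
        self.log(when, f"identity verified via {how}")

    def extend(self, when: datetime, months: int, reason: str) -> None:
        """One extension of at most two months, notified within the initial month."""
        if self.extended or not 1 <= months <= 2:
            raise ValueError("only one extension of at most two months is allowed")
        if when > self.deadline:
            raise ValueError("extension must be notified within the initial month")
        self.deadline = add_months(self.received_at, 1 + months)
        self.extended = True
        self.log(when, f"extended by {months} month(s): {reason}")

    def respond(self, when: datetime, channel: str) -> str:
        """Release only after identity checks and only over a secure channel."""
        if not self.identity_verified:
            raise PermissionError("cannot release data before identity is verified")
        if channel not in SECURE_CHANNELS:
            raise ValueError("response must go over an approved secure channel")
        self.status = "closed_on_time" if when <= self.deadline else "closed_late"
        self.log(when, f"responded via {channel}")
        return self.status

    def overdue(self, now: datetime) -> bool:
        return self.status == "open" and now > self.deadline


if __name__ == "__main__":
    # Constructed sample: access request received on 31 January of a leap year.
    req = DsarRequest("REQ-1", "u42", "access", utc(2024, 1, 31))
    req.verify_identity(utc(2024, 2, 5), "login to existing account")
    req.extend(utc(2024, 2, 10), 2, "large volume of concurrent requests")
    req.respond(utc(2024, 4, 15), "authenticated_portal")
    for entry in req.audit:
        print(*entry)
```

The audit list is the artefact a supervisory authority would ask for: it records receipt, the identity check, any extension and its reason, and the response channel, each with a timestamp, so the one-month clock can be reconstructed after the fact.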
Step 7: Assess and Address Processor Risks
The GDPR assigns accountability to the controller for actions or breaches by processors. Examining processor data transfers and contractual commitments with the same rigor as internal processing activities is crucial. This approach ensures a defensible stance in case of a processor breach, enabling swift comprehension of the impacted data in such incidents.
Step 8: Establish an Incident Reporting & Breach Management Workflow
The GDPR mandates stringent notification requirements, necessitating reporting to the supervisory authority within 72 hours of a data breach. Furthermore, if the breach poses a high risk to individuals’ rights and freedoms, an additional notification to the data subjects is mandatory. Organizations must establish a systematic process to meet these stipulated requirements effectively.
Step 9: Evaluating Cross-Border Data Transfer Mechanisms
The GDPR necessitates an equivalent level of protection for personal data transferred outside the European Economic Area (EEA). Organizations must review and ensure they have appropriate mechanisms in place to facilitate cross-border data transfers.
When transferring personal data to a third country, the initial consideration involves assessing the existence of an ‘adequacy decision.’ This decision signifies that the European Commission has deemed a third country or international organization as providing an adequate level of data protection. However, these decisions remain subject to Commission review and potential reversal, exemplified by instances like the EU-US Privacy Shield. Moreover, post-Brexit, the European Commission granted the UK two adequacy decisions.
In the absence of an adequacy decision, the GDPR permits data transfers if the controller or processor has implemented ‘appropriate safeguards.’ The widely used safeguard is the ‘Standard Contractual Clauses’ (SCCs), outlining obligations for both the data exporter and importer while ensuring rights for data subjects.
Even where neither an adequacy decision nor appropriate safeguards are in place, data transfers remain possible under derogations, such as explicit consent from data subjects or transfers necessary for contractual performance. However, these alternatives are less recommended because of the heightened risk of data breaches in the absence of adequate safeguards.
To delve deeper into the Schrems II Ruling, explore DataGuidance’s comprehensive guide on Understanding Schrems II.
Step 10: Implementing GDPR Compliance Training
The GDPR assigns the Data Protection Officer (DPO) responsibility for overseeing an organization’s compliance efforts, including raising awareness and training staff. It’s crucial for organizations to provide initial and ongoing training to their staff, maintaining records of these sessions to demonstrate compliance.
Step 11: Appointing a Data Protection Officer (DPO)
The GDPR mandates organizations to appoint a Data Protection Officer (DPO) in specific circumstances, such as being a public authority, conducting large-scale monitoring, or processing sensitive data categories. The DPO plays a pivotal role in ensuring GDPR compliance, overseeing internal monitoring, advising on data protection obligations, guiding Data Protection Impact Assessments (DPIAs), and serving as a point of contact for data subjects and regulatory authorities.
Best GDPR Blogs & News Websites (General Data Protection Regulation)
1. Act Now Training Blog
- Location: UK
- Specialization: Information law, data protection, GDPR, privacy, and surveillance.
Act Now Training’s blog offers a diverse array of content covering information law, data protection, GDPR compliance, privacy, and surveillance. It provides insightful analysis, commentary, and satire on legal intricacies, practical compliance, and industry-specific nuances.
2. DLA Piper Blog
- Location: Chicago, Illinois, US
- Specialization: Global Privacy and Data Protection Resource covering GDPR, cybersecurity, compliance, and EU regulations.
DLA Piper’s blog serves as a comprehensive global resource center, providing extensive insights into GDPR, cybersecurity, compliance, and EU regulations. It offers detailed articles, analyses, and resources addressing critical aspects of data privacy and protection.
3. Privado
- Specialization: GDPR compliance measurement and automation for privacy teams.
Privado focuses on aiding privacy teams in assessing GDPR compliance efficiently. It assists in identifying privacy gaps, streamlining evidence collection, and automating compliance workflows for enhanced efficiency.
4. OneSpan
- Location: Chicago, Illinois, US
- Specialization: Enabling trusted identities, devices, and digital transformation for financial services.
OneSpan’s blog concentrates on advancing digital transformation, especially in financial services. It covers topics related to trusted identities, secure devices, and facilitating secure digital transactions.
5. Privacy International
- Location: London, England, UK
- Specialization: Advocacy against state and corporate surveillance, promoting security and freedom for individuals.
Privacy International strives to challenge excessive state and corporate surveillance. It aims to secure greater freedom and security for individuals worldwide through advocacy and awareness campaigns.
6. Formiti Data Privacy Consultancy Blog
- Location: Birmingham, England, UK
- Specialization: Global data privacy, data regulation news, and updates on various regulations.
Formiti’s blog covers global data privacy and regulation news, offering insights into an array of regulations. It provides comprehensive updates on the evolving landscape of data privacy globally.
7. SEERS co group
- Location: London, England, UK
- Specialization: Spreading awareness about GDPR and aiding companies in compliance with EU privacy regulations.
SEERS co group aims to raise awareness about GDPR compliance and provides support to companies to ensure adherence to EU privacy regulations.
8. Tsaaro Blogs
- Location: Bangalore, Karnataka, India
- Specialization: Techniques to safeguard data, protect privacy, and prevent malicious attacks.
Tsaaro’s blog delves into various data protection techniques, focusing on safeguarding data, ensuring privacy, and preventing malicious cyber attacks.
9. Hawktalk
- Specialization: Specialist information for Data Protection and Freedom of Information (FOI) Officers.
Hawktalk, by Amberhawk Training Limited, publishes specialist information aimed at Data Protection and FOI Officers, offering thought-provoking insights and specialized knowledge in these domains.
10. White Label Consultancy Blog
- Location: Oslo, Norway
- Specialization: Industry-leading discussions and advice on privacy and data protection.
White Label Consultancy’s blog provides industry-leading discussions, practical advice, and expert insights for professionals navigating the complexities of privacy and data protection.
Conclusion:
In today’s digital landscape, GDPR compliance stands as an indispensable pillar for businesses. It mandates a stringent framework to safeguard the privacy and rights of individuals concerning their personal data. Implementing GDPR necessitates an in-depth comprehension of data handling, security protocols, and consent procedures. Non-compliance poses a significant risk, leading to substantial penalties. Thus, adherence to GDPR is paramount for organizations across the globe to ensure trust, transparency, and data protection.
FAQs on GDPR Compliance:
What are the repercussions of GDPR non-compliance?
Non-compliance with GDPR can lead to hefty fines, potentially reaching up to €20 million or 4% of the organization’s global annual turnover, alongside reputational damage and loss of trust.
How can organizations ensure GDPR compliance?
Organizations should conduct regular data assessments, implement robust security measures, acquire valid consent for data processing, appoint a Data Protection Officer (DPO) where required, and continuously update and monitor their data practices.
What rights do individuals possess under GDPR?
Individuals have rights including access, rectification, erasure, restriction of processing, data portability, and the right to object to the processing of their personal information.