The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world, yet few organizations are completely compliant with its statutes.
Complacency is dangerous territory. Non-compliant entities could be fined up to £18 million or 4% of annual global turnover (whichever is greater).
This post clearly outlines the standards set by the GDPR and provides a checklist to help organizations remain compliant.
What is the General Data Protection Regulation (GDPR)?
The GDPR is a product of the European Union’s audacious data protection reform. The strict privacy standards were put into effect on May 25, 2018. This cybersecurity framework aims to protect the personal data of all people in the European Union.
The GDPR updates the 1950 European Convention on Human Rights to make it relevant for the digital age. Article 8 of the convention states that everyone has the right to respect for their private and family life.
In the analog era that birthed the convention, the boundaries between public and private life were bold and easily identified. Today, they’re ambiguous and blurred. Without a clear and enforced standard like the GDPR, customers can never be confident that their private data, and therefore their private life, is being respected.
What is considered personal data under the EU GDPR?
According to Article 4 of the GDPR, personal data is defined as any information that relates to an identified or identifiable natural person. In other words, personal data is any data that is linked to the identity of a living person.
This doesn’t only include direct associations, such as financial information and addresses, but also indirect links such as evaluations relating to the behavior patterns of a person.
The definition of personal data is also format-agnostic, so it could include images, video, audio, numerals, and words.
Inaccurate information relating to data subjects is still considered personal data because this information is linked to an identity. If, however, the information is associated with a fictional entity, it’s not considered personal data. For example, if you refer to a fictional character residing in a fictional location, that is not considered personal data.
Who does the GDPR apply to?
The GDPR impacts any organization that offers goods and services to people in the EU; this includes entities that are not located in the EU. If you run a business online, you can never know for certain whether the people you transact with are located in the EU. For this reason, all online businesses should be GDPR compliant as a protective measure at the very least.
Organizations that handle personal data fall into two categories – those that control the data and those that process the data.
The GDPR defines a controller as any individual, public authority, agency, or another body that determines the purpose and means of processing personal data. Controllers decide how personal data is processed.
For example, a music school uses a digital screen to notify parents in the waiting room when each teacher is ready. The screen displays the name of each child and the room number of their music lesson.
The music school is classified as the “controller” of personal data since it decides how the notification system should process all of the data.
The GDPR defines a processor as any individual, public authority, agency, or another body that processes personal data on behalf of a controller. Because processors are carrying out the data processing rules set by a controller, they’re not making decisions about how personal data is handled.
For example, a software company hires a marketer for an upcoming email campaign. The marketer is supplied with the names and email addresses of all leads so that personalized email can be sent to each one.
The software company is classified as the controller of personal data since it determines how the data should be handled. The marketer is classified as the “processor” since they’re carrying out the software company’s data processing instructions.
Even though processors are just following controller instructions, they are still expected to be GDPR compliant alongside controllers because they’re handling personal data.
10 step checklist to be GDPR compliant
The following checklist will help businesses assess their current GDPR compliance status and also reform poor data handling practices to become more compliant.
1. Know all of the data you are collecting
If you don’t know how personal data flows through your internal systems, you don’t know how it is controlled. Here’s a simple 7 category framework for mapping all data sources, with an example of an ebook download process:
Ebook download form
- Full name.
- Email address.
- Business name.
Reason for data collection
- Creating sales leads.
How is collected data processed?
- Stored in the Mailchimp database.
- Accessed by internal email marketers.
When is the data disposed of?
- All unsubscribed leads are manually deleted from Mailchimp every 30 days.
Do you have consent to collect this data?
- Yes, the ebook download form included a message saying that all entries are added to the email list.
Does the collected data include sensitive information?
- Yes, full names and associated email addresses.
This mapping process should be applied to every internal data feed until you can confidently trace the lifecycle of all of them.
Because the GDPR is focused on sensitive data protection, it’s important to identify all instances of it and to classify each record by level of sensitivity.
The higher the sensitivity of data, the easier it is to identify and compromise an individual. Personally Identifiable Information (PII) is considered very sensitive and should be defended with the highest level of cybersecurity.
Are IP addresses classified as personal data?
IP addresses are classified as personal data if they can be linked to the identity of a person. For example, if a user’s IP address is collected alongside their email address, that would be considered personal data because the identity of the person is linked to their email address.
All personal data of people in the EU is strictly subject to GDPR compliance. If you’re not sure if the IP addresses you collect are classified as personal data, refer to the supervisory authority in your EU state.
2. Appoint a Data Protection Officer (DPO)
Article 37 of the GDPR states that both controllers and processors need to appoint a Data Protection Officer (DPO) to oversee the data protection strategy. Note that even processors are expected to have a data protection strategy, even though they’re just following data handling instructions set by controllers.
According to the GDPR, an organization must appoint a DPO if any of the following conditions are met:
- If data is processed by a public authority
- If collected data undergoes systematic monitoring
- If collected data is processed at a large scale
Unfortunately, the GDPR doesn’t define how large “large scale” is. Because of this ambiguity, many organizations are opting to appoint DPOs just to be safe.
Organizations should appoint DPOs where their data processing operations are centralized, even if that location is outside the EU. If an organization is located in the EU, a DPO should be stationed in the member state of the company’s headquarters.
Ideally, the DPO should speak the same languages as the GDPR regulators in that state. This will help organizations understand, and therefore comply with, the GDPR nuances of that state.
Article 39 of the GDPR says that a DPO should be capable of completing the following duties:
- Confidently advising both controllers and processors on best GDPR compliance practices
- Monitoring data handling to ensure GDPR compliance
- Providing accurate advice about data protection impact assessments
- Acting as the primary point of contact for all data processing inquiries
- Acting as the primary point of contact between the company and GDPR regulators
- Having a clear understanding of all the potential risks associated with different processing operations
To effectively carry out these responsibilities, a DPO should possess expert knowledge of GDPR laws and best practices.
To support the efforts of DPOs, organizations should adopt an attack surface monitoring solution to identify vulnerabilities that could be exposing processed data.
3. Create a GDPR diary
A GDPR diary, or a Data Register, is a comprehensive record of how an organization is practicing GDPR compliance. This would need to be created after identifying all of your data sources (point 1 in this list).
A GDPR diary should map the flow of data through your organization; the more detail it includes, the better. In the event of an audit, the GDPR diary will serve as proof of compliance.
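To make the data mapping framework from step 1 and the GDPR diary from step 3 concrete, here is an added example, written for this post and not an official GDPR tool: a minimal data register whose entries follow the mapping categories above, plus an audit routine that flags the gaps a DPO would want to close (personal data without recorded consent, no disposal schedule, an IP address stored next to an identifier, a named processor with no documented processing steps). The set of direct identifiers, the rule that an IP address on its own is not treated as linked to a person, and the two non-ebook register entries are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fields this example treats as identifying a person on their own.
# Assumption for the demo: the post names full names and email addresses;
# the other two are added here for illustration.
DIRECT_IDENTIFIERS = {"full name", "email address", "home address", "phone number"}


@dataclass
class DataSource:
    """One register entry, following the mapping categories from step 1."""
    name: str                        # the data feed, e.g. "Ebook download form"
    fields: List[str]                # personal data fields collected
    purpose: str                     # reason for data collection
    processing: List[str]            # how the data is processed and who accesses it
    retention_days: Optional[int]    # when the data is disposed of (None = no policy)
    consent_obtained: bool           # do you have consent to collect this data?
    processor: Optional[str] = None  # third party processing on your instructions


def direct_identifiers(src: DataSource) -> List[str]:
    """Fields that link the record to a living person."""
    return [f for f in src.fields if f.lower() in DIRECT_IDENTIFIERS]


def is_personal_data(src: DataSource) -> bool:
    """A source holds personal data once any field ties it to an identity.
    Following the post's IP example, an IP address on its own is not treated
    as linked here (an assumption); an IP address next to an email address is."""
    return bool(direct_identifiers(src))


def audit(register: List[DataSource]) -> List[Tuple[str, str]]:
    """Return (source name, finding) pairs a DPO would want to resolve."""
    findings: List[Tuple[str, str]] = []
    for src in register:
        if not is_personal_data(src):
            continue  # not linked to a person: the checks below do not apply
        if not src.consent_obtained:
            findings.append((src.name, "personal data collected without recorded consent"))
        if src.retention_days is None:
            findings.append((src.name, "no disposal schedule recorded"))
        if any(f.lower() == "ip address" for f in src.fields):
            findings.append((src.name, "IP address stored next to an identifier: treat it as personal data"))
        if src.processor and not src.processing:
            findings.append((src.name, "processor named but processing steps not documented"))
    return findings


# Constructed sample register. The first entry restates the post's ebook
# example; the other two are invented for the demonstration.
SAMPLE_REGISTER = [
    DataSource(
        name="Ebook download form",
        fields=["Full name", "Email address", "Business name"],
        purpose="Creating sales leads",
        processing=["Stored in the Mailchimp database", "Accessed by internal email marketers"],
        retention_days=30,
        consent_obtained=True,
        processor="Mailchimp",
    ),
    DataSource(
        name="Newsletter click tracking",
        fields=["IP address", "Email address"],
        purpose="Measuring campaign engagement",
        processing=[],
        retention_days=None,
        consent_obtained=False,
        processor="Analytics vendor (hypothetical)",
    ),
    DataSource(
        name="Aggregate site traffic counter",
        fields=["IP address"],
        purpose="Counting visits",
        processing=["Summed into daily totals"],
        retention_days=1,
        consent_obtained=False,
    ),
]


def run_audit() -> List[Tuple[str, str]]:
    """Audit the constructed register; returns the findings for inspection."""
    return audit(SAMPLE_REGISTER)


if __name__ == "__main__":
    for source, finding in run_audit():
        print(f"{source}: {finding}")
```

Running it reports four findings, all against the constructed "Newsletter click tracking" feed, while the post's own ebook example passes cleanly and the IP-only traffic counter is skipped because nothing in it ties a record to a person. The register entries double as the GDPR diary: each one documents what is collected, why, how it is processed, and when it is disposed of, which is the evidence an auditor will ask for.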