GDPR Regulation and Requirements

The GDPR regulation came into effect in May 2018 and applies to any organisation that offers goods or services to the EU market. GDPR even applies if your firm is not based in the EU but your website has customers from the EU. Before delving into the details of the GDPR regulation and its requirements let’s clarify what GDPR aims to achieve and why it matters to you. Rest assured it does matter. Did you know privacy is a human right?

What does the GDPR regulation aim to achieve?

The GDPR regulation wants all organisations, large and small, including yours, to reflect on the personal data they use and be very deliberate and considerate with why and how they use it. So GDPR wants you to be more mindful when it comes to the personal data of your customers, staff, suppliers etc. Surely that is a good thing, something you can get behind, no?

Putting it differently, the GDPR regulation wants to put an end to organisations just collecting data on individuals because they can, because they think they might be able to profit from it now or in the future, and do so without much consideration and without informing you.

As you will see in the rules and requirements outlined below, GDPR does not really prohibit much. You can still engage in email marketing, you can still advertise, you can still sell data etc., as long as you are transparent about how you respect individuals’ privacy.

Why does it matter to you?

It matters to you as an organisation because complying with the GDPR regulation is mandatory. Increasingly, our professional and personal interactions are digital, so being considerate of individuals’ privacy is simply the right thing to do. Customers expect the shops they love to treat the personal data they provide with care, so having your GDPR in order is something you can be proud of, and your customers will love you for it.

As an individual GDPR gives you control over the personal data you provide to organisations. First of all GDPR gives you the right to be informed on what personal data organisations use and why. At the same time you have the right to be informed of how they safeguard your privacy. Additionally you can object to the usage of your data, request they delete your data or even request your data to be transferred to a competing service.

So let’s have a look at the core GDPR requirements.

1. Minimise your data usage

You as an organisation must ensure that you only collect the minimum data elements needed to achieve a set purpose. For example, when you sell online you typically only need your users to provide an email address and a password to have a working registration process. There is no need to ask users for their gender, place of birth or even their address as part of the registration process. When users go on to buy an item and want it shipped, at that stage you will be entitled to request the user’s address, as that is essential information for the shipping process.

When you minimise the data being collected you minimise the impact of any potential privacy or security related incident. Data minimisation is a core GDPR requirement and one of the most powerful in safeguarding your users’ privacy.

2. State your purposes & legal basis

Building on the data minimisation requirement, GDPR prescribes that you may only use personal data for a stated and documented business purpose, underpinned by one of the 6 available GDPR legal bases. In other words, your usage of personal data is limited to a stated purpose and legal ground. All processing of personal data you undertake should be documented in a GDPR register, along with its purpose and legal basis. For example:

  • Process name: user registration
  • Description: process for the user to register on the website and have an account
  • Purpose: to allow users to have an account to save their preferences and order items
  • Legal basis: Contract

This documentation forces you to reflect on each processing activity and carefully consider its purpose and the legal basis for it. GDPR allows 6 legal bases:

    1. Contract

The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

    2. Legal obligation

The processing is necessary for you to comply with the law (not including contractual obligations).

    3. Legitimate interest

You or a third party have a legitimate interest that makes processing the data necessary, and no other individual’s interests, rights or freedoms override that interest. For example, you might have a legitimate interest in marketing your goods to existing customers to increase sales.

    4. Consent

The individual has given clear consent for you to process their personal data for a specific purpose.

    5. Vital interest

The processing is necessary to protect someone’s life, e.g. in an emergency situation.

    6. Public interest

The processing is necessary for you to perform a task in the public interest or for your official function, and the task or function has a clear basis in law.

When you buy into a service from an organisation (e.g. an online retail service), the core activities that make up that service, e.g. paying for the items and shipping them, are essential to delivering the service. As a result, the processing of your personal data for these purposes can typically fall under the legal basis “contract”. In other words, the organisation states that it performs these activities with your personal data in order to fulfil the contract you have with it. You in fact expect it to perform these activities so you can enjoy the service you contracted it for. Some activities the organisation performs are to satisfy its legal obligations, e.g. invoicing you or taking back damaged goods. Here again you expect it to do so.

For most firms the legal bases get increasingly weak beyond contract and legal obligation. As a third option, organisations can call on their legitimate interests to process an individual’s personal data, e.g. to send emails about new products and services. However, users do have the right to object to this type of processing and ask for it to stop.

A final option for most organisations in terms of legal basis is consent. This means that the organisation could not rely on a contract, a legal obligation or any legitimate interest and is left asking the user for consent to the processing of their personal data. Consent has gotten a lot of attention as part of the cookie popup, but now you understand that as a legal basis it is actually quite weak and should really be considered a last resort. We have a dedicated section on consent further down in this document. For the sake of completeness, do note that vital interest as a legal basis applies for example to the medical profession, and the public interest legal basis applies to public bodies.

Creating such a GDPR register listing all processing of personal data your organisation undertakes might sound challenging, but this is where GDPRWise can help. For over 30 sectors we have created such a register that you can leverage. All you need to do is verify and refine where needed. Check out our GDPRWise how it works page.

3. Maintain your GDPR Register

There is great power in creating a simple list. You probably create lists all the time: your todo list, your shopping list, a list of prospects to contact, a list of invoices to settle etc. Creating a list forces you to reflect on the topic and consider which item makes it on the list and which item does not. Having a list means that you now have a basic bit of documentation, which can be leveraged and extended subsequently. You can now even share the list with a colleague so you can communicate the contents and collaborate to improve where needed.

GDPR requires an organisation to maintain a Register of Processing Activities. When your national supervisory authority comes knocking on your door, the GDPR Register will most likely be the first document they ask for. Your GDPR register needs to list all personal data processing you undertake along with some core information elements:

  • Description of the data processing
  • Party responsible for the data processing
  • Business purpose
  • Legal basis
  • Type of data items involved
  • Data retention period
  • Security arrangements made
  • Parties the data is being shared with
  • Where the data is being processed


4. Publish your Privacy Policy

GDPR imposes a duty on all organisations to inform their users and be transparent about their data privacy practices. In short, your organisation needs to publish a privacy policy so individuals can read up on the data you collect and on your privacy measures before using your service.

Before you start googling to quickly copy and paste some text from the internet, do know that your privacy policy needs to reflect your organisation’s data footprint and the privacy measures you have implemented. Anything else risks misinforming your customers and exposes you to challenges and fines.

In its push to increase transparency, GDPR requires your privacy policy to be concise, specific and written in clear and plain language. A policy with lots of broad and general statements or filled with legal jargon is simply not acceptable. The GDPR regulation also specifies the information elements that must be included as a minimum:

  • Identity and contact details of the data controller and its representative
  • Description of the data processing activities
  • Description of the business purposes and associated legal basis
  • Type of data items involved
  • Data retention period
  • The source of the data, if the data was not provided by the user
  • Any parties the data is being shared with
  • Any data transfers outside the EU
  • Inform users of their GDPR data subject rights
  • Inform users on how to lodge a complaint with a supervisory authority

As you can see most of the information that must feature in your privacy policy is also part of your GDPR register. So your efforts to create a GDPR register can be leveraged. In fact we at GDPRWise can generate your privacy policy from the content of your register with a single click. As mentioned we have created a filled-in GDPR Register for over 30 sectors for you to make your own in no time. Check out how it works.

Do note that if your organisation employs any staff, you will be processing some of their personal data as well. Your duty to inform and provide transparency extends to all individuals you process personal data on. So having a privacy policy specifically to inform your staff is mandatory.

5. Capture your data sharing activities

Up to now you might not really have given it much thought, but chances are your firm is already sharing quite a bit of personal data with a number of third parties. Surprised?

  • Every organisation has an accountant. The invoices and bank statements you share with your accountant contain personal data items on your customers, suppliers and staff
  • If you have staff, the wage and benefit calculation is typically complex and often gets outsourced to an HR service provider. As a result you share personal data on your staff with that third party
  • When you use cloud or hosted software to support the running of your organisation, e.g. client relationship management software, sales platforms (Booking.com, AirBnB etc.), accounting software or marketing platforms (Mailchimp, Hubspot etc.), the software vendor might very well have access to some of the data in that software in order to be able to support you.
  • Delivery, shipping and transportation services like DHL, UPS, Uber etc., with which you share names and addresses
  • Social media platforms like Facebook, Instagram, Pinterest, Linkedin, Youtube etc.

As you can see, even if your organisation is not on social media, you are likely to be sharing some data with some third parties. GDPR does not forbid those interactions but does have the following requirements:

  1. You are required to inform individuals about any sharing of their personal data and outline whom their data is shared with, for what purpose and on which legal basis. In short, your Privacy Policy and GDPR register need to document the transfer correctly.
  2. Any transferred personal data may only be used by the receiving third party for the documented purpose.
  3. If the legal basis for the sharing is your organisation’s legitimate interest then the user has the right to object and you will most likely need to stop and undo any sharing.
  4. Special category data (medical data, race & ethnicity etc. see GDPR Art. 9) can never be shared on the basis of legitimate interest.
  5. Any transfer of personal data outside the EU is subject to additional requirements. It would be advisable to make sure the receiving party resides in a country that the EU has deemed to have equivalent security practices and safeguards. If you want to transfer data to a non-equivalent country, please do seek legal advice.
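The register fields from section 3 and the five sharing rules above can be turned into automated checks over the register. The following is an added example, not GDPRWise’s own tooling; the field names, the `special_category` and `outside_eu` flags and the sample register are constructed for this illustration.

```python
"""Checks over a GDPR Register of Processing Activities.

Added example, not GDPRWise's own tooling. It turns the register fields
listed in section 3 and the data-sharing rules 1-5 into automated checks
over a register kept as a list of dicts. The field names and the sample
register below are this example's own constructions."""
from __future__ import annotations

LEGAL_BASES = {"contract", "legal obligation", "legitimate interest",
               "consent", "vital interest", "public interest"}

# Core information elements every register entry must carry (section 3).
REQUIRED_FIELDS = ("process", "description", "responsible_party", "purpose",
                   "legal_basis", "data_items", "retention_period",
                   "security_measures", "shared_with", "location")


def validate_entry(entry: dict) -> list[str]:
    """Return the findings for one register entry (empty list = passes)."""
    findings: list[str] = []
    name = entry.get("process", "<unnamed process>")
    for fld in REQUIRED_FIELDS:
        if entry.get(fld) in ("", None):
            findings.append(f"{name}: missing register field '{fld}'")
    if str(entry.get("legal_basis", "")).lower() not in LEGAL_BASES:
        findings.append(f"{name}: legal basis must be one of the six GDPR bases")
    # Special category data (GDPR Art. 9) is flagged on the data item itself.
    special = any(i.get("special_category") for i in entry.get("data_items") or [])
    for rcpt in entry.get("shared_with") or []:
        who = rcpt.get("name", "<unnamed recipient>")
        basis = str(rcpt.get("legal_basis", "")).lower()
        # Rule 1: whom, for what purpose and on which legal basis must be documented.
        if not rcpt.get("purpose") or basis not in LEGAL_BASES:
            findings.append(f"{name}: sharing with {who} lacks a documented purpose or legal basis")
        if basis == "legitimate interest":
            # Rule 3: the user may object, so a stop/undo process must exist.
            if not rcpt.get("objection_process"):
                findings.append(f"{name}: no objection process for legitimate-interest sharing with {who}")
            # Rule 4: special category data is never shared on legitimate interest.
            if special:
                findings.append(f"{name}: special category data shared with {who} on legitimate interest")
        # Rule 5: transfers outside the EU need an adequacy decision or legal advice.
        if rcpt.get("outside_eu") and not rcpt.get("adequacy_confirmed"):
            findings.append(f"{name}: transfer to {who} outside the EU without confirmed adequacy")
    return findings


def validate_register(register: list[dict]) -> list[str]:
    """Findings for the whole register, in register order."""
    return [f for entry in register for f in validate_entry(entry)]


# Constructed sample register: a clean entry and one with several problems.
SAMPLE_REGISTER = [
    {"process": "user registration",
     "description": "user registers on the website and gets an account",
     "responsible_party": "webshop owner", "purpose": "account and order history",
     "legal_basis": "contract",
     "data_items": [{"name": "email"}, {"name": "password hash"}],
     "retention_period": "until account deletion",
     "security_measures": "TLS, hashed passwords",
     "shared_with": [{"name": "EU hosting provider", "purpose": "hosting",
                      "legal_basis": "contract", "outside_eu": False}],
     "location": "EU data centre"},
    {"process": "customer profiling",
     "description": "enrich customer profiles for targeted offers",
     "responsible_party": "marketing", "purpose": "targeted offers",
     "legal_basis": "legitimate interest",
     "data_items": [{"name": "email"},
                    {"name": "health condition", "special_category": True}],
     "retention_period": "",            # missing: must be stated
     "security_measures": "vendor contract", "location": "vendor cloud",
     "shared_with": [{"name": "analytics vendor", "purpose": "profiling",
                      "legal_basis": "legitimate interest", "outside_eu": True}]},
]
```

Running `validate_register(SAMPLE_REGISTER)` reports nothing for the registration entry and four findings for the profiling entry: the missing retention period, the missing objection process, special category data shared on legitimate interest, and the transfer outside the EU.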

6. Honour data subject rights

GDPR puts all of us in control of our personal data, which is one of the great benefits of the regulation. Whenever organisations process our personal data, GDPR gives us a set of rights we can call upon. Examples are: right to be informed, right to withdraw consent, right to access your data, right to be forgotten etc. You are no longer powerless, you can exercise those rights at any time.

From the perspective of the organisations using the personal data of individuals, the first thing you need to do is to ensure you inform individuals about their rights. In other words your privacy policy should outline the data subject rights and how users can exercise those. Moreover you should also outline how users can lodge a complaint with the supervisory authority if they would want to do so. We at GDPRWise ensure that the privacy policies you generate with us have the right data subject clause in them, so do check out how it works.

Not only do you need to inform your users, you also need to implement the appropriate processes within your organisation to ensure you can swiftly act on requests from individuals. GDPR typically provides organisations with a month of response time. We advise you to set up a dedicated privacy mailbox so no data subject request gets missed. If desired you can also look at outsourcing these tasks to parties that offer Data Rep and DPO type services.

7. Consent

Consent is probably the least loved GDPR topic, given almost every website forces you to wrestle past a cookie consent popup before you can access the actual website. Before we elaborate on the cookie part, you already understand from the above that consent is one of the 6 legal bases that GDPR allows for any processing of personal data.

There are a number of requirements for capturing consent. Consent should be…

    1. Freely given

The individual should be offered a real choice, without being pressured into giving consent, for example by labouring any negative effects of refusing. As a result, an employer requesting consent from its employees for some processing will rarely be considered freely given. If, for example, a quiz app requests your consent to track your location, location tracking is not essential to play the game, but the app does not function without your consent, then here too the consent is not considered freely given.

    2. Specific

Consent should be requested for each specific purpose. In other words, when the processing has multiple purposes, consent should be given for all of them separately. For example, you cannot request consent for a newsletter feature and for sharing data with commercial partners at the same time. Users should be able to consent to, and withdraw consent from, any specific processing purpose.

    3. Informed

The request must be clear, concise and in plain language, and made prior to the processing taking place. At the same time you should inform your users that they can withdraw consent at all times and how to go about this. All the consent related information should be clear and easily understandable, and by no means buried in some other legal or contractual clauses.

    4. Based on a clear affirmative act

Silence, pre-ticked boxes or inactivity do not constitute consent. You can include an unticked checkbox on your website. Do make sure of course that you also cover the other consent requirements.

    5. Demonstrable

The data controller, i.e. the party mainly responsible for the processing, should at all times be able to demonstrate that the user has given their consent to the processing operation.

    6. As easily revoked as given

When it just takes the clicking of a checkbox on a website to consent, then revoking the consent should be as easy as that. Classic examples where retailers make it difficult to unsubscribe, for example by insisting you call a number, are as a result not compliant, and you can easily challenge them and even report them to your supervisory authority.

Do note that for special category data (GDPR Art. 9) such as medical data, any consent should be explicit. Explicit consent goes beyond normal consent and requires, for example, a signature or an extra confirmation via email.
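The six consent requirements above, plus the explicit-consent rule for special category data, can be enforced in the code that records consent. The following is an added example, not GDPRWise’s code; the purposes, notice version and evidence strings are constructed, and “freely given” is approximated by refusing consent as the basis for any purpose the service cannot run without (the quiz app situation).

```python
"""A consent record store for the six consent requirements above, plus explicit
consent for special category data. Added example, not GDPRWise code; the
purpose names, notice version and evidence strings are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(ValueError):
    """Raised when a consent capture would not meet the GDPR requirements."""


@dataclass
class ConsentEvent:
    user: str
    purpose: str
    given: bool               # True = consent given, False = withdrawn
    at: datetime
    notice_version: str       # Informed: which privacy notice the user saw
    evidence: str             # Demonstrable: how the affirmative act was captured


@dataclass
class ConsentStore:
    purposes: set[str]        # Specific: consent is tracked per purpose
    essential: set[str]       # purposes the service cannot run without
    explicit: set[str]        # special category purposes (GDPR Art. 9)
    notice_version: str       # the notice currently shown to users
    events: list[ConsentEvent] = field(default_factory=list)

    def record_consent(self, user: str, purpose: str, notice_version: str,
                       box_default_ticked: bool, user_ticked: bool, evidence: str,
                       extra_confirmation: str | None = None) -> bool:
        """Record one user's consent for one purpose; True if consent is now held."""
        # Freely given: a purpose the service does not work without cannot rest on
        # consent (the quiz app example above); it needs another legal basis.
        if purpose in self.essential:
            raise ConsentError(f"{purpose!r} is essential to the service; consent is not free")
        if purpose not in self.purposes:
            raise ConsentError(f"unknown purpose {purpose!r}; ask per documented purpose")
        # Informed: the user must have seen the current notice before processing.
        if notice_version != self.notice_version:
            raise ConsentError("consent captured against an outdated privacy notice")
        # Clear affirmative act: a pre-ticked box is not consent, whatever the user did.
        if box_default_ticked:
            raise ConsentError("pre-ticked boxes do not constitute consent")
        # Explicit consent for special category data needs a second confirmation.
        if purpose in self.explicit and not extra_confirmation:
            raise ConsentError(f"{purpose!r} needs explicit consent (e.g. email confirmation)")
        if not user_ticked:
            return False      # silence or inactivity: nothing recorded, no consent
        self.events.append(ConsentEvent(user, purpose, True, datetime.now(timezone.utc),
                                        notice_version, evidence))
        return True

    def withdraw(self, user: str, purpose: str) -> None:
        """As easily revoked as given: one call, no further conditions."""
        self.events.append(ConsentEvent(user, purpose, False, datetime.now(timezone.utc),
                                        self.notice_version, "withdrawn by user"))

    def has_consent(self, user: str, purpose: str) -> bool:
        """The latest event for this user and purpose decides."""
        for ev in reversed(self.events):
            if ev.user == user and ev.purpose == purpose:
                return ev.given
        return False

    def demonstrate(self, user: str, purpose: str) -> list[ConsentEvent]:
        """Demonstrable: the full audit trail the data controller can show."""
        return [ev for ev in self.events if ev.user == user and ev.purpose == purpose]


# Constructed configuration for an online shop (assumed purposes, not the page's).
SHOP = ConsentStore(purposes={"newsletter", "partner sharing", "health profile"},
                    essential={"order fulfilment"},
                    explicit={"health profile"}, notice_version="2024-01")
```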

Aha yes, and what about those dreaded cookie consents?

A cookie (also called web cookie, Internet cookie, browser cookie) is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser when the user is visiting the website. GDPR did put the spotlight on cookies as they were typically saving bits of personal data upon visiting a website without your knowledge. You could compare public internet websites with public areas in the real world really. How would you feel if in the real world someone would start harvesting personal details about you without any notice or you being aware?

Cookies were designed for websites to remember information the user previously entered on the website, e.g. names, addresses, credit-card numbers etc. They also remember whether you are logged in, or record settings and preferences you have on the site. Cookies that contain personal data should be encrypted to prevent hackers from reading the information within or even gaining access (with the user’s credentials) to the website to which the cookie belongs. So do confirm with your software vendor and IT support teams what types of cookies your website or internet software sets and whether their content is encrypted.

A special category of cookies are the tracking cookies, which are commonly used to compile long-term records of individuals’ browsing history. Given this practice very clearly consists of the collection of personal data, it is in scope of GDPR. GDPR insists that all personal data collection be minimal and substantiated, i.e. have a legal basis.

Given tracking’s often questionable motives with no real link to the service the customer is after, one is left asking the user nicely whether he or she wants to be subjected to it, in other words asking for consent in line with the consent requirements stated above.

8. Implement appropriate security measures

No privacy without good security. You can have the best privacy arrangements but when your security is not up to scratch it will inevitably lead to unauthorised disclosures.

Important to note is that security is not one thing, but a collection of approaches, practices and measures that are only as strong as their weakest link. We have created a knowledge base item Data Security – what to consider for your benefit. The associated knowledge base items also include practical tips such as a list of questions you can put to your IT support partner.

When you are up to speed with the basics on data security you and your IT support partner are advised to leverage your GDPR register and to work through the list of systems being used. As a minimum you want to review the below aspects:

    • Is the physical security appropriate?

Is the system in a physical location that is appropriately safe and secure? For any systems that are world-renowned cloud systems (e.g. Microsoft.com, Shopify.com) the answer is mostly Yes and evidenced by the security certifications they have obtained and published. For any systems your firm hosts, you want to make sure you have measures in place to ensure that only appropriate people can access the premises, office, shop server room, filing cabinet etc. For the inevitable paper documents most firms still hold, we have created a dedicated knowledge base item, Data Security for paper documents.

    • Is the system & software security appropriate?

Do check out our dedicated knowledge base item, Security for systems and software – principles, to further explore this topic. There are a number of aspects you should review and measures you can apply. Some examples: do all systems have the latest security patches applied? Do all systems have appropriate access control enforced? Where possible, do you have two-factor authentication enabled? Does the system enforce strong passwords? Can we remove or hide data items we do not use, in line with the GDPR data minimisation principle?

    • Is data security appropriate?

For the SME there are two core aspects to check here: backups and data encryption. Confirm that systems are backed up and that those backups are in a safe place. At the same time, you want to test from time to time that a restore can successfully be executed. On the data encryption side, confirm that all personal data is encrypted both at rest and in transit. Do check out our dedicated knowledge base item, Data Security – what to consider? for more information.

    • Are all measures regularly reviewed?

Your security defences need regular review and updates. This not only holds true for your equipment and infrastructure but also for the humans operating and using those. We want to emphasise the importance of not overlooking the human factor as it has been proven over and over again to be the weakest link in a security and privacy defence. You need to ensure that the right security & privacy habits are taught and applied in the day-to-day of your business. There are lots of online learning platforms that offer Security Awareness Training and Data Privacy Training at very affordable prices. Ensuring that all new joiners and all staff go through those training courses at least once a year is essential to running a secure and privacy compliant operation. It is recommended that you implement a code of conduct that includes security & privacy as well as other ethical business practices.

9. Implement breach monitoring & reporting

The GDPR regulation defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, whether stored, transmitted or otherwise processed.

GDPR aims to ensure all firms take personal data seriously and look after it with great care. A data breach is a most serious event with potentially serious repercussions, both for the firm and for any of the persons affected.

You are required to keep a log of any and all breaches; even the smallest incidents should be recorded. The log should describe the incident itself, the cause, the repercussions, the risk of future damage, the affected data and the measures taken to mitigate the risk of further damage. You can explore our template for such an incident log here.

Breaches with a likely impact to rights and freedoms of individuals must be reported to the supervisory authority and potentially the affected individuals.

It is vital that firms implement appropriate technical and organisational measures to avoid possible data breaches. At the same time, firms will need to make sure their systems are monitored for data breaches. One cannot report a personal data breach if one has no way of detecting such a breach. Specialised software exists to detect system intrusion, and you should confirm with your software vendors and IT teams that it is deployed for your processing.

Not all data breaches are caused by malicious third parties like hackers. There are plenty of examples of accidental loss or accidental unauthorised access:

  • A member of staff losing a USB stick/drive that had personal data files on it, with neither the drive nor the data files being encrypted
  • A member of the sales staff accidentally posts a revenue report containing names and financial details from customers on the public website rather than the intranet team site
  • A member of staff attaches the wrong file to an email, resulting in accidental disclosure of personal data
  • A member of staff accidentally deletes client records leading to loss of personal data

A corporate culture where data security & privacy are a core value will not only help prevent such accidents, it will often also help minimise their impact. The human factor, and ensuring all staff go through regular security & privacy awareness training, is key to establishing the right security & privacy culture.

10. Privacy by design

The end goal of GDPR is really to ensure that privacy is front and centre for you and all organisations across all their activities. As early as the stage of new ideas and plans, you should already have the privacy reflex: minimise the use, limit the purpose, capture the legal basis, be considerate of users’ rights, be mindful when sharing, consider how to inform users and ensure appropriate security measures. It should become second nature to you and your organisation to have privacy by design, or a privacy first approach. Privacy is a human right. Your users trust you to treat their personal data with the care it deserves.

We have also created a number of training videos which you might find useful, for example this video on the Essence of GDPR. The video is available in several languages.