GDPR Regulation and Requirements
The GDPR regulation came into effect in May 2018, and applies to any organisation that offers goods or services to the EU market. GDPR even applies if your firm is not based in the EU but your website has customers from the EU. Firstly, before delving into the details of the GDPR regulation, and its requirements, let’s clarify what GDPR aims to achieve and why it matters to you. Rest assured, it does matter. Did you know privacy is a human right?
Table of contents
- What does the GDPR regulation aim to achieve?
- Why does it matter to you?
- 1. Minimise your data usage
- 2. State your purposes & legal basis
- 3. Maintain your GDPR Register
- 5. Capture your data sharing activities
- 6. Honour data subject rights
- 7. Consent
- 8. Implement appropriate security measures
- 9. Implement breach monitoring & reporting
- 10. Privacy by design
What does the GDPR regulation aim to achieve?
The GDPR regulation wants all organisations, large and small, including yours, to reflect on the personal data they use and to be deliberate and considerate about why and how they use it. In other words, GDPR wants you to be more mindful when it comes to the personal data of your customers, staff, suppliers etc. Surely that is a good thing, something you can get behind, no?
Putting it differently, the GDPR regulation wants to put an end to organisations just collecting data on individuals because they can, because they think they might be able to profit from it now, or in the future, and do so without much consideration and without informing you.
As you will see in the rules and requirements outlined below, GDPR does not really prohibit much. You can still engage in email marketing and advertising, you can still sell data etc., as long as you are transparent about how you respect individuals’ privacy.
Why does it matter to you?
It matters to you as an organisation, because complying with the GDPR regulation is mandatory. Our professional and personal interactions are increasingly digital, so being considerate of individuals’ privacy is simply the right thing to do. Customers expect the shops they love to treat the personal data they provide with care, so having your GDPR in order is something to be proud of, and your customers will love you for it.
As an individual, GDPR gives you control over the personal data you provide to organisations. First of all, GDPR gives you the right to be informed of what personal data organisations use, and why. At the same time, you have the right to be informed of how they safeguard your privacy. Additionally, you can object to the usage of your data, request that they delete your data, or even request that your data be transferred to a competing service.
So let’s have a look at the core GDPR requirements.
1. Minimise your data usage
You, as an organisation, must ensure that you only collect the minimum data elements needed to achieve a set purpose. For example, when you sell online, you typically only need your users to provide an email address and a password to have a working registration process. There is no need to ask users for their gender, place of birth or even their address as part of the registration process. When a user goes on to buy an item and wants it shipped, at that stage you will need to ask for the user’s address, as that is essential information for the shipping process.
When you minimise the data being collected, you also minimise the impact of any potential privacy or security related incident. Data minimisation is a core GDPR requirement and one of the most powerful safeguards of your users’ privacy.
2. State your purposes & legal basis
Building on the data minimisation requirement, GDPR prescribes that you can only use personal data for a stated and documented business purpose, underpinned by one of the 6 available GDPR legal bases. In other words, your usage of personal data is limited to a stated purpose and legal ground. All processing of personal data you undertake should be documented in a GDPR register along with its purpose and legal basis. For example:
- Process name: user registration
- Description: process for the user to register on the website and have an account
- Purpose: to allow users to have an account to save their preferences and order items
- Legal basis: Contract
This documentation forces you to reflect on each processing activity and carefully consider its purpose and the legal basis for it. GDPR allows 6 legal bases:
- Contract
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation
The processing is necessary for you to comply with the law (not including contractual obligations).
- Legitimate interest
You, or a third party, have a legitimate interest that makes processing the data necessary, and no other individual’s interests, rights or freedoms outrank your interest. For example, you might have a legitimate interest in marketing your goods to existing customers to increase sales.
- Consent
The individual has given clear consent for you to process their personal data for a specific purpose.
- Vital interest
The processing is necessary to protect someone’s life, e.g. in an emergency situation.
- Public interest
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
When you buy into a service from an organisation (e.g. an online retail service), the core activities that make up that service, e.g. paying for the items and shipping them, are essential to delivering the service. As a result, the processing of your personal data for these purposes can typically fall under the legal basis contract. In other words, the organisation states that it is performing these activities with your personal data in order to fulfil the contract you have with it. You, in fact, expect it to perform these activities so you can enjoy the service you contracted it for. In addition, some activities the organisation performs are to satisfy its legal obligations, e.g. invoicing you and taking back damaged goods. Here again, you expect it to do so.
For most firms the legal grounds get progressively weaker beyond contract and legal obligation. As a third option, organisations can call on their legitimate interests to process an individual’s personal data, e.g. to send emails about new products and services. However, users do have the right to object to this type of processing and ask for it to stop.
A final option for most organisations, in terms of legal basis, is consent. This means that the organisation could not rely on a contract, a legal obligation or any legitimate interest, and is left to request consent from the user for the processing of the personal data. Consent has received a lot of attention as part of the cookie popup, but now that you understand its place among the legal bases, you can see it is actually quite weak and should really be considered a last resort. We have a dedicated section on consent further down in this document. For the sake of completeness, do note that the vital interest legal basis does apply, for example in the medical profession, and that the public interest legal basis applies to public bodies.
3. Maintain your GDPR Register
There is great power in creating a simple list. You probably create lists all the time: your todo list, your shopping list, a list of prospects to contact, a list of invoices to settle etc. Creating a list forces you to reflect on the topic and consider which item makes it on the list and which item does not. Above all, having a list means that you now have a basic piece of documentation, which can be leveraged and extended subsequently. You can now even share the list with a colleague, so you can communicate the contents and collaborate to improve, where needed.
GDPR requires an organisation to maintain a Register of Processing Activities. When your national supervisory authority comes knocking on your door, the GDPR Register will most likely be the first document they ask for. Your GDPR register needs to list all personal data processing you undertake along with some core information elements:
- Description of the data processing
- Party responsible for the data processing
- Business purpose
- Legal basis
- Type of data items involved
- Data retention period
- Security arrangements made
- Parties the data is being shared with
- Where the data is being processed
Creating such a GDPR register, listing all processing of personal data your organisation undertakes, might sound challenging; however, this is where GDPRWise can help. For over 30 sectors, we have created such a register that you can leverage. All you need to do is verify and refine it where needed. Check out our GDPRWise how it works page.
4. Inform your users
You must inform your users of the following:
- Identity and contact details of the data controller and its representative
- Description of the data processing activities
- Description of the business purposes and associated legal basis
- Type of data items involved
- Data retention period
- The source of the data, if the data was not provided by the user
- Any parties the data is being shared with
- Any data transfers outside the EU
- Inform users of their GDPR data subject rights
- Inform users on how to lodge a complaint with a supervisory authority
5. Capture your data sharing activities
Up to now, you might not really have given it much thought, but chances are your firm is already sharing quite a bit of personal data with a number of third parties. Surprised?
- Every organisation has an accountant. The invoices and bank statements you share with your accountant contain personal data items on your customers, suppliers and staff.
- If you have staff, the wage and benefit calculation is typically complex and often gets outsourced to an HR service provider. As a result you share personal data regarding your staff with that third party.
- When you use cloud or hosted software to support the running of your organisation, e.g. client relationship management software, sales platforms (Booking.com, AirBnB etc.), accounting software or marketing platforms (Mailchimp, Hubspot etc.), the software vendor might very well have access to some of the data in that software in order to be able to support you.
- Delivery, shipping and transportation services like DHL, UPS, Uber etc., with which you share names and addresses
- Social media platforms like Facebook, Instagram, Pinterest, Linkedin, Youtube etc.
As you can see, even if your organisation is not on social media, you are likely to be sharing some data with some third parties. GDPR does not forbid those interactions; however, it does have the following requirements:
- Any transfer of personal data can only be used by the receiving third party for the documented purpose.
- If the legal basis for the sharing is your organisation’s legitimate interest then the user has the right to object and you will most likely need to stop and undo any sharing.
- Special category data (medical data, race & ethnicity etc. see GDPR Art. 9) can never be shared on the basis of legitimate interest.
- Finally, any transfer of personal data outside the EU is subject to additional requirements. It would be advisable to make sure the receiving party resides in a country that the EU has deemed to have equivalent security practices and safeguards. If you want to transfer data to a non-equivalent country, please do seek legal advice.
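The register fields listed in section 3 and the sharing rules just stated can be checked mechanically. The following is an added example, not part of the original article and not GDPRWise's tooling: a small linter over a GDPR register that flags a missing purpose, retention period or security arrangement, a legal basis outside the six allowed, special category data shared on the basis of legitimate interest, and any processing or transfer outside the EU. The field names, the special category list, the placeholder "equivalent jurisdictions" set and the sample register are all constructed assumptions for this example.

```python
"""Added example (not part of the original article or of GDPRWise's tooling):
a small linter for a GDPR register. Each entry records the fields listed in
section 3, and the checks encode the rules the text states: a documented
purpose, one of the six legal bases, a retention period, no sharing of special
category data on the basis of legitimate interest, and a flag on any transfer
outside the EU. Field names, the special category list and the sample register
are constructed for this example."""
from dataclasses import dataclass, field

LEGAL_BASES = {
    "contract", "legal obligation", "legitimate interest",
    "consent", "vital interest", "public interest",
}

# Constructed, non-exhaustive list of data items that fall under GDPR Art. 9.
SPECIAL_CATEGORY = {"health", "ethnicity", "religion", "biometric", "sexual orientation"}

# Placeholder: only the EU itself is treated as "equivalent" here; the real list
# of adequacy decisions is published by the European Commission and must be checked.
EQUIVALENT_JURISDICTIONS = {"EU"}


@dataclass
class RegisterEntry:
    name: str                 # description of the processing activity
    responsible: str          # party responsible for the processing
    purpose: str              # business purpose
    legal_basis: str          # one of the six legal bases
    data_items: list[str]     # type of data items involved
    retention: str            # data retention period
    security: str             # security arrangements made
    location: str             # where the data is processed (country/region)
    shared_with: list[tuple[str, str]] = field(default_factory=list)  # (party, country)


def lint_entry(entry: RegisterEntry) -> list[str]:
    """Return the list of problems found in one register entry (empty if clean)."""
    problems = []
    basis = entry.legal_basis.strip().lower()
    if not entry.purpose.strip():
        problems.append("no documented purpose")
    if basis not in LEGAL_BASES:
        problems.append(f"unknown legal basis {entry.legal_basis!r}")
    if not entry.retention.strip():
        problems.append("no retention period")
    if not entry.security.strip():
        problems.append("no security arrangements recorded")

    # Special category data can never be shared on the basis of legitimate interest.
    special = sorted(d for d in entry.data_items if d.lower() in SPECIAL_CATEGORY)
    if special and basis == "legitimate interest" and entry.shared_with:
        problems.append(
            f"special category data {special} shared on legitimate interest (not allowed)"
        )
    # Any transfer or processing outside the EU needs an adequacy check or legal advice.
    for party, country in entry.shared_with:
        if country.strip().upper() not in EQUIVALENT_JURISDICTIONS:
            problems.append(
                f"transfer to {party} in {country}: outside the EU, needs adequacy check or legal advice"
            )
    if entry.location.strip().upper() not in EQUIVALENT_JURISDICTIONS:
        problems.append(
            f"processed in {entry.location}: outside the EU, needs adequacy check or legal advice"
        )
    return problems


def lint_register(entries) -> dict[str, list[str]]:
    """Map each entry name to its problems; clean entries are omitted."""
    report = {}
    for entry in entries:
        found = lint_entry(entry)
        if found:
            report[entry.name] = found
    return report


# Constructed sample register for a small online shop.
SAMPLE_REGISTER = [
    RegisterEntry("user registration", "Shop Ltd", "let users hold an account",
                  "Contract", ["email", "password"], "account lifetime",
                  "hashed passwords, TLS", "EU"),
    RegisterEntry("newsletter", "Shop Ltd", "promote new products",
                  "Legitimate interest", ["email", "health"], "until objection",
                  "TLS", "EU", shared_with=[("MailTool Inc", "US")]),
    RegisterEntry("payroll", "Shop Ltd", "pay staff", "Legal obligation",
                  ["name", "salary"], "", "encrypted file share", "EU",
                  shared_with=[("PayrollCo", "EU")]),
]

if __name__ == "__main__":
    for name, problems in lint_register(SAMPLE_REGISTER).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Run as a script, the linter reports the newsletter entry twice (health data shared on legitimate interest, and a transfer to the US) and the payroll entry once (no retention period); the registration entry is clean.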
6. Honour data subject rights
GDPR puts all of us in control of our personal data, which is one of the great benefits of the regulation. Whenever organisations process our personal data, GDPR gives us a set of rights we can call upon. Examples are: the right to be informed, the right to withdraw consent, the right to access your data, the right to be forgotten etc. You are no longer powerless, you can exercise those rights at any time.
Not only do you need to inform your users, you also need to implement the appropriate processes within your organisation to ensure you can swiftly act on requests from individuals. GDPR typically provides organisations with a month of response time. We advise you to set up a dedicated privacy mailbox, so no data subject request gets missed. If desired, you can also look at outsourcing these tasks to parties that offer Data Rep and DPO type services.
7. Consent
Consent is probably the least loved GDPR topic, given that almost every website forces you to wrestle past a cookie consent popup before you can reach the actual website. Before we elaborate on the cookie part, you already understand from the above that consent is one of the 6 legal bases that GDPR allows for any processing of personal data.
There are a number of requirements for capturing consent. Consent should be…
- Given Freely
The individual should be offered a real choice, without being pressured into giving consent, for example by labouring any negative effects of refusing. As a result, an employer requesting consent from its employees for some processing will rarely be considered freely given. For instance, if a quiz app requests your consent to track your location, and location tracking is not essential to playing the game but the app does not function without your consent, then here too the consent is not considered freely given.
- Specific
Consent should be requested for each specific purpose. In other words, when the processing has multiple purposes, consent should be given for each of them separately. For example, you cannot request consent for a newsletter, a feature and the sharing of data with commercial partners all at the same time. Users should be able to consent to, and withdraw consent from, any specific processing purpose.
- Informed
The request must be clear, concise and in plain language, and made prior to the processing taking place. At the same time, you should inform your users that they can withdraw consent at any time, and how to go about this. All consent related information should be clear and comprehensible, and by no means buried in some other legal or contractual clauses.
- Based on a clear affirmative act
Silence, pre-ticked boxes or inactivity do not constitute consent. An unticked checkbox on your website is fine, provided, of course, that you also cover the other consent requirements.
- Demonstrable
The data controller, i.e. the party mainly responsible for the processing, should at all times be able to demonstrate that the user has given their consent to the processing operation.
- As easily revoked as given
When it just takes the click of a checkbox on a website to consent, then revoking the consent should be as easy as that. A classic example is retailers who make it difficult to unsubscribe, for instance by insisting you call a number. This is not compliant, and you can easily challenge it, and even report it to your supervisory authority.
Importantly, do note that for special category data (GDPR Art. 9), such as medical data, consent should be explicit. Explicit consent goes beyond normal consent and requires, for example, a signature or an extra confirmation via email.
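The consent requirements above translate directly into the behaviour of a consent store. The following is an added example, not from the original article and not GDPRWise's code: a minimal server-side consent ledger in which consent is recorded per purpose and only for the boxes the user actually acted on (absent purposes stay unconsented, so pre-ticked boxes and inactivity never grant anything), every event keeps the notice version and method so consent can be demonstrated later, withdrawal is one call with the same cost as granting, and purposes involving Art. 9 data accept only an explicit method such as a signature or an email confirmation. The purpose names, notice versions, method names and the sample interaction are constructed assumptions.

```python
"""Added example (not from the original article or GDPRWise): a minimal
server-side consent ledger implementing the consent requirements listed above.
Purpose names, notice versions, method names and the sample interaction are
constructed assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed purposes; special_category marks processing of GDPR Art. 9 data.
PURPOSES = {
    "newsletter": {"special_category": False},
    "partner_sharing": {"special_category": False},
    "health_profile": {"special_category": True},
}
# Methods that count as "explicit" consent (a signature or an extra e-mail confirmation).
EXPLICIT_METHODS = {"signature", "email_confirmation"}


@dataclass(frozen=True)
class ConsentEvent:
    user: str
    purpose: str
    granted: bool
    notice_version: str   # the wording the user saw, kept so consent can be demonstrated
    method: str           # "checkbox", "signature", "email_confirmation", "self_service", ...
    at: datetime


class ConsentLedger:
    def __init__(self):
        self._events: list[ConsentEvent] = []

    def _record(self, user, purpose, granted, notice_version, method):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        # Special category processing needs explicit consent, not a plain checkbox.
        if granted and PURPOSES[purpose]["special_category"] and method not in EXPLICIT_METHODS:
            raise ValueError(f"{purpose} needs explicit consent, got {method!r}")
        self._events.append(ConsentEvent(user, purpose, granted, notice_version,
                                         method, datetime.now(timezone.utc)))

    def record_form(self, user, answers, notice_version, method="checkbox"):
        """Record one consent form. `answers` maps purpose -> True/False, one answer
        per purpose (no bundled "accept all"). Purposes absent from the form stay
        as they were: silence, pre-ticked boxes and inactivity never grant consent."""
        for purpose, granted in answers.items():
            self._record(user, purpose, bool(granted), notice_version, method)

    def withdraw(self, user, purpose):
        """Withdrawing is a single call, as easy as granting was."""
        self._record(user, purpose, False, "withdrawal", "self_service")

    def has_consent(self, user, purpose) -> bool:
        """The latest event for (user, purpose) decides; with no event the answer is no."""
        for event in reversed(self._events):
            if event.user == user and event.purpose == purpose:
                return event.granted
        return False

    def evidence(self, user, purpose) -> list[ConsentEvent]:
        """Full history for demonstrating consent, e.g. to a supervisory authority."""
        return [e for e in self._events if e.user == user and e.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_form("alice", {"newsletter": True, "partner_sharing": False}, "notice-v3")
    print("newsletter:", ledger.has_consent("alice", "newsletter"))          # True
    print("health_profile (never asked):", ledger.has_consent("alice", "health_profile"))  # False
    ledger.withdraw("alice", "newsletter")
    print("newsletter after withdrawal:", ledger.has_consent("alice", "newsletter"))  # False
    for event in ledger.evidence("alice", "newsletter"):
        print(event.at.isoformat(), event.purpose, event.granted, event.notice_version, event.method)
```

The ledger never deletes events, because the withdrawal itself is part of the evidence the controller must be able to produce; what the user may currently be contacted about is always the latest event, and a purpose the user was never asked about reads as "no consent".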
Aha, yes! And what about those dreaded cookie consents?
A cookie (also called a web cookie, Internet cookie or browser cookie) is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is visiting the website. GDPR put the spotlight on cookies, as they were typically saving bits of personal data upon visiting a website, without your knowledge. You could compare public internet websites with public areas in the real world. How would you feel if, in the real world, someone started harvesting personal details about you without any notice, or without you being aware of it?
Cookies were designed for websites to remember information the user previously entered on the website, e.g. names, addresses, credit-card numbers etc. They also remember whether you are logged in, or record settings and preferences you have on the site. Cookies that contain personal data should be encrypted to prevent hackers from reading the information within, or from using it to gain access (with the user’s credentials) to the website the cookie belongs to. So, do confirm with your software vendor and IT support teams what type of cookies your website or internet software sets, and whether their content is encrypted.
A special category of cookies are the tracking cookies, which are commonly used to compile long-term records of individuals’ browsing history. Given that this practice very clearly consists of the collection of personal data, it is in scope of GDPR. GDPR insists that all personal data collection be minimal and substantiated, i.e. that it has a legal basis.
Given its often questionable motives, with no real link to the service the customer is after, one is left with asking users nicely whether they want to be subjected to it. In other words, asking for consent in line with the consent requirements stated above.
8. Implement appropriate security measures
No privacy without good security. You can have the best privacy arrangements, however when your security is not up to scratch, it will inevitably lead to unauthorised disclosures.
Important to note is that security is not one thing, but a collection of approaches, practices and measures that are only as strong as their weakest link. We have created a knowledge base item Data Security – what to consider for your benefit. The associated knowledge base items also include practical tips, such as a list of questions you can put to your IT support partner.
When you are up to speed with the basics on data security, you and your IT support partner, are advised to leverage your GDPR register, and to work through the list of systems being used. As a minimum, you want to review the aspects below:
- Is the physical security appropriate?
Is the system in a physical location that is appropriately safe and secure? For world-renowned cloud systems (e.g. Microsoft.com, Shopify.com), the answer is mostly yes, evidenced by the security certifications they have obtained and published. For any systems your firm hosts, you want to make sure you have appropriate measures in place to ensure that only specific people can access the premises, office, shop, server room, filing cabinet etc. For the inevitable paper documents most firms still hold, we have created a dedicated knowledge base item, Data Security for paper documents.
- Is the system & software security appropriate?
Do check out our dedicated knowledge base item, Security for systems and software – principles, to further explore this topic. There are a number of aspects you should review and measures you can apply. Some examples: do all systems have the latest security patches applied? Do all systems have appropriate access control enforced? Where possible, do you have two-factor authentication enabled? Does the system enforce strong passwords? Can you remove or hide data items you do not use, in line with the GDPR data minimisation principle?
- Is data security appropriate?
For the SME there are two core aspects to check here: backups and data encryption. Confirm that systems are backed up and that those backups are kept in a safe place. At the same time, you want to test from time to time that a restore can be executed successfully. On the data encryption side, confirm that all personal data is encrypted both at rest and in transit. Do check out our dedicated knowledge base item, Data Security – what to consider?, for more information.
- Are all measures regularly reviewed?
Your security defences need regular review and updates. This holds true not only for your equipment and infrastructure, but also for the humans operating and using them. We want to emphasise the importance of not overlooking the human factor, as it has been proven over and over again to be the weakest link in a security and privacy defence. You need to ensure that the right security & privacy habits are taught and applied in the day-to-day running of your business. There are lots of online learning platforms that offer Security Awareness Training and Data Privacy Training at very affordable prices. It is important to ensure that all new joiners and all staff go through those training courses at least once a year; this is essential for running a secure and privacy compliant operation. It is also recommended that you implement a code of conduct that covers security & privacy as well as other ethical business practices.
9. Implement breach monitoring & reporting
The GDPR regulation defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, whether stored, transmitted or otherwise processed.
GDPR aims to ensure all firms take personal data seriously and look after it with great care. A data breach is a most serious event, with potentially serious repercussions both for the firm and for any of the persons affected.
You are therefore required to keep a log of any and all breaches; even the smallest incidents should be recorded. The log should describe the incident itself, its cause, the repercussions, the risk of future damage, the affected data and the measures taken to mitigate the risk of further damage. You can explore our template for such an incident log here.
It is vital that firms implement appropriate technical and organisational measures to avoid possible data breaches. At the same time, firms will need to make sure their systems are monitored for data breaches: one cannot report a personal data breach if one has no way of detecting it. Specialised software exists to detect system intrusions, and you should confirm with your software vendors and IT teams that it is deployed for your processing.
Not all data breaches are caused by malicious third parties like hackers. There are plenty of examples of accidental loss or accidental unauthorised access:
- A member of staff losing a USB stick/drive holding personal data files, with neither the drive nor the data files being encrypted
- A member of the sales staff accidentally posts a revenue report containing names and financial details from customers on the public website rather than the intranet team site
- A member of staff attaches the wrong file to an email, resulting in accidental disclosure of personal data
- A member of staff accidentally deletes client records leading to loss of personal data
A corporate culture where data security & privacy are a core value, will not only help prevent such accidents, it will often also help minimise the impact. The human factor and ensuring all staff go through regular security & privacy awareness training is key to establishing the right security & privacy culture.
10. Privacy by design
The end goal of GDPR is really to ensure that privacy is foremost and central for you and all organisations, across all their activities. As early as the stage of new ideas and plans, you should already have the privacy reflex: minimise the use, limit the purpose, capture the legal basis, be considerate of users’ rights, be mindful when sharing, consider how to inform users and ensure appropriate security measures. It should be second nature to you and your organisation to have privacy by design, or a privacy first approach. Privacy is a human right. Your users trust you to treat their personal data with the care it deserves.
We have also created a number of training videos which you might find useful, for example this video on the Essence of GDPR. The video is available in several languages.