GDPR Checklist: 5 Requirements you Must Act on for Compliance, With Examples

Learn which of GDPR’s requirements demand urgent action, how you should act on them to avoid common fines, and how to continue your compliance process.

So, what is GDPR? The General Data Protection Regulation is the new privacy law that came into effect in the European Union on May 25th 2018.

It’s not as if privacy protection is a new thing in Europe. In fact, it is expressly established in Article 8 of the Charter of Fundamental Rights of the European Union. However, the purpose of this law is to upgrade the old legislation from 1995 to be more up to date with the ever-changing technology landscape.

In This Article

Two Reasons Why GDPR Has Been Making Such a Fuss.
Has GDPR Affected Companies Since its Release?
5 Key Requirements That Demand Action.

Two Reasons why GDPR has Been Making Such a Fuss on the Internet:

First of all, on a territorial scope, GDPR regulates the processing done by a natural person or company established in the European Union. But it is also mandatory for companies located outside of it.

The European Parliament adopted the legislation in 2016

That means that any company that monitors behavior in the European Union, or that offers goods or services to data subjects located in the Union, must comply with it. As such, it doesn’t matter where you are located. If you are planning on having European users or customers, you must take it into consideration.

Secondly… fines. GDPR establishes the creation of independent public supervisory authorities in all member states that are in charge of enforcing the GDPR. According to the gravity of the infraction, they can impose fines that can go up to 2% or even 4% of the total worldwide annual turnover of the preceding financial year.

As you can imagine, this was done to ensure that there’s no company that is just “too big to comply”. Big company? Big fine.

Has it affected companies since release?

Yes, it has. While for the first months most national supervisory authorities decided on a more educational approach, guiding those who wanted to comply, several big fines have already been imposed. In Portugal, a hospital was fined €400,000 for giving doctors unrestricted access to other patients’ medical records.

In Germany, a social website got a €20,000 fine after a hack leaked over 1.8 million users’ emails, IDs, and passwords. More recently, in France, Google got a €50 million fine for failing to provide users with transparent and understandable information on its data use policies.

5 Key Requirements That Demand Action

While there’s a lot to do to get proper and thorough compliance, there are some steps you can take to cover the crucial aspects of the legislation. Let’s go over 5 key requirements that demand immediate action!

  1. Make a Personal Data Map.
  2. Be Transparent With Your Users.
  3. Ensure you Get Appropriate Consent.
  4. Develop With Your User’s Data Rights in Mind.
  5. Upgrade and Document Your Security.

1. Make a Personal Data Map.

The first step to compliance is to be aware of all the personal data that you are collecting. This includes cookies, mails, accounts and pretty much everything else you can think of. If you have information that allows you to identify a person, that’s personal data and needs to be accounted for.

Sample data flow diagram by LucidChart

2. Be Transparent With Your Users.

You must have full disclosure with your users regarding all of the personal data that you are storing. You must also properly identify and disclose the reason why you are collecting it, and whether it actually needs to be collected at all. The most common grounds for data collection are:

If at any time you want to process data for purposes other than those it was originally collected for, you should ask for additional consent.

What’s more, you should take into account whether there’s any link with the original purposes of the collection, and the context in which that personal data was collected.

For instance, you may not need additional consent if you are processing additional data to check for bugs, especially if the software is sending anonymized crash reports.

Example: Keep your Terms and Conditions and Privacy Policy ALWAYS up to date. Furthermore, you should also be completely thorough about all the processing that goes on behind the scenes. Switched to a new CRM? Yup, that also goes into your Privacy Policy.

3. Ensure you Get Appropriate Consent.

GDPR requires you to be able to demonstrate that the person has consented to the processing of their personal data. If the consent has been given in a written declaration, it should be presented in a manner which is clearly distinguishable.

A great example of granular consent by Woolworth's Australia

If you want to use someone’s email for a marketing mailing list, you need to expressly disclose this before collecting it. This disclosure must also use an easily accessible form with clear and plain language. If there is any infringement, the consent won’t be binding and you’ll be subject to a fine.

Additionally, the user has the right to withdraw their consent at any time. GDPR innovates in this area by demanding that withdrawing consent be just as easy as giving it.

One final consideration is that you should assess whether consent is actually being freely given, or whether it is obtained under a kind of duress by making it conditional on the delivery of a service when it’s not really necessary for that service to function.

Example: Forget about having your users just click “agree” on a registration form. You must be honest from the get-go about what you are doing with all the information you are collecting. All email subscriptions should disclose whether the emails sent contain commercial information, and provide the user a way to say no to that. This is especially true when you are sending their data to third parties.

4. Develop With Your User’s Data Rights in Mind.

One of GDPR’s key points is the rights it establishes for users. These rights give them more control and visibility over the data they are sharing. Accordingly, a company cannot refuse any request that relates to the exercise of these rights, unless it can prove it’s not possible to identify the data subject. We’ll go over the common ones.

Users have the right to information and access regarding their personal data. You should provide your users with information about the identity of the company that is processing their personal data, the purpose of that processing, and the third parties to which that information is being sent and for what purpose.

Then there’s the right to erasure, or right to be forgotten. The data subject can ask the controller to delete all of their personal data when:

A tricky one is the right to data portability. A user has the right to receive all the personal data they have provided to a company in a structured, commonly used format that allows them to transmit that data without issues.

Example: Have your developers merge all your different tracking into one easily exportable database. That way you can easily answer data subject requests and be sure that you’ve properly erased all of a user’s personal data. At Prey, we developed a React GDPR on Rails tool for these purposes.
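An added example (not Prey’s GDPR on Rails tool or any code from this article) of the single-registry idea above: every store that holds personal data is registered once, so an access/portability export and an erasure both walk the same list, and a post-erasure check shows whether any store was missed. The store names, subject ids and records are constructed for the example.

```python
# Added example, not Prey's code: one registry over every personal-data
# store, so access/portability exports and erasures cover the same places.
import copy
from datetime import datetime, timezone

# Constructed sample stores, each keyed by an internal subject id.
STORES = {
    "accounts":   {"u42": {"email": "ana@example.org", "name": "Ana"}},
    "newsletter": {"u42": {"email": "ana@example.org", "consent_marketing": True}},
    "crm":        {"u42": {"phone": "+00 000 000"}, "u7": {"phone": "+00 111 111"}},
}

def fresh_stores():
    """Working copy of the sample stores, so runs do not affect each other."""
    return copy.deepcopy(STORES)

def export_subject(stores, subject_id):
    """Right of access / portability: one structured document holding
    everything kept on the subject, grouped by the store it came from.
    An empty 'data' section is itself the answer 'nothing held'."""
    found = {name: dict(table[subject_id])
             for name, table in stores.items() if subject_id in table}
    return {
        "subject_id": subject_id,
        "exported_at": datetime.now(timezone.utc).isoformat(),
        "data": found,
    }

def erase_subject(stores, subject_id):
    """Right to erasure: delete the subject from every registered store and
    return a per-store report, so completeness can be demonstrated."""
    return {name: table.pop(subject_id, None) is not None
            for name, table in stores.items()}

def remaining_references(stores, subject_id):
    """Post-erasure check: any store still holding the subject is a gap in
    the data map, which is exactly what step 1 is meant to prevent."""
    return [name for name, table in stores.items() if subject_id in table]

if __name__ == "__main__":
    s = fresh_stores()
    print(export_subject(s, "u42"))
    print(erase_subject(s, "u42"), remaining_references(s, "u42"))
```

The export dict serialises directly with `json.dumps`, which gives the subject a commonly used, machine-readable format to hand to another provider.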

5. Upgrade and Document Your Security (Explained)

Although it’s not its main purpose, GDPR has certain rules regarding data security. Taking into account the state of the art, the costs of implementation, and the nature of the processing, you’ll have to implement technical measures to ensure the confidentiality and integrity of the personal data you are storing.

If the data breach does entail a high risk, then the controller must also communicate the personal data breach to the data subject without undue delay. How can you assess this risk? Each case is a particular story, but we recommend staying on the safe side.

Example: At Prey, we have documented our GDPR process for everyone to follow our updates, with detailed explanations on how we take action towards compliance.

Takeaways

Is it hard to comply with GDPR? Not at all. However, a lot of questions can come up in the process. Fortunately, if you had the user’s privacy in mind before, you’re probably on the right track already!

If you’re still doubtful, you should take a look at how GDPR affects IT management. Spoiler alert: it does, and it does so for the best. The truth is that understanding the core management needs will ensure you stay in line with upcoming regulations.

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.