The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world, yet few organizations are completely compliant with its statutes.
Complacency is dangerous territory. Non-compliant entities could be fined up to £18 million or 4% of annual global turnover (whichever is greater).
This post clearly outlines the standards set by the GDPR and provides a checklist to help organizations remain compliant.
What is the General Data Protection Regulation (GDPR)
The GDPR is a product of the European Union’s audacious data protection reform. The strict privacy standards were put into effect on May 25, 2018. This cybersecurity framework aims to protect the personal data of all people in the European Union.
The GDPR updates the 1950 European Convention on Human Rights to make it relevant for the digital age. Article 8 of the convention states that everyone has the right to respect private family life.
In the analog era that birthed the convention, the boundaries between public and private life were bold and easily identified. Today, they’re ambiguous and blurred. Without a clear and enforced standard like the GDPR, customers can never be confident that their private data, and therefore their private life, is being respected.
What is Considered Personal Data Under the EU GDPR?
According to Article 4 of the GDPR, personal data is defined as any information that relates to an identified or identifiable natural person. In other words, personal data is any data that is linked to the identity of a living person.
This doesn’t only include direct associations, such as financial information and addresses, but also indirect links such as evaluations relating to the behavior patterns of a person.
The definition of personal data is also format-agnostic, so it could include images, video, audio, numerals, and words.
Inaccurate information relating to data subjects is still considered personal data because this information is linked to an identity. If, however, the information is associated with a fictional entity, it’s not considered personal data. For example, if you refer to a fictional character residing in a fictional location, that is not considered personal data.
Who Does the GDPR Apply to?
The GDPR impacts any organization that offers goods and services to people in the EU, this includes entities that are not located in the EU. If you run a business online, you can never know for certain whether the people you transact with are located in the EU. For this reason, all online businesses should be GDPR compliant as a protective measure at the very least.
Personal data is funneled into two categories - to those that control the data and those that process the data.
The GDPR defines a controller as any individual, public authority, agency, or another body that determines the purpose and means of processing personal data. Controllers decide how personal data is processed.
For example, a music school uses a digital screen to notify parents in the waiting room when each teacher is ready. The screen displays the name of each child and the room number of their music lesson.
The music school is classified as the “controller” of personal data since it decides how the notification system should process all of the data.
The GDPR defines any individual, public authority, agency, or another body that processes personal data on behalf of a controller. Because processors are carrying out the data processing rules set by a controller, they’re not making decisions about how personal data is handled.
For example, a software company hires a marketer for an upcoming email campaign. The marketer is supplied with the names and email addresses of all leads so that personalized email can be sent to each one.
The software company is classified as the controller of personal data since it determines how the data should be handled. The marketer is classified as the “processor” since they’re carrying out the software company’s data processing instructions.
Even though processes are just following controller instructions, they are still expected to be GDPR compliant alongside processes because they’re handling personal data.
10 Step Checklist to be GDPR Compliant
The following checklist will help businesses assess their current GDPR compliance status and also reform poor data handling practices to become more compliant.
1. Know all of the data you are collecting
If you don’t know how personal data flows through your internal systems, you don’t know how it is controlled. Here’s a simple 7 category framework for mapping all data sources with an example of an ebook download process:
- Ebook download form
- Full name.
- Email address.
- Business name
Reason for data collection
- Creating sales leads
How is collected data processed?
- Stored in the Mailchimp database.
- Accessed by internal email marketers.
When is the data disposed of?
- All unsubscribed leads are manually deleted from Mailchimp every 30 days.
Do you have consent to collect this data?
- Yes, the ebook download form included a message saying that all entries are added to the email list.
Does the collected data include sensitive information?
- Yes, full names and associated email addresses.
This filtration protocol should be applied to all internal data until you can confidently map the lifecycle of all data feeds.
Because the GDPR is focused on sensitive data protection it’s important to identify all instances of it and to classify each record by level of sensitivity.
The higher the sensitivity of data, the easier it is to identify and compromise an individual. Personally Identifiable Information (PII) is considered very sensitive and should be defended with the highest level of cybersecurity.
Are IP addresses classified as personal data?
IP addresses are classified as personal data if they can be linked to the identity of a person. For example, if a user’s IP address is collected alongside their email address, that would be considered personal data because the identity of the person is linked to their email address.
All personal data of people in the EU is strictly subject to GDPR compliance. If you're not sure if the IP addresses you collect are classified as personal data, refer to the supervisory authority in your EU state.
2. Appoint a Data Protection Officer (DPO)
Article 37 of the GDPR states that both controllers and processes need to appoint a Data Protection Officer (DPO) to oversee the data protection strategy. Note that even processes are expected to have a data protection strategy even though they’re just following data handling instructions set by processors.
According to the GDPR, an organization must appoint a DPO if any of the following conditions are met:
- If data is processed by a public authority
- If collected data undergoes systematic monitoring
- If collected data is processed at a large scale
Unfortunately, the GDPR doesn’t define how large “large scale” is. Because of this ambiguity, many organizations are opting to appoint DPOs just to be safe.
Organizations should appoint DPOs where their data processing operations are centralized, even if it’s located outside the EU. If an organization is located in the EU, a DPO should be stationed in the member state of the company’s headquarters.
Ideally, the DPO should speak the same languages as the GDPR regulators in that state. This will help organizations understand, and therefore comply with, the GDPR nuances of that state.
Article 39 of the GDPR says that a DPO should be capable of completing the following duties:
- Confidently advising both controllers and processes of best GDPR compliance practices
- Monitoring data handling to ensure GDPR compliance
- Provide accurate advice about data protection impact assessments
- Act as the primary point of contact for all data processing inquiries
- Act as the primary point of contact between the company and GDPR regulators
- Have a clear understanding of all the potential risks associated with different processing operations
To effectively carry out these responsibilities, a DPO should possess expert knowledge of GDPR laws and best practices.
3. Create a GDPR diary
A GDPR diary, or a Data Register, is a comprehensive record of how an organization is practicing GDPR compliance. This would need to be created after identifying all of your data sources (point 1 in this list).
A GDPR diary should map the flow of data through your organization, the more details that can be included the better. In the event of an audit, the GDPR diary will serve as proof of compliance.
If your organization suffers a data breach in the process of instituting a compliance framework, the GDPR diary can be used as proof of progress towards improved data security.
A third-party attack surface monitoring solution helps organizations identify and remediate all data breach vulnerabilities in their vendor network.
The early implementation of such a solution demonstrates an organization's dedication to protect customer data.
4. Evaluate your data collection requirements
To be GDPR compliant, you should only be collecting data that you absolutely need. Accumulating sensitive data without a compelling reason will signal alarm bells for the supervisory authority monitoring your compliance.
All data requirements should be scrutinized through a Privacy Impact Assessment IPIA) and a Data Protection Impact Assessment (DPIA). These impact assessments are mandatory when the data collected is highly sensitive.
The classification of “sensitivity” is at times subjective. To avoid confusion, here are some instances that would require the completion of a DPIA.
- When your organization is utilizing new technology
- If you’re tracking the location of individuals
- If you’re tracking the behaviour of individuals
- If your data is associated with children
- If you’re using data for automated decisions that could have legal consequences
- If you’re monitoring publicly accessible areas
- If you’re processing personal data such as:
- Religious views
- Ethnic origins and identities
- Political opinions
- Genetic data
- Biometric data
- Philosophical beliefs
- Health records
- Sexual orientations
Data Protection Impact Assessment (DPIA) template
The Information Commissioner's Office for the UK has created a DPIA template that can be used as a guide for data protection assessments.
This template provides a deeper context into the activities that require a DPIA to help you decide whether your particular processing activity requires an assessment.
5. Instantly report data breaches
Immediate data breach notification is a mandatory GDPR requirement. According to article 33 of the GDPR, both controllers and processors need to report data breaches within 72 hours.
The hierarchical reporting structure is as follows:
Processors need to report data breaches to controllers, and controllers need to report to a supervisory authority.
A supervisory authority, also known as a Data Protection Association or DPA, is responsible for monitoring and enforcing GDPR compliance. They are also the primary contact for all GDPR inquiries for an organization.
Supervisor authorities are usually located in the EU state an organization is based. The GDPR empowers DPAs to impose non-compliance fines on both controllers and processors.
6. Be transparent about data collection motives
Your customers need to be aware of all the data you’re collecting about them. Clandestine data collection will only lead to a hefty non-compliance fine.
Data collection acknowledgment needs to be clearly displayed at every data collection point - before any data is collected.
Here are some common website locations that display data collection notifications:
Website forms should clearly state how all collected data will be used. Avoid complex phrasing or the use of jargon, your messaging should be clear and concise.
Pre-ticked consent boxes are not permitted. Individuals need to always be aware that they’re consenting to data collection.
Cookie collection notices
The GDPR classifies cookies that identify users as personal data collectors, as a result, they need to be regulated. Organizations can still use cookie data provided that they meet the following GDPR requirements:
- Organizations must clearly specify how cookie data will be used.
- All user consents must be documented and stored.
- Website access should not be impeded if cookie use consent is not provided.
- Users should have the ability to seamlessly withdraw cookie use consent..
Here’s an example of a cookie notice that specifies how cookie data will be used. This notice allows users to be in complete control of the specific cookie data they are willing to relinquish.
7. Verify the age of all users consenting to data processing
The GDPR only permits personal data processing for persons at least 16 years of age. To lawfully collect personal data from individuals younger than that, consent must be given by the holder of parental responsibility for the child.
If there's a chance that EU citizens under the age of 16 will be engaging with your website, you must incorporate an age verification process to verify the age of users before collecting any data.
If personal data processing of underaged users is required, a separate parental consent process is required.
8. Include a double opt-in for all new email list sign-ups
To confidently acknowledge that all of your subscribers have consented to sign up to your email list, you should include a double opt-in process for all new sign-ups.
When double opt-in is enabled, a person is not added to an email list until they confirm their consent twice. The first consent happens when the signup form is completed, and the second consent occurs when a user clicks the confirmation link in the email that’s automatically sent to them after filling out the form.
The GDPR does not explicitly state that a double opt-in process is mandatory but it is highly recommended. By implementing a double opt-in for all new email sign-ups, you’re further verifying that users are consenting to relinquish their data, which demonstrates your dedication to the data protection standards set by the GDPR.
10. Regularly assess all third-party risks
The GDPR expects organizations to be continuously aware of all security risks and to have remediation efforts in place for each of them.
To effectively meet these requirements, organizations should implement a security scoring and risk assessment solution - ideally GDPR specific risk assessments.
VendorRisk by UpGuard represents the security risk of each vendor with a security score. This empowers organizations to instantly identify and remediate all of the security vulnerabilities of each vendor.
VendorRisk also includes a comprehensive library of risk assessments, including a GDPR standard security questionnaire, to ensure all third-parties remain compliant.
The key to a secure ecosystem is to consistently monitor for vulnerabilities and immediately remediate them. If your organization doesn’t have the necessary expertise or resources for such a dedicated effort, world-class CyberResearch analysts can manage the complete scope of your vendor security on your behalf.
UpGuard Helps Businesses Remain GDPR Compliant
UpGuard helps businesses maintain GDPR compliance by identifying and addressing specific security vulnerabilities impacting the regulation.
UpGuard also empowers businesses to track third-party compliance against popular regulations by mapping risk assessment responses to security controls. This identifies any compliance gaps placing third-party at a heightened risk of regulatory fines and data breaches.