GDPR Compliance and Preparation Guide for Companies Working with EU
If you are looking for information to prepare your company for GDPR compliance, this article offers a worked example. We work with clients around the globe, and some of them are in European Union countries, so we want to share general information about the law, its provisions and its principles.
GDPR compliance means understanding the principles of the law and preparing documentation that satisfies all of its requirements. You must also tell your EU customers clearly how you collect and process their data.
What Is GDPR?
GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. It protects the personal data of people within the European Union. Under Article 3 it applies to controllers and processors established in the EU, and also to those established outside the EU if they offer goods or services to people in the EU (whether or not payment is required) or monitor the behaviour of people in the EU. In other words, the law reaches foreign companies that process the data of people in the EU, not only EU-based ones.
Before it there was the Data Protection Directive (95/46/EC) of 1995. Because the GDPR is a regulation rather than a directive, it applies directly in all EU Member States from 25 May 2018 and does not need to be transposed into national law.
The text consists of 173 recitals and 99 Articles. It rests on three ideas set out in Article 1: the protection of natural persons with regard to the processing of their personal data, the protection of their fundamental rights and freedoms, and the principle that the free movement of personal data within the EU must not be restricted or prohibited on data protection grounds.
It is important to define how your company should act under the GDPR and what you must take into account to become compliant. The regulation applies not only to organisations established in the EU but also to those outside it that process personal data of natural persons because they sell or offer goods or services to data subjects in the EU, or monitor their behaviour there.
Among the factors that suggest a website or other online presence is aimed at EU customers (Recital 23), you can take the following into account:
- one of the EU languages is used on the website;
- the site accepts payments in euro;
- customers from the EU are mentioned on the website.
If one or more of these points applies to your company, you should follow the new law and protect your customers' data accordingly.
To complete your GDPR preparation you need to identify which of the roles defined in Article 4 your company takes. GDPR has two key definitions here: controller and processor.
A controller is a natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data.
A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, strictly on the controller's documented instructions, and keeps records of the processing it carries out.
Article 37 obliges you to appoint a Data Protection Officer (DPO) if you are a public authority, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if your core activities involve large-scale processing of special categories of data or criminal conviction data. Even where a DPO is not mandatory, you must still be able to show who is responsible for GDPR compliance in your organisation. (The 250-employee threshold that is often quoted belongs to the record-keeping duty in Article 30, not to the DPO requirement.)
From your company's side, you should understand which of these roles you take for each processing activity.
As an example, we suggest you look at the H&M Privacy Notice: it describes in detail who acts as controller and processor and names the DPO for the company. If you run a comparable business, pay attention to how every area in which the company operates is described, how it interacts with customers, and how it processes their information.
GDPR Personal Data Definition
One more important note concerns the categories of personal data. There is personal data, and there is sensitive personal data (the special categories); both may be processed, but under different conditions.
Personal data is any information relating to an identified or identifiable natural person, that is, a person who can be identified directly or indirectly, for instance by reference to an identifier such as a name, an identification number, location data or an online identifier (Article 4(1)).
Sensitive personal data is a special category of personal data described in Article 9. It includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person uniquely, health data, and data about a person's sex life or sexual orientation. Processing it is prohibited unless one of the conditions in Article 9(2) applies. Personal data relating to criminal convictions and offences is covered separately in Article 10.
Besides assigning the roles and defining the types of data you collect and process, you must follow the principles below when you do so.
Principles of Data Storage and Processing
Personal data should be processed according to the following principles:
- Lawfulness, fairness and transparency. Processing must be lawful, fair and transparent to the data subject.
- Purpose limitation. Data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
- Data minimisation. Data must be adequate, relevant and limited to what is necessary for the purposes; collect only the fields you actually need.
- Accuracy. Data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
- Storage limitation. Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing.
- Integrity and confidentiality. Processing must ensure appropriate security of the personal data, protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
Those principles, together with the accountability principle in Article 5(2) (the controller is responsible for, and must be able to demonstrate, compliance with them), are set out in Chapter 2 (Articles 5-11). You should also pay attention to every entity involved in processing, transferring and using the personal data.
Put simply, the GDPR regulates the protection of natural persons' data so that people can understand and control how companies use their details.
The Lawful Base for Data Processing
First, you must have a lawful basis for the processing, chosen from the six set out in Article 6. No basis is better than another, but most of them require you to show that the processing is necessary for the stated purpose. Having a lawful basis is how you satisfy the first principle: lawful, fair and transparent processing.
To identify your lawful basis, check Article 6. The six bases are listed below. Choose by defining the purposes of your processing, and document the choice, because it is hard to switch to a different basis later.
Consent means that the individual has given clear, affirmative permission for you to process their data for a specific purpose.
Contract means that the processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one.
Legal obligation means that the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests means that the processing is necessary to protect someone's life.
Public task means that the processing is necessary for you to perform a task in the public interest or to exercise official authority, and the task or authority has a clear basis in law.
Legitimate interests means that the processing is necessary for your legitimate interests or those of a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the individual. (Please note that this basis cannot be used by public authorities for processing carried out in the performance of their official tasks.)
If your purposes change, you may continue processing under your original lawful basis only if the new purpose is compatible with the initial one. Otherwise you need a new basis, and if the original basis was consent, you will usually need fresh consent for the new purpose.
You can use the ICO's interactive lawful basis guidance tool to work out the lawful basis for your company. If you process special category data (sensitive personal data) or criminal conviction data, you need both a lawful basis under Article 6 and an additional condition under Article 9 or Article 10 for handling that type of data.
GDPR Key Points
As mentioned before, it is important to understand which information is protected by the law. Let's look at the GDPR key points that will help you prepare your official documents, your website and your channels of communication with customers.
Before you describe to your customers how you collect their information, and document everything you do with it, you should understand the rights natural persons have under the law.
These are the eight rights that individuals have:
- the right to be informed,
- the right of access,
- the right to rectification,
- the right to erasure,
- the right to restrict processing,
- the right to data portability,
- the right to object,
- rights in relation to automated decision making and profiling.
You can familiarise yourself with all these rights in detail by reading Chapter 3 (Articles 12-23) of the GDPR.
Right to Be Informed
The first right is the right to be informed (Articles 13 and 14). You must tell individuals, in concise, transparent and plain language, who you are, what data you process and why, on which lawful basis, how long you keep it, who receives it, and what rights they have. How and when to deliver this information (privacy notices, layered notices, dashboards, just-in-time notices) is discussed further down in this section.
Right of Access
The second right is the right of individuals to access the information you hold about them, by making a subject access request. The law sets no formal rule on how a person must ask, so a request can arrive by email, letter, phone or even social media. Your employees and representatives who handle personal data must therefore be able to recognise a request when it happens and provide the person with their data, normally within one month and free of charge.
If the request is made electronically, you should provide the information in a commonly used electronic format. Whatever you send in response should be concise, understandable and accessible, using clear and plain language.
Right to Rectification
Article 16 describes the right to rectification. If an individual tells you that the data you hold about them is inaccurate or incomplete, you must rectify or complete it without undue delay, normally within one month, and tell any recipients you have shared the data with about the correction where this is feasible.
Right to Erasure
The next one is the right to have personal data deleted (the right to erasure, Article 17, also known as the right to be forgotten). You must respond to such a request without undue delay and at the latest within one month, but the right applies only in certain circumstances.
The data must be erased if it is no longer necessary for the purposes for which you collected it; if you rely on consent as your lawful basis and the individual withdraws it; if the individual objects and you have no overriding legitimate grounds to continue; if the data has been processed unlawfully; if erasure is required to comply with a legal obligation; or if you collected the data to offer information society services to a child.
Right to Restrict Processing
Individuals have the right to restrict the processing of their data (Article 18). It has close links to the right to rectification (Article 16) and the right to object (Article 21), and you must respond within one calendar month. A request to restrict processing is likely when an individual contests the accuracy of their data, when the data has been unlawfully processed but they prefer restriction to erasure, when you no longer need the data but they need you to keep it for a legal claim, or while you assess an objection they have raised. While processing is restricted you may store the data but not otherwise use it.
Right to Data Portability
The next right is data portability (Article 20), which allows individuals to obtain and reuse their personal data for their own purposes across different services. It lets them copy, transfer or move their personal data securely from one IT environment to another, for example to a competing service or to an application that uses the data to help them understand their own habits.
The right applies only to personal data the individual has provided to a controller, where the processing is based on consent or contract and is carried out by automated means. Pseudonymous data that can be linked back to the individual falls within its scope. The data must be supplied in a structured, commonly used and machine-readable format (for example CSV, JSON or XML).
The Right to Object
Article 21 gives individuals the right to object to the processing of their data, that is, to ask you to stop processing it. You must respond within one calendar month.
The right applies to processing based on legitimate interests or public task (where you must stop unless you can demonstrate compelling legitimate grounds that override the individual's), to direct marketing (where you must always stop), and to processing for scientific or historical research or statistics. You must tell individuals about their right to object at the latest in your first communication with them, clearly and separately from other information.
Rights in Relation to Automated Decision Making and Profiling
Article 22 gives individuals additional rights where you carry out solely automated decision-making, including profiling, that has legal or similarly significant effects on them.
A decision is solely automated when there is no meaningful human involvement in making it. You may only make such decisions if they are necessary for entering into or performing a contract with the individual, authorised by EU or Member State law, or based on the individual's explicit consent. Even then you must give the individual the right to obtain human intervention, to express their point of view and to contest the decision.
Coming back to the right to be informed: if you collect personal data directly from individuals, you must give them privacy information at the time you collect it. If you receive the data from other sources, you must provide the privacy information within a reasonable period and no later than one month, or at the first communication with the individual, or when you first disclose the data to someone else. You do not need to provide it if the individual already has it, or if providing it would involve a disproportionate effort.
It could be a layered approach, as Google uses: a short notice with general information, with additional layers giving the detailed information. We also used this approach to present all of our policies on the main page. You can check our Data Protection Policy by following the link.
The second approach is a dashboard. These are management tools that show people how you use their data and let them control what happens with it.
Just-in-time notices deliver focused pieces of privacy information at the moment you collect each individual piece of data about people.
Icons are symbols that signal the existence of a specific type of processing.
On your online store or website you can also place notification messages, such as pop-ups, voice alerts and mobile device gestures. These relate to mobile and smart device functionality and how you can reach people through them.
Let's move on to the cookie requirements. Not everyone knows that a cookie is a small file that a website stores on the user's computer when they visit it. Cookies are used for user identification, storing personal preferences and settings, and analytics. Sites with restricted access need cookies to keep you logged in, so you have to accept those to use the site. Cookies can also be dangerous because they allow tracking of user actions across sites and de-anonymisation. Under the GDPR, cookie identifiers that can be linked to a person are personal data (Recital 30), and the ePrivacy rules require the user's consent before you set any cookie that is not strictly necessary for the service they asked for.
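The split between strictly necessary cookies and cookies that need prior opt-in is a server-side decision, so here is an added example (not code from the original article) of how a web application can enforce it when emitting Set-Cookie headers. The cookie names and categories in COOKIE_CATALOGUE are assumptions for illustration; every cookie is also given the Secure, SameSite and (where appropriate) HttpOnly attributes, which is the hardening a security reviewer would expect regardless of consent.

```javascript
// Added example, not code from the original article: emitting Set-Cookie
// headers so that only strictly necessary cookies are set before the visitor
// has opted in, and every cookie carries hardening attributes. The cookie
// names and categories in COOKIE_CATALOGUE are assumptions for illustration.

// Assumed catalogue: which cookies the service cannot work without
// ("essential") and which are optional and need a recorded opt-in first.
const COOKIE_CATALOGUE = {
  session_id:   { category: "essential", httpOnly: true,  maxAge: 3600 },
  csrf_token:   { category: "essential", httpOnly: false, maxAge: 3600 },
  analytics_id: { category: "analytics", httpOnly: false, maxAge: 30 * 86400 },
  ad_tracker:   { category: "marketing", httpOnly: false, maxAge: 365 * 86400 },
};

// Build one Set-Cookie header value. Secure keeps the cookie off plain HTTP,
// SameSite=Lax keeps it off cross-site requests (CSRF), and HttpOnly keeps
// server-only cookies out of reach of page scripts (XSS).
function buildSetCookie(name, value, spec) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  // Reject separators, quotes and control characters so a value cannot
  // smuggle extra attributes into the header.
  if (!/^[\x21-\x7E]*$/.test(value) || /[;,\\"]/.test(value)) {
    throw new Error(`invalid cookie value for ${name}`);
  }
  const parts = [`${name}=${value}`, "Path=/", `Max-Age=${spec.maxAge}`, "Secure", "SameSite=Lax"];
  if (spec.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// `values` maps cookie names to the values the application wants to set;
// `consent` is the visitor's recorded choice, e.g. { analytics: true }.
// Essential cookies are always set; any other category only with an explicit
// true for that category (absent or false means no consent, never a default yes).
function cookiesForResponse(values, consent) {
  const headers = [];
  for (const [name, value] of Object.entries(values)) {
    const spec = COOKIE_CATALOGUE[name];
    if (!spec) throw new Error(`cookie not in catalogue: ${name}`); // unknown cookies are never set
    const allowed = spec.category === "essential" || consent[spec.category] === true;
    if (allowed) headers.push(buildSetCookie(name, value, spec));
  }
  return headers;
}

// Optional categories the visitor has not opted into; the banner shows these
// as unticked boxes, because a pre-ticked box is not valid consent.
function categoriesStillNeedingConsent(consent) {
  const optional = new Set(
    Object.values(COOKIE_CATALOGUE).map(s => s.category).filter(c => c !== "essential"));
  return [...optional].filter(c => consent[c] !== true).sort();
}
```

The `consent` object is whatever your banner stored after the visitor's affirmative choice; the point of checking `=== true` is that a missing key, `undefined` or a truthy string like `"false"` never unlocks a category. Keeping the catalogue as the single source of truth also means a new tracking cookie cannot be set anywhere in the code base until someone has classified it.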
As well as respecting the right to be informed, remember that your stated purposes for collecting and processing data may differ from what you actually do with it. If you sell, buy or obtain personal data from publicly accessible sources, or, for example, apply AI to personal data, you need to tell people specifically what you are doing with their data.
Consider all sides of the law and of your interaction with clients, and use a blended approach to deliver the information to individuals in a transparent way.
Children’s Data Protection
If you process the personal data of children, they need particular protection. Under Article 8, where you offer online services directly to a child and rely on consent, a child under 16 cannot give that consent themselves: you need the consent of a parent or guardian and must make reasonable efforts to verify it. Member States may lower this age to 13, and the UK Data Protection Bill does so, so in the UK only children aged 13 or over can give consent themselves.
Privacy by Design
Article 25 requires data protection by design and by default: build data protection into your processing from the start (for example pseudonymisation, encryption and access controls), and by default process only the personal data that each specific purpose needs, with the minimum amount, storage period and accessibility. A consent checkbox that is unticked by default, and a contact form with only the fields you actually need, are simple examples of the same idea.
Data Processing for Marketing Purposes
An important point for all businesses is the restriction on processing data for marketing purposes. Article 21 gives individuals an absolute right to object to the processing of their data for direct marketing, including profiling for that purpose. Processing for direct marketing can nevertheless be lawful: Recital 47 says it may be regarded as carried out for a legitimate interest, as long as the individual's interests and rights do not override it and they can object at any time.
Email marketing is generally allowed only if the person has given you permission. There are exceptions, however: under the ePrivacy rules you may email your existing customers about similar products or services, or people whose details you obtained during a sale or negotiations for a sale, provided they were given a simple way to refuse at the time and in every message.
In general, you need to provide an unticked opt-in box so that people can choose whether to receive messages or emails. You must also ask separately for consent to pass details to third parties, and state clearly how and when people can agree or disagree to receiving your materials by email, phone or any other channel.
Controllers and processors each have their own documentation obligations (Article 30). If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you must still keep records of processing that is not occasional, that could result in a risk to the rights and freedoms of individuals, or that involves special category or criminal conviction data. Your record should include:
- The name and contact details of your organisation and, where applicable, of any joint controller, your representative and your data protection officer.
- The purposes of the processing.
- A description of the categories of personal data and of the categories of individuals.
- The categories of recipients of the personal data.
- Your lawful basis for each purpose.
- A description of your technical and organisational security measures.
- Retention schedules.
- Details of transfers to third countries, if any, including the safeguards in place for them.
Fines for Violation
If a personal data breach happens, Article 33 requires you to report it to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the risk is high, Article 34 also requires you to inform the affected individuals without undue delay, and you must keep an internal record of every breach whether or not you reported it.
Article 83 sets the conditions for administrative fines in two tiers. Infringements of the controller's and processor's own obligations (such as the rules on children's consent, records of processing, security, breach notification, impact assessments and DPOs) can cost up to EUR 10 million or, for an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
Infringements of the basic principles, the lawful bases for processing, the data subjects' rights or the rules on international transfers, and failure to comply with an order from a supervisory authority, can cost up to EUR 20 million or up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. Knowing this should motivate you to build your processes transparently and lawfully from the start.
How WEB4PRO Prepared to GDPR
First of all, we went to the official text of the GDPR. It has 99 Articles and covers all the questions regarding personal data protection and how companies should process information from users.
If you find the official document quite complex and do not have enough time to go deep into it, we suggest one more professional source that covers the GDPR: the Information Commissioner's Office, the UK's independent authority, publishes relevant information about information rights in the public interest. There you will also find checklists and a preparation guide for the GDPR.
We defined our lawful basis as contract and described how we collect data and what we use to communicate with our clients. We collect only a name, an email address and a Skype ID; as it is a contact form, there is also an optional question/request field.
These are the features we implemented on our website to comply with GDPR:
All the checkboxes must be ticked by the user manually. Please note that you cannot pre-tick a checkbox by default: under Recital 32, silence, pre-ticked boxes or inactivity do not constitute consent.
We added the same checkbox to our Subscribe form. If you collect personal data in other places, add a checkbox with a link to your policies to each of them.
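An unticked box in the HTML is only half of the control: the browser simply omits an unticked checkbox from the submitted form body, so the server must treat absence as "no", must not accept a template that ships the box already checked, and should store evidence of what was agreed to. The following is an added example (not the article's or WEB4PRO's own code) of that server-side handling; the field names (name, email, skype, message, policy_consent, newsletter_consent) and the policy version string are assumptions for illustration. It also shows the newsletter opt-in as a separate box, since bundling it with the policy acknowledgement would not be freely given, granular consent.

```javascript
// Added example, not the article's own code: server-side handling of a contact
// form with an unticked consent checkbox. The field names (name, email, skype,
// message, policy_consent, newsletter_consent) and the policy version string
// are assumptions for illustration.

// A box the template ships already checked is not valid consent (the user has
// taken no affirmative action), so reject such templates before deployment.
function hasPreTickedCheckbox(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs.some(tag =>
    /\btype\s*=\s*["']?checkbox\b/i.test(tag) && /\bchecked\b/i.test(tag));
}

// Browsers omit an unticked checkbox from the submitted body entirely, so
// absence means "no". Only an explicit affirmative value counts.
function checkboxTicked(raw) {
  return ["on", "true", "1", "yes"].includes(String(raw ?? "").trim().toLowerCase());
}

// Validate the parsed form body and build the record to store. `now` is
// injected so the timestamp is reproducible in tests. Returns
// { ok: true, record } or { ok: false, errors }.
function processContactForm(fields, policyVersion, now) {
  const errors = [];
  if (!checkboxTicked(fields.policy_consent)) {
    errors.push("policy_consent: the Data Protection Policy checkbox must be ticked");
  }
  const name = String(fields.name ?? "").trim();
  const email = String(fields.email ?? "").trim();
  if (!name) errors.push("name: required");
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("email: invalid");
  if (errors.length) return { ok: false, errors };

  // Data minimisation: keep only the fields this form's purpose needs and
  // drop anything else the client may have sent.
  const subject = {
    name,
    email,
    skype: String(fields.skype ?? "").trim() || null,
    message: String(fields.message ?? "").trim() || null,
  };
  // The consent record is what lets you demonstrate later what the person
  // agreed to, when, how, and to which version of the policy text.
  const consent = {
    purpose: "answer a contact request",
    policy_version: policyVersion,
    given_at: now.toISOString(),
    method: "unticked checkbox on the contact form",
    // Newsletter opt-in is a separate, optional box (granular consent);
    // it is never inferred from the policy checkbox.
    newsletter_opt_in: checkboxTicked(fields.newsletter_consent),
  };
  return { ok: true, record: { subject, consent } };
}
```

Run `hasPreTickedCheckbox` over your form templates in CI so a pre-ticked box cannot reach production, and store the returned `consent` object next to the contact record; the policy version and timestamp are what you will need if the person later withdraws consent or asks what they agreed to.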
As we mentioned before, it is important to take several vital steps:
- understand which information is protected by the law;
- assign the roles (controller, processor, and a DPO where required) and make someone responsible for the processing;
- define the purpose of each personal data processing activity;
- choose the lawful basis that corresponds to it;
- respect individuals' rights regarding their personal data;
- implement data security measures in your company;
- include information about the purposes of processing and the lawful basis in your contracts and official documents;
- add data protection features to your company website;
- inform your clients, customers and subscribers about the changes in your Data Protection Policies.
You should never:
- sell or pass personal data to third-party companies without a lawful basis and without telling the individuals;
- offer information society services to children under the age of 16 (or the lower age your Member State sets) without verified parental consent;
- send marketing newsletters to people who did not subscribe to them;
- violate the individuals' rights described in the GDPR.
As you can see, the GDPR covers all the main points regarding the protection of individuals' personal data. We have tried to describe the main aspects every company needs in order to get its documentation right and to follow all the principles of collecting and processing information safely and transparently. We hope that our company fully meets the GDPR requirements and that this guide will be helpful for you as well. Please remember that the GDPR applies from 25 May 2018, so make sure you have covered all the points highlighted above.
There are also some great additional sources for you to check:
- ICO Guide to the General Data Protection Regulation (GDPR)
- General Data Protection Regulation GDPR (official law in electronic format)
- GDPR Overview