Europe’s General Data Protection Regulation (GDPR) laws can affect how companies do business. If a company collects, stores and processes data from EU residents, it is required to be GDPR compliant with these privacy laws. Failure to do so could result in fines up to €20 million or four percent of the company’s global revenue, whichever is higher.
Whether a company is just starting to do business or expanding their presence in the European Union (EU), they need to consider GDPR compliance. Not only is it required for doing business in the EU, it’s always better to start as one means to go on. Putting a GDPR policy into place now ensures preparation for growth—no need to scramble to comply later.
GDPR compliance is easy with SixFifty. Read on to learn more about compliance requirements, then use our legal software tools to create your own privacy policy.
Who is Affected by the GDPR?
The GDPR was adopted by the EU on May 25, 2018. The regulation’s goal was to protect EU residents’ private data—that is, how the data is collected, stored and processed. Anyone doing business with EU customers, or collecting data from EU residents, is affected. These rules apply regardless of where a business is headquartered.
The GDPR regulates both data controllers and data processors. For example, if a website uses tracking cookies, EU visitors are protected by the GDPR. Cookies collect data about EU residents who visit the site, so privacy laws apply. Data collection and control isn’t limited to tracking cookies: if a company maintains customer databases, those databases must be GDPR-compliant.
Data processors are different. Once the data is collected, organizations may use it for certain purposes, such as email marketing lists or analyzing traffic. The entity who performs the processing tasks is considered the processor. They may be within the same company, or a third-party entity. Regardless, their process is regulated by the GDPR.
Because the GDPR’s standards are stricter than most American privacy regulations, businesses may need to rethink their entire organization’s privacy policies.
GDPR Compliance Requirements
There are seven key principles of GDPR, which guide the compliance requirements:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Each of these factors should be assessed and accounted for in a company’s GDPR privacy policy.
GDPR Compliance Checklist
Staying compliant with GDPR regulations is important. We’ve broken the requirements down into a simple compliance checklist:
- Know what data the company collects. First, companies need to know what kind of data they’re collecting and for what purpose. For example, they might collect full names, email addresses and birthdates for sales and marketing purposes. How is the data stored? How does the company purge data, and when? Do they have consent to collect the data?
- Appoint a data protection officer (DPO): Next, companies should appoint someone within the organization as the Data Protection Officer. The DPO will oversee the organization’s data collection and protection. It is their duty to ensure the organization is complying with all GDPR rules in all data collection processes.
- Create a data register: A data register maps the flow of data through the organization and shows how the organization is meeting compliance requirements. If there’s a breach, the data register serves as proof of compliance.
- Evaluate the data collection requirements: Companies need to know why they’re collecting data, and have a legitimate reason to do so. They should conduct a Privacy Impact Assessment (IPIA) and a Data Protection Impact Assessment (DPIA) to make sure they’re in compliance.
- Report data breaches immediately: Companies are required to report any data breaches to a supervisory authority within 72 hours.
- Be transparent about the company’s data collection: Companies should make sure that their customers and clients understand how their data is being collected and used.
- Implement age verification: Companies are required to verify the age of any user consenting to data processing. The age of consent in the EU is 16. If users are underage, their parents must consent for them.
- Implement double opt-in processes for email lists: Double opt-in processes ensure that your data collection is compliant, since the user has to consent twice.
- Periodically review and update the company’s privacy policy: It’s the company’s responsibility to review and update their privacy policy as needed. The company’s customers must be notified when the privacy policy changes.
- Re-assess the company’s risks: Finally, be sure to assess the company’s risks on a regular basis. If the company works with third-party vendors, they should ensure that the vendors follow GDPR collection and protection requirements.
SixFifty Solutions for GDPR Compliance
GDPR compliance is easy with SixFifty’s privacy toolset. Let our proprietary legal technology draft a complete GDPR privacy policy to protect your business.
If you’re ready to get started or have further questions, schedule a demo with SixFifty today.