GDPR requirements: How to be GDPR compliant
GDPR compliance is an operational task that some of the biggest companies in the world are struggling with. Even if your business distills GDPR compliance down to the basics, there are a lot of requirements that need to be put in place to make sure you are complying with the statute. Here are some of the basic elements:
- Obtaining consent
Your terms of consent must be clear. This means that you can’t stuff your terms and conditions with complex language designed to confuse your users. Consent must be easily given and freely withdrawn at any time.
- Timely notification of a breach
If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers (where your company is large enough to require a GDPR data controller). Failure to report a breach within this timeframe will lead to fines.
- Right to data access
If your users request their existing data profile, you must be able to serve them with a fully detailed and free electronic copy of the data you’ve collected about them. This report must also include the various ways that your business is using their information.
- Right to be forgotten
Also known as the right to data deletion, once the original purpose or use of the customer data has been completed, your customers have the right to request that you totally erase their personal data.
- Data portability
This gives users rights to their own data. They must be able to obtain their data from you and reuse that same data in different environments outside of your company.
- Privacy by design
The GDPR requires companies to design their systems with the proper security protocols in place from the start. Failure to design your data collection systems in the right way will result in a fine.
- Potential data protection officers
In some cases, your company may need to appoint a data protection officer (DPO). Whether or not you need an officer depends upon the size of your company and at what level you currently process and collect data.
Failure to comply with GDPR can result in some pretty hefty fines. The fines can range from 2% to 4% of the offending organization’s annual revenue. The higher fines are assessed for cases in which data infringement occurs, procedures for handling data aren’t in place, an unauthorized transfer of data occurs, or requests for customer data access are ignored. The lesser fines apply to other types of data misuse, generally tied to failure to prepare or report: failing to report a data breach, failing to notify your customers about the recent breach, or failing to administer the correct data protection protocols. The extent of the fines your company may be assessed depends on the severity of the breach and the compliance actions you’ve taken as a result of the breach.
How GDPR impacts your business
GDPR will bring about a new level of transparency in data collection, storage and usage. If your company has traditionally been secretive about its data, you’ll need to make a very dramatic turnaround to comply with the rights listed above and to put in place the ability to satisfy the other requirements of the GDPR.
For most companies, GDPR will result in an increase in compliance spending. Data collection, consumer identification, prompt reporting and responses, and data portability and deletion all have to be built into your entity’s IT and operating systems. Additionally, some companies and organizations will have to hire a compliance officer to help monitor and manage any data collection campaigns that they implement.