Following best practices for GDPR compliance is vital for all businesses, organizations, and individuals covered by the EU privacy law. Compliance places a significant burden on covered entities, and if best practices are not followed, a great deal of time and effort will be wasted on compliance work that could be put to much better use, such as on activities that increase revenue and profit.
Compliance with the EU General Data Protection Regulation (GDPR) has been mandatory since May 25, 2018, and it has never been more important. Data Protection Authorities across EU member states have now got to grips with the privacy regulation and are enforcing compliance with much greater vigor, and financial penalties are being imposed far more frequently.
Complying with the GDPR is not only about avoiding GDPR penalties, although that is very important. Companies that are fully compliant with the GDPR are viewed as more trustworthy, and if the privacy of customers is respected and companies can be trusted with consumers’ personal data, that should help to attract new business.
What is the Purpose of the GDPR?
Before delving into some of the most important best practices for GDPR compliance, it is worthwhile giving a recap on the importance of the GDPR and its aims. A simple but often disregarded initial step is taking the time to understand what the purpose of the GDPR is. Compliance does become easier if the purpose of the legislation is understood and its benefits are appreciated.
One of the main reasons the GDPR was introduced was to give individuals based in the EU more say in how their personal information is collected and used. Personal data are valuable to companies, and a great deal of money can be made from collecting, analyzing, sharing, and selling personal data. Individuals should have a say in how their personal data are collected and used, and companies should not be able to profit hugely from collecting and using personal data without consent. Companies should also not be allowed to continue to use personal data after an individual stops using their services.
The GDPR addressed this by giving EU citizens important rights over their personal data. The GDPR allows individuals to ask for a copy of the data held about them by a company, and shortened the deadline for complying with such requests to 40 days. Individuals can request changes to their data to correct errors, and have been given the “right to be forgotten” – to have their personal information erased – unless certain circumstances require the information to be retained.
The GDPR created standards to ensure a universal approach to how data are collected, stored, and shared across all EU nations, although the governments of member states still have some control over certain aspects and the sanctions that can be imposed. It has also fostered greater cooperation between the Data Protection Authorities in each member state. Overall, the aims of the GDPR have been largely achieved.
Key Best Practices for GDPR Compliance
Make Sure You Understand the GDPR Articles and Terms
In order to comply with all aspects of the GDPR it is essential that you understand the concepts and articles of the GDPR. You need to understand all of the key terms such as data subject, data controller, data processor, personal data, and sensitive personal data, and what each of those terms covers. You must make sure you have a thorough understanding of the requirements for data collection, data processing, user consent, the measures you need to implement to protect personal data, and what constitutes lawful processing of data and the data retention requirements.
Conduct an audit of personal data
You cannot implement safeguards to protect the personal data of data subjects if you are not aware of where all personal data are stored, and the only way to discover that is to perform a comprehensive, organization-wide audit. The audit will allow you to identify the information you are storing, where that information is stored, whether any copies are stored elsewhere (email accounts, for example), and how personal data are collected, transmitted, and processed. You also need to include data access in the audit – who has access to data, why they need access, and who is responsible for maintaining, updating, and deleting personal data. Without this knowledge, compliance will be difficult and time consuming, and you are almost certain to leave some data unprotected.
Develop and implement a data retention policy and automate as far as possible
Personal data can only be held for the length of time it takes to complete the actions for which consent to process was granted, after which the personal data must be deleted. You must determine how long personal data can be retained before they must be erased, and you must ensure that all copies of the data are erased, unless there is a lawful reason for retaining them. You should put efficient processes in place to manage data deletion, and automation is key.
When individuals exercise their right to obtain a copy of their personal data or their right to be forgotten, it can be difficult to comply with those requests in the required time frame without automation. The systems you use to collect personal data should be designed so that access requests can be honored and deletion requests can be processed with a few clicks of a mouse.
Conduct audits of service providers
Data controllers must review all service agreements with third-party companies that process personal data, and ensure that data processors know their responsibilities under the GDPR and are provided with clear instructions. The data controller must determine whether there is a lawful basis for processing personal data and communicate the permitted processing to any data processor they use. Under the GDPR, data controllers are responsible for their own compliance and for the compliance of their data processors. Data processors must only act on instructions from the data controller and must obtain approval before using a subcontractor, and contracts must state that data are to be returned or deleted at the end of the contract. This must be clearly communicated. Data controllers must also ensure that adequate data security mechanisms are in place at data processors and that staff have been appropriately trained.
Verify reporting processes are adequate
It is important to track all actions and activities associated with personal data and for an audit trail to be maintained, as Data Protection Authorities will require access to these data during compliance audits and breach investigations. Accurate documentation must be maintained covering internal processes, procedures, and management controls. It is a somewhat “guilty until proven innocent” situation where even without outward signs of violations, Data Protection Authorities may still require proof that all is above board or they may impose GDPR fines. All of this information should be stored in a central place where it can be easily accessed and provided to DPAs in a reasonable timeframe when requested.
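The retention, erasure and access-request handling described under the data retention section, together with the audit trail this section calls for, can be combined in one small automated job. The following is an added example written for this page, not code from the original article or from any regulator. The record schema, the processing purposes, the retention periods in RETENTION_DAYS and the sample inventory are all constructed assumptions; a real policy would derive the periods from the lawful basis and purpose recorded at collection time, and the "legal_hold" flag stands in for whatever lawful reason an organization has to retain data beyond the normal period.

```python
"""Constructed example: enforce a retention policy, honour erasure and access
requests across every stored copy, and log each decision for the audit trail."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Retention period in days per processing purpose (constructed sample policy).
RETENTION_DAYS: Dict[str, int] = {
    "marketing_consent": 365,
    "order_fulfilment": 730,
}

UTC = timezone.utc
AS_OF = datetime(2024, 6, 1, tzinfo=UTC)  # fixed "now" so the run is reproducible


@dataclass
class Record:
    record_id: str
    subject_id: str
    purpose: str
    collected_at: datetime
    location: str             # which system holds this copy (CRM, mailbox, backup ...)
    legal_hold: bool = False  # lawful reason to retain beyond the normal period


def is_expired(record: Record, now: datetime) -> bool:
    """True once the record is older than its purpose's retention period.
    A purpose with no documented rule raises, so undocumented data are never
    silently kept."""
    if record.purpose not in RETENTION_DAYS:
        raise ValueError(f"no retention rule for purpose {record.purpose!r}")
    return now - record.collected_at > timedelta(days=RETENTION_DAYS[record.purpose])


def _log(audit: List[dict], record: Record, action: str, reason: str, now: datetime) -> None:
    """One audit entry per decision: what was done, to which copy, and why."""
    audit.append({
        "at": now.isoformat(),
        "record_id": record.record_id,
        "subject_id": record.subject_id,
        "location": record.location,
        "action": action,
        "reason": reason,
    })


def apply_retention(records: List[Record], now: datetime, audit: List[dict]) -> List[Record]:
    """Scheduled job: return the records that survive, logging every erasure
    and every hold-based exception."""
    kept = []
    for r in records:
        if not is_expired(r, now):
            kept.append(r)
        elif r.legal_hold:
            kept.append(r)
            _log(audit, r, "retained", "legal_hold", now)
        else:
            _log(audit, r, "erased", "retention_period_expired", now)
    return kept


def erase_subject(records: List[Record], subject_id: str, now: datetime, audit: List[dict]) -> List[Record]:
    """Right-to-be-forgotten request: erase every copy of the subject's data in
    every location, unless a legal hold requires a copy to be retained."""
    kept = []
    for r in records:
        if r.subject_id != subject_id:
            kept.append(r)
        elif r.legal_hold:
            kept.append(r)
            _log(audit, r, "retained", "legal_hold", now)
        else:
            _log(audit, r, "erased", "erasure_request", now)
    return kept


def export_subject(records: List[Record], subject_id: str) -> List[dict]:
    """Subject access request: a portable copy of everything held about the subject."""
    out = []
    for r in records:
        if r.subject_id == subject_id:
            d = asdict(r)
            d["collected_at"] = r.collected_at.isoformat()
            out.append(d)
    return out


# Constructed sample inventory, as an organization-wide data audit might produce it.
SAMPLE_RECORDS = [
    Record("r1", "subject-A", "marketing_consent", datetime(2023, 1, 1, tzinfo=UTC), "crm"),
    Record("r2", "subject-A", "order_fulfilment", datetime(2023, 1, 1, tzinfo=UTC), "orders"),
    Record("r3", "subject-A", "marketing_consent", datetime(2023, 1, 1, tzinfo=UTC), "backup", legal_hold=True),
    Record("r4", "subject-B", "order_fulfilment", datetime(2024, 1, 1, tzinfo=UTC), "orders"),
]


def run_demo(now: datetime = AS_OF) -> dict:
    """Run the retention job, then an erasure request for subject-A, then an
    access request for subject-B; return surviving ids, audit trail and export."""
    audit: List[dict] = []
    live = apply_retention(SAMPLE_RECORDS, now, audit)
    live = erase_subject(live, "subject-A", now, audit)
    return {"live": [r.record_id for r in live], "audit": audit,
            "export_B": export_subject(live, "subject-B")}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The audit list is what a DPA would want to see: each erased or retained copy is recorded with its location and the reason, so a held backup copy that survives an erasure request is documented rather than silently left behind. Failing on an unknown purpose is deliberate: data whose purpose was never recorded is exactly the data an audit should surface, not data a cleanup job should quietly keep.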
Conduct regular risk assessments
Risk assessments are necessary to discover potential weaknesses in cybersecurity and data management processes. Data Protection Impact Assessments are a legal obligation under GDPR for some companies and allow them to discover the risks they face, and the possible harm that can be caused should a breach occur. All entities must take steps to minimize the risks to their IT systems and personal data to a low and acceptable level. If risk cannot be accurately ascertained, seek advice from your Data Protection Authority.
Ensure employees are provided with regular training
While it is important that management and higher-level staff members know how the GDPR will impact activities, this knowledge must be relayed to every member of the company. Every employee must play their part in GDPR compliance and must be given the necessary training to conduct their work duties in a manner compliant with the GDPR. Refresher GDPR training sessions should be conducted regularly to reinforce best practices for GDPR compliance.
Ensure you have formalized breach reporting policies and procedures
Even if you do everything possible to prevent a data breach or GDPR violation, there is still a chance that one will occur. You must have policies and procedures in place that can be implemented immediately, and staff members must be aware of their responsibilities. You only have 72 hours from the discovery of a data breach or violation to report it to your DPA.