Is your international company looking to meet General Data Protection Regulation (GDPR) compliance? Are you located outside of the European Union (EU) and trying to enforce GDPR best practices in your organization? No matter your reason for seeking GDPR compliance, our reliable 7-step checklist can help you achieve it. Data privacy is more important than ever, and every company that collects personal client data should be working hard to protect it.
What is the GDPR?
The General Data Protection Regulation (GDPR) is known as the toughest data privacy law in the world. It provides personal data protection to individuals in the EU (also known as data subjects) by requiring specific cybersecurity measures of any international organizations who may collect or target their Personally Identifiable Information (PII). The GDPR was made enforceable in 2018 throughout the European Union, and its best practices in data privacy are also used across the world in countries without similar legislation in place.
1. Establish a Comprehensive Record of the Flow of Data Throughout Your Company
The best option for a first step in GDPR compliance is conducting a comprehensive audit of the types of personal data you process, and who in your company has access to it. You could also call this processing activity the “flow of data” and it is important to recognize all the “stops” on its route. According to GDPR compliance laws, organizations greater than 250 employees (or those that process higher-risk data) must keep this flow of data in an up-to-date list at all times in order to present it to legislative regulators upon request. Of course, smaller organizations should also have this information at the ready because it will make other GDPR laws easier to follow.
A typical detailed list should include:
• the purpose of your company’s data processing • what kind of sensitive information you are processing from data subjects • who in your organization has access it to it • any potential third parties that have access to customer PII • the steps you are taking to protect this personal data • when or if you plan to erase customer PII.
2. Evaluate Data Collection Requirements
Once you’ve established the flow of data collected by your company, it’s time to evaluate your data collection requirements. Data protection must be considered any time you are collecting or processing a customer’s (or potential customer’s) personally identifiable information. According to GDPR law, processing personal data is actually illegal unless you can justify or demonstrate your need according to one of their six conditions, as well as other conditions that are related specifically to children or higher-risk data, such as health or genetic details. These six primary conditions include:
• consent from the data subject for their PII to be used for a specific purpose • processing is necessary to enter a contract or for contract performance • processing is necessary for legal obligations • processing is necessary to protect vital personal interests • processing is necessary for a task performed on behalf of public interest • processing is necessary for legitimate interests by the company or third party, falling within the fundamental rights and freedoms of each data subject, especially when they are a child
As for the collection of data itself, GDPR compliance requires following the principles of “data protection by design and by default,” which means that your company is aware of the purpose of data collection and protecting that data at all times. Data collection must always be processed lawfully and transparently, for a specific purpose, and only the minimum amount of information that is necessary may be collected. PII must also be encrypted wherever possible to help ensure data protection.
3. Create a Clear Protocol to Immediately Report Data Breaches
Unfortunately, whether on purpose or by accident, data leaks and breaches happen. But when your company has crafted a clear protocol in advance of a personal data breach (which is required for GDPR compliance), the process of communicating and reporting the breach will be much more efficient. According to the GDPR, if sensitive personal data from customers is exposed in a data breach, EU companies are required to notify their jurisdiction’s supervisory authority within 72 hours. For organizations outside of the EU, it recommended to notify the Office of the Data Protection Commissioner and/or local authorities. Your data subjects must also be informed of the breach, unless it is unlikely to put them at risk, which may be the case with encrypted data.
4. Appoint a Data Protection Officer for your Organization
Speaking of encrypted data, the next step to GDPR compliance is to appoint a company-wide Data Protection Officer, who can implement data protection best practices and evaluate the flow of data within the organization. GDPR law requires companies to have a Data Protection Officer if they operate within public authority, if data subject monitoring is done on a large scale, or the processing falls into one of the GDPR’s “special” data categories.
However, even if your company does not fall under these requirements, it is still highly recommended to appoint a DPO. This person should be an expert on data protection and processes, can be ultimately accountable for evaluating organizational personal data processing, as well as implementing proper protocols with your employees. Even when your technical processes are strong and secure, the human element of data collection can make breaches more likely. A DPO can create and enforce security policies that include practices like password best practices, two-factor authentication, device encryption, and VPNs.
5. Automatically Delete Data That Your Business No Longer Needs
Now that you’ve collected personally identifiable information from your data subjects, what do you do with it? Customers always have the right to see what personal data you have collected from them — and how you're using it. In addition to storing sensitive data securely, one of the other requirements of GDPR compliance states that companies must automatically delete data that your business no longer needs. Customers should also be able to easily stop their personal data from being processed, or have that data totally deleted upon request. This is also known as “the right to be forgotten” and the customer’s information should be deleted within about a month of contact.
6. Regularly Keep Private Policy Updated
If you are a data controller, you are required to write and maintain a privacy policy that is available for all data subjects to view. A data controller could include a private company, legal entity, incorporated association, public authority, or even an individual person, such as any self-employed professional. The Framework Program of the European Union, which helps provide detailed information about GDPR compliance, has provided a helpful template and and best practices to write a privacy policy for your business.
A privacy policy is a clear and concise public document that is easily accessible, and uses transparent and plain language to explain to customers, website visitors, etc. that you are collecting your data (and why), how it is processed, and the measures your company is taking to keep it safe. It is especially important that your privacy policy is easy-to-read if your company is addressing children. Your policy should be regularly updated in order to keep your data subjects well-informed and to stay up-to-date with data privacy trends.
7. Create Awareness of GDPR Guidelines Through Employee Education
The final item on our checklist is an effective GDPR compliance training programs for your employees. GDPR trainings are designed to provide a comprehensive understanding of the new EU legislation and its implications for organizations, as well as employees. EasyLlama’s GDPR course educates learners on this legislation’s comprehensive requirements, company regulations, and employee duties for the protection of personal data.
EasyLlama courses fit seamlessly into your existing workflow by making it easy to integrate with your favorite HRIS and LMS. Plus, our engaging Hollywood-produced videos and interactive quizzes improve knowledge retention and positively influence behavior when it comes to data protection and beyond. Ready to get your company in compliance with GDPR best practices? Sign up for your free course preview today to learn more about the EasyLlama features and integrations that can make your workplace training process more effective.
