Key GDPR Requirements Everyone Should Know
Despite having been around since May 23, 2018, many companies are still failing to comply with the EU’s General Data Protection Regulation. This is something that can largely be attributed to its complexity. In this article, we have compiled a brief list of key requirements companies need to keep in mind when working to fulfill the requirements set by the GDPR.
Privacy by Design
Privacy can no longer be a mere afterthought, introduced to fix issues that have already arisen, but must play a continuous role in every step of the design phase so that the final product, be it a website or an HR filing system, is privacy-friendly and compliant with the GDPR. One way of including privacy in design is via the minimization of data collection and processing. The less data is being collected, processed, and stored, the less a user’s privacy is invaded and the less risk there is of their privacy being breached. One example of data minimization is the way websites use IP addresses. Instead of collecting and processing complete IP addresses, some have started collecting and storing abbreviated addresses that serve the same purpose without infringing on the user’s privacy.
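As an added illustration of the IP-address abbreviation mentioned above (example code written for this article, not taken from any particular website's implementation), the following truncates the host-identifying bits of an address before it is stored. The prefix widths kept (24 bits for IPv4, 48 bits for IPv6) are an assumption chosen for the example; the log lines are constructed, not real traffic.

```python
import ipaddress

# Prefix lengths kept after truncation. These widths are an assumption made
# for this example (a common convention: drop the last octet of an IPv4
# address and the last 80 bits of an IPv6 address); a deployment should pick
# the width that still serves its purpose, e.g. coarse geolocation.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def truncate_ip(raw: str) -> str:
    """Return the address with its host-identifying bits zeroed.

    Raises ValueError for input that is not a valid IP address, so that a
    malformed value is never stored as if it had been anonymized.
    """
    addr = ipaddress.ip_address(raw.strip())
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # Build the network containing addr with the chosen prefix length;
    # strict=False lets ip_network zero the host bits for us.
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the client address (first field) of a web-server log line.

    Lines whose first field is not a valid address are returned unchanged.
    """
    parts = line.split(" ", 1)
    try:
        parts[0] = truncate_ip(parts[0])
    except ValueError:
        return line
    return " ".join(parts)


# Constructed sample lines in common log format (documentation ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Oct/2023:13:55:37 +0000] "GET /a HTTP/1.1" 200 12',
    '- - - [10/Oct/2023:13:55:38 +0000] "GET /b HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(anonymize_log_line(line))
```

Because the truncation happens before the value is written anywhere, the full address never enters the stored dataset, which is the point of minimization rather than later deletion.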
The requirements for consent have been raised. Passive acceptance of privacy and cookie policies, such as pre-ticked boxes or opt-out systems, is no longer sufficient. Instead, consent must be given via an active, affirmative action by the user. Moreover, when obtaining said consent, full and complete disclosure as to what is being consented to must be given. The requirements for consent if the user is a child are even stricter. A child can only give consent if they are 16 or older (individual EU countries are allowed to lower the age to 13). If the child is under 16, reasonable measures need to be taken to ensure that the parents are consenting. Furthermore, if content is directed at children, all information (i.e. privacy and cookie policies) has to be written in such a way that a child could understand it.
The right to portability is simply the right to transfer one’s data, requiring that users are able to transfer their data from one digital environment (e.g. service provider) to the next.
Upon request by a user, the company either collecting the data or having a third party do so needs to be able to provide an explanation of what data is being used for what purposes and, if possible, how long the data will be stored. If the company is using the data in order to profile, i.e. evaluate personal aspects of a user to analyze or predict their behavior such as the user’s performance at work or economic situation, it also needs to explain how the profiling system works and what consequences this might have for the user.
Requiring the possibility of erasure of personal data stems from the unprecedented right to be forgotten. The requirement regulates the deletion of personal information that has been exposed to the public. Individuals can request the deletion of their data by withdrawing their consent or by objecting to the processing of their personal data for direct marketing purposes. Furthermore, companies will have to delete data if (i) it is no longer necessary for the purpose it was originally collected for, (ii) the personal data was obtained unlawfully, (iii) the data was processed to offer services to a child, or (iv) there is another legal obligation the company needs to comply with. However, the right to erasure is not absolute. If there is a legitimate public interest or if there is an obligation under national law to store the data (e.g. for taxes or accounting), a company can, in some cases, refrain from deleting data despite an individual withdrawing their consent or objecting to the processing of their data.
If the data was passed on to third parties or has been made public (e.g. in an online environment), it is not enough for the company to simply delete the copy it holds. If it passed the data on to third parties, it must reach out to each recipient to notify them of their duty to erase the data, unless this is impossible or would require disproportionate effort. If the data has been made public, reasonable steps need to be taken to inform other controllers who are processing the data to erase links to and replications of the data. What is reasonable is determined by the technological tools available as well as by the cost of the implementation.
In the end, the key requirements can be summed up in a few short sentences. Privacy needs to be considered in the design process itself, which can take the form of minimizing the collection of personal data. The standard for consent is higher, especially for children. Lastly, the data collected must be transferable, its use transparent, and the data erasable. However, it is important to understand that full compliance with the GDPR is much more complex.
What to do now?
You might ask yourself: can I do this myself or do I need outside help? It is definitely possible to be GDPR compliant without outside help, especially for smaller companies. However, due to large fines and the complexity of the regulation, it is advisable to either study the GDPR more in-depth or hire a consultant.
Recommended Reading: What is GDPR? Understand the General Data Protection Regulation