Are you worried about your company’s EU General Data Protection (GDPR) compliance? Well, worry no more because we have prepared an easy-to-follow GDPR summary of all the requirements relevant to your business.
Here, we will discuss mostly the GDPR data privacy part, which focuses on ensuring that consumers can make their own decisions regarding data processing.
This summary will help you avoid hefty fines imposed for violating consumer rights. These fines can be as high as €20 million or in some cases 4% of the company’s worldwide annual revenue. Both options sound quite unappealing, right?
Following the GDPR requirements will ensure that you are building a trustworthy relationship with your customers or clients. And the more trustworthy you are, the longer your relationship will last.
Therefore, keep your revenue and customer satisfaction rate high by taking care of your GDPR compliance.
Let’s check those strict rules together! But first, let us introduce you to the GDPR basics.
A. The History: What Is GDPR?
The European Parliament created GDPR in April 2016 and replaced the Data Protection Directive from 1995. You can see that even three decades ago the EU officials have recognized the need to protect the consumer’s personal data. They had an idea of creating uniform data protection and data privacy law that would be applicable to all the member states.
Due to many data breaches at the beginning of the IoT era and later along with the mishandling of personal data, the demand for stronger regulations only kept increasing. In May 2018, the EU Commission imposed the final GDPR requirements that remain in effect today.
Many companies have seen that data privacy protection is needed, too. To avoid the financial and customer base damages they started developing and implementing new cybersecurity and data privacy policies and technology that will keep everyone’s data safe. And all companies that aim to become industry leaders should go that way.
According to the RSA Data Privacy & Security Report, 55% of European and US consumers claim that they wouldn’t hand over their data to a company that has been misusing or selling data without consent. Moreover, 54% of them reported they would avoid purchasing services or products from a company that has been known for data mishandling.
Consumer doubts regarding data mishandling should be your top concern. We believe that you want to preserve the customer base you worked hard to build.
Today’s consumers want complete transparency of their data usage in order to start trusting a company. In that way, you can share the responsibility for any data problem that might arise.
GDPR requirements are there to protect the EU residents’ data privacy rights and educate on data usage. In some way, they are good for everyone as they protect the consumers but your business, too. So, to what kind of information does the GDPR apply to?
The personal details that fall under the GDPR requirements include:
- Web data: location, IP address, cookie data, and RFID tags
- Identity information: name, address and ID numbers
- Political stances
- Racial and ethnic data
- Health and genetic data
- Biometric data
- Sexual orientation
B. Who Is Subject To The GDPR Requirements?
If you have a company that has EU citizens as clients or customers then you should take GDPR compliance seriously. GDPR requirements apply to any private body that processes personal data within the European Union.
It doesn’t matter if you didn’t register your business in some EU country, the only thing that matters is who your customers are. Even if you are taking the data out of its territory, the EU wants you to comply with its data privacy law.
The specific criteria for companies that should establish GDPR compliance are:
- A business headquartered in an EU country.
- No presence in the EU, but collects personal data from EU residents.
- Has more than 250 employees.
- A company with fewer than 250 employees whose data-processing has an impact on the rights and freedoms of the EU data subjects.
- The data processing is not occasional or it relates to certain types of sensitive personal data.
That certainly means almost all the companies that operate globally. And many companies are good compliance examples. The PwC survey showed that 54% of them consider GDPR requirements as a top data privacy and protection priority. Are you one of them?
C. The 16 Key GDPR Requirements For Your Company
1. Make data collection transparent
The first rule is to use forms and tech tools that will enable complete data collection transparency for your customers. From the beginning until the end of cooperation both sides should be included in the data processing.
In other words, you shouldn’t take the law in your own hands. What you should do is to eliminate any personal data secrets and build strong relationships with your buyers. They will certainly last longer!
2. Data processing should be lawful and fair
The data processing on your side should also respect the principles of lawfulness and fairness. The processing is lawful if its foundation is a legitimate and explicit purpose, such as scientific research or numerous statistical analyses, including those for marketing needs. Any further processing that is incompatible with these purposes is considered unlawful.
The same applies to storing the data. If there is no longer a legitimate purpose for data collection, the data should be kept in a form that makes the identification of the data subjects impossible. Only company archiving is acceptable in this case.
On the other hand, fairness implies that a company will take full responsibility for the data processing and will stick only to the legitimate purpose within its company and not some other purposes that it finds beneficial later.
3. Keep your customers informed
One of the most important GDPR requirements is that you need to inform your customer when you start collecting their private data. To do it successfully, you are expected to use concise forms and plain language that every single person can understand, regardless of their background.
This might sound familiar and basic to you, but it is important to mention. However, GDPR made this clause more specific by adding one more must-inform requirement, the next one.
4. Notify on data non-collection
GDPR requires you to inform your customers even if you are not collecting data directly from them. You can send a similar message to that used for explicit collection, just make sure that the consumer has received the necessary explanation.
In case you are not collecting their data, you still need to inform them about it! It seems like informing them on everything regarding the processing of their data should be on the top of your task board.
5. Ask for consent
This is a place where you can get in trouble. When informing on data collection, you are required to ask the data subject for their GDPR consent. If they give you a green light, then you are free to proceed with collection and processing. However, make sure that you have clearly and concisely communicated what and why their data is being collected.
The second crucial thing is to make it extremely easy for the consumer to understand this. It should take no more than a 1-minute reading and a 1-second click. And it should be as easy to withdraw the consent as it was to give it.
6. How to process special categories of personal data
In occasions where it is necessary to process special categories of data such as political opinions, ethnic or racial origin, sexual orientation, and genetic data that can help identify a particular person, specific regulations apply.
This GDPR requirement obliges you to:
- Always ask for consent to collect a consumers data and explain the purpose for processing
- Prove if you are using it to protect the public interest, such as in the public health area where you can face numerous cross-border threats
- Use it only for archiving purposes tied to the public interest, such as historic and statistical research
By following these guidelines, you can avoid potential problems.
7. Allow access to collected data
The latest GDPR requirements give consumers the right to access all data you have collected about them. When they submit a subject access request, you have a month to provide a complete copy of any personal data you have collected on the customer.
The copy needs to include information on the source of personal data, reasons for data collection, and the time frame during which the data will be stored.
However, GDPR protects you as well! There are always those people whose requests are repetitive, excessive, and manifestly unfounded. In those cases, you are not obliged to produce this information.
8. Enable rectification of data
Some data you hold on your customers may be inaccurate or incomplete, therefore there should be an option to rectify it. That is why the European Commission added a consumer right to rectify the provided information. It is a win-win solution as it is good for companies and for their customers, too.
As with the right to access the data, the same exceptions apply here. And again, you have a month to execute this kind of request.
9. Approve erasure requests
There is another name for this right, which is “ The right to be forgotten.” As its name says, a consumer can ask organizations to completely delete their data in certain circumstances.
Those circumstances are:
- The collected data is no longer relevant to the original purpose
- In the cases when data was unlawfully or not transparently processed
- When the information no longer meets the lawful bases for which it was collected
These instances allow a consumer to withdraw their consent. The thing you should do first is to never give them a reason to submit this kind of request. Although, if a situation like this occurs, just process it in the right way.
There is more good news for you! In cases when you need their data to use your right to freedom of expression, you can skip solving these kinds of tasks.
10. Check restriction requests
From our standpoint, this GDPR requirement seems like a good compromise between companies and consumers. Now your customers can request a limitation of the data usage, which is a fair alternative to requesting the erasure of all their data. Something is better than nothing, right?
The claim for restriction can have a valid foundation such as the collected data appears inaccurate. But be careful, it can happen in a moment when you need it to support a legal claim, too.
11. GDPR right to data portability
While GDPR forbids you to share the individual data, it allows consumers to share it with other companies. When they decide to switch to another company or simply to share the data in one more place, you are expected to provide them with a document that includes all the data you have collected on them.
The format of the document should be easy to download as well as to send it to third parties. Unfortunately, sometimes you will deal with these types of requests. However, always try to give them a reason to stay!
12. Automated decision making
There is a GDPR requirement for decisions made without human involvement, too. This relates to calculated assumptions about a certain person such as the case with profiling. Automated decision making is a very strict provision.
You can collect such data only if it is allowed with a specific contract between you and the individual. The next case when automated data calculations are allowed is when you have consent for it.
Here, also, consumers have certain rights. If they only believe that these provisions aren’t being followed, they can challenge and request to review the potential unlawful processing of their data.
13. Consumer right to object
Your customers are encouraged to object to the data processing at any time they find it suitable. Even though the data may be collected on the grounds that support legitimate interests or they are necessary for the exercise of official authority, customers will still be able to object to it.
After consumers submit such a request, you will have a bit of time to prove them wrong. The other thing left, is to demonstrate to the authorities that in order to finalize the defense of a legal claim, it is necessary to use the specific personal data. Sometimes there is no other way to win a legal battle.
14. Usage of additional personal information
If there is no longer a need to identify your customer, meaning the purpose of the data collection has changed, you will no longer be required to collect the additional information just to comply with the GDPR requirements.
When you both reach this level of cooperation, you are expected to inform your customer that their identification is no longer a priority. However, they can always decide to let you collect that additional info if they want to.
15. Anonymization vs. pseudonymization
At first glance, these two might seem identical. They both deal with the de-identified data, however, by using different techniques. And while one of them falls under the GDPR requirements and can cost you money, the other is safe to use. Here we unveil that tricky question regarding GDPR and encrypted data.
The key distinction lies in the possibility of the data to be re-identified. During the process of anonymization, the data is rendered in a way that it remains unidentifiable forever. On the other hand, with pseudonymization, by using additional information the data can be recovered. Due to the potential recovery of the data, if you use data pseudonymization, you will need to be sure you are in compliance of other GDPR requirements.
16. Hiring a Data Protection Officer
The EU’s data privacy law has also a few words regarding a person who will be responsible for the company's GDPR compliance. That person has a role named Data Protection Officer (DPO). They can be the company’s employee or an outsourced professional.
The only things required are that they need to possess the highest level of expertise in data protection and privacy and that they are not in a conflict of interest due to their loyalty to the company.
It can be someone from your IT or HR department or even a Senior Manager. However, make sure that they fulfil the above mentioned criteria.
It is irrelevant how many employees you have, if you process individual sensitive data you are obliged to comply with this GDPR requirement. However, this rule is a bit more loose compared to the other ones.
Member states have more power to decide whether they want to make it more strict like Germany did, or more voluntary like France. If there is no legal obligation, companies are invited to establish the DPO supervisor to help with the compliance. Anyhow, in this case you have more choices.
D. How Helpy Can Help You?
Helpy is a new generation private cloud customer support platform that takes consumer privacy rights and data security seriously. Helpy includes tools for managing GDPR, CCPA and other customer removal requests, either by deletion or permanently anonymizing data.
Helpy includes all of the tools you normally use to support customers- ticketing, knowledge base and live chat, and gives you complete control over 3rd party data sharing, retention and backup and the physical location storing the data.
To get a free demo, please contact us.