When the General Data Protection Regulation (GDPR) came into force three years ago, many companies, including big names such as Google and British Airways, were found to be in breach of the new European Union (EU) law.
The need for the GDPR is undeniable; it helps both individuals and organizations protect personal data. But complying with the GDPR, which spans 11 chapters containing 99 articles, can be difficult for tech businesses (both inside and outside the EU) to work out on their own.
So, how do you know if you are GDPR compliant? This article will provide a basic answer to that question. Additional relevant information can be found using the links in this post.
Who Needs To Adhere To The GDPR?
In the event that you are found to be noncompliant with GDPR, claiming ignorance is not enough to get you out of trouble. Nor is compliance simply a matter of checking off some boxes.
Cultural and behavioral changes within your organization may also need to be put into effect in order to fully protect the rights of your customers.
If your company collects, processes, or shares the personal data of individuals in the EU (whether or not they are EU citizens), for example because it offers them goods or services or monitors their behaviour, it must abide by GDPR rules, even if your company itself has no presence there.
So, don't wait to be penalized. Do your due diligence: work through the following criteria and confirm whether your company meets each one.
Just in case you’re wondering: “what happens if I break GDPR law?”, follow the link to find out.
GDPR Compliance Guidelines
First and foremost, you must have a lawful basis for using or storing your EU customers' personal data. Consent is the most familiar basis, but it is only one of six the GDPR recognizes (others include performance of a contract and legitimate interests); when you rely on consent it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Whatever the basis, customers must be told why you are collecting or storing their data. People want to know what you will be doing with their information.
You must also be able to produce a copy of the personal data you hold on any individual, because anyone who asks to access their own records has a right to that access (normally within one month of the request). Even if they never ask, at the point of collection they must be told who is collecting the data, what it will be used for, who it will be shared with, and how long it will be kept.
Data protection must be built in at every step, in every product and process your company is involved with, from initial design through to retirement (the GDPR calls this data protection by design and by default).
Suppose your company's core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive (special-category) data. In that case, you must also ensure that your data controllers and data processors have designated a data protection officer (DPO).
Have you detected a personal data breach? Then you must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put the people affected at risk. Where the risk to those people is high, they must be told as well, without undue delay.
Separately, when a customer asks you to erase their personal data (the "right to be forgotten"), your data controller must remove it from the company database without undue delay. If you have shared that data with a third party, you must inform them of the erasure so that they stop using it too.
If your customers want to transfer their data from your controller to another of their choosing, you have to allow it, and you must hand the data over in a structured, commonly used and machine-readable format.
You must audit the data you store in your company's database. Everyone involved must know whose data you are holding and where it came from: did it come directly from the customer or from a third party?
If it came from a third party, that party must confirm in writing that it is permitted to hold and share that information.
All personal data available to you must be stored and catalogued in an organized and accessible manner. This includes names, bank details, IP addresses, phone numbers, etc. Discard any data that you don't directly need in order to operate; the GDPR calls this data minimization.
If you're concerned about GDPR compliance, you're not alone. Many companies unknowingly skip some of the most essential steps in GDPR compliance and later receive a rude shock when they are faced with unhappy customers.
But the experts and professionals at Ketch are here to help. If you're unsure whether you've covered all the bases for GDPR compliance, contact us, and we'll help you figure it out. We are experts on GDPR, as well as privacy compliance tools.