GDPR is a legal act which regulates personal data protection and, in essence, grants people a set of rights. These rights allow them to limit, stop or modify the processing of their personal data by data controllers and data processors. What does that mean in practice, though, and how do you become GDPR compliant?
GDPR states that any data which allows a natural person to be identified, either directly or indirectly, is personal data. Examples include a name and surname, an e-mail address, a phone number and an IP address. Nowadays a great deal is considered personal data, including so-called "metadata" and some "cookies". Thus, you need to carefully analyze which of the information you collect falls under this definition.
Do I “process” personal data?
Processing data is, pretty much, everything you can do with it: managing, storing, collecting, modifying and deleting. But are you a data controller or a data processor? Data controllers decide what data is collected, what it is used for and by what means. They have the main interest in processing the data. However, they sometimes ask other entities to carry out some processing activities for them. For example, you may use a hosting provider to store your databases or an external IT support company to manage your servers. Such external companies, which perform certain tasks with access to or responsibility for personal data, are data processors.
When should I worry about GDPR compliance?
Basically, GDPR applies if the processing is done for business purposes, at least partly by automated means (for example, the data is stored on a computer), and:
1. the data controller or data processor is established within the EU; OR
2. the processing concerns data subjects who are in the EU, in the context of offering them goods or services (even for free) or monitoring their behavior (if that behavior takes place in the EU).
So if you are a data controller or a data processor and GDPR applies based on the above, you must take the necessary steps.
How to become GDPR compliant?
It seems you may need to be GDPR compliant even if you are not from the EU. The first step is to ensure that you have a legal basis to process the data. Most data controllers other than public authorities base their processing on the consent of the person whose data is being processed (the data subject), the performance of a contract with the data subject, and/or their legitimate interest. Whenever a data processor is involved, a data processing agreement (DPA) must be signed. GDPR specifies what must be included in a DPA.
Once the correct legal basis for processing is identified, you need to check whether you provide the data subject with information on the scope of the processing and some other details about yourself. This is one of the key obligations you have, because GDPR is all about transparency: the idea is to make sure that people understand who processes their personal data, how it is processed, and what their rights are.
The above might have sounded a little overwhelming; however, to be honest, this is just the beginning. GDPR sets a number of rules on how much data you can collect and what you can do with it. Moreover, there are public authorities in each EU country that can enforce GDPR. They can not only require you to stop processing activities that are not GDPR compliant, but also require you to produce proper documentation or to pay huge fines.
It is also a fact that GDPR can be used as an opportunity to improve the quality of the data you are processing and the level of security within your company. Call it a pain or an opportunity, but in any case, make sure you are compliant 😉