What is GDPR Compliance?

The General Data Protection Regulation (GDPR) is a recent European Union privacy protection law that went into effect on May 25th, 2018. It is considered by some to be the most important regulatory change in data privacy of the last two decades, replacing the outdated Data Protection Directive of 1980. Both laws rest on the same principles: protect personal data and the fundamental human right to privacy for all citizens of the EU.

The updated principles of the GDPR have been endorsed by both the US and the EU as they relate to processing, using or exchanging data. They include the following principles and guidelines:

Purpose Limitation

Personal data should be collected and processed only for the specified purpose. This relates closely to the first principle of lawfulness, fairness, and transparency.

Purpose Limitation Summary

  • A specified reason is needed for personal data collection. Furthermore, the legitimate reasons for the collection must be communicated to the data subject.
  • Once collected, that personal data can only be used for reasons specified in the terms of service
  • Exceptions can be made if further processing fits the following criteria:
    • Scientific or Historical Research
    • Statistical Reasons
    • Archiving / Public Interest

Approaching the Purpose Limitation Principle

  • Evaluate the current purposes/individuals with access to the data and how they are using it
  • After the evaluation, flag any data collection processes with purposes that do not comply with GDPR
  • Develop a plan to adapt or remove any current data collection processes that do not comply with GDPR

It’s important to understand where the data is located, who has access to it, and whether or not it should be investigated for GDPR violations. By asking the right questions of the teams using the data, you should gain an understanding of the purpose and the specific reasoning behind their data collection request. Technical challenges such as GDPR are also an opportunity to adapt processes and meet compliance goals.

Preparation

  • Restrict users from accessing data they don’t need
  • Record and document all valid purposes for data collection, to be shared with the relevant teams and included in supporting GDPR documentation

Integrity & Confidentiality

  • Personal data must be secure
  • Apply security controls such as encryption and data masking to remove sensitive elements

Creating an inventory of your personal data collection policies can save time and effort when GDPR compliance questions arise. The first step is to define exactly what type of data is considered personal data before you can begin the investigation. It is also important to know exactly where the organization is storing the data, whether or not it is backed up, how often, who has access, etc.

All organizations need to document and disclose the purposes for processing personal data. This is typically communicated through the Privacy Policy page of the organization or through their Terms of Service when signing up for a new account. All corporations must provide this documentation to individuals and it must clearly state the types of intended use for any personal data being collected.

Storage Limitation

  • Time Limit: The right to be forgotten once the initial purpose of the data has been served is the core principle of the GDPR. This means defining how long data may be kept before it is removed or encrypted. The only exceptions are scientific or historical research, statistical purposes, or public interest.
  • Quarterly Policy Reviews: The Privacy Officer should be aware of what data is being collected, for what purpose, and for how long. If during the review process the Officer cannot reasonably justify the collection of data, it should be placed under review and removed until the concerns are resolved.
  • Encryption & Pseudonymization: If storage is to exceed the limitation set out by this principle, the data should be safeguarded using encryption, anonymization or pseudonymization.

Data retention policies can provide a brief overview of data subjects’ rights under the GDPR, including the technical and organizational data protection measures a company has in use. Even when data is taken offline there must be clear processes for access in order to comply with data subject rights requests. Data masking is suggested as a method of securing any long-term retention process, with anonymization being the most aggressive technique: it renders the data impossible to read in its original state. The storage limitation principle is designed to minimize data collection while maintaining the greatest degree of security to protect the privacy of those from whom the data was collected.
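The following is an added worked example, not code from the original article, showing how the storage limitation bullets above (time limit, review of unjustified purposes, pseudonymization) and the earlier Integrity & Confidentiality measures (encryption-style keyed protection and masking) can be expressed as concrete checks. The retention schedule, purpose names, key and sample records are constructed for the illustration; the functions `retention_status`, `apply_storage_limitation`, `Pseudonymizer`, `mask_email`, `mask_ip` and `anonymize` are hypothetical names chosen here, not part of any standard or library.

```python
"""Storage-limitation routing with pseudonymization and masking.

Added illustration; the retention periods, purposes, key and records are
constructed for the example and are not values from the article.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed retention schedule in days per documented purpose. In practice
# these values come from the organization's written retention policy.
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "newsletter": 730,
}

# Constructed "today" used by the example run below.
TODAY = date(2024, 9, 1)


@dataclass(frozen=True)
class Record:
    subject_id: str
    email: str
    ip: str
    purpose: str
    collected_on: date


def retention_status(rec: Record, today: date) -> str:
    """Return 'unknown_purpose', 'expired' or 'within_limit'.

    A purpose missing from the documented schedule cannot be justified, so
    the record is flagged for review as the quarterly-review step requires.
    """
    limit = RETENTION_DAYS.get(rec.purpose)
    if limit is None:
        return "unknown_purpose"
    if today > rec.collected_on + timedelta(days=limit):
        return "expired"
    return "within_limit"


class Pseudonymizer:
    """Keyed pseudonymization: the identifier is replaced by an HMAC tag.

    The key and the tag-to-identifier table are the additional information
    that must be stored separately from the pseudonymized data set; a party
    holding only the data set cannot re-identify the subject.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._lookup: Dict[str, str] = {}

    def pseudonymize(self, subject_id: str) -> str:
        tag = hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = subject_id
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        return self._lookup.get(tag)


def mask_email(email: str) -> str:
    """Irreversible masking: keep the first character and the domain only."""
    local, _, domain = email.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


def mask_ip(ip: str) -> str:
    """Truncate an IPv4 address to its /24 so it no longer singles out a host."""
    parts = ip.split(".")
    if len(parts) != 4:
        return "0.0.0.0"
    return ".".join(parts[:3] + ["0"])


def anonymize(rec: Record) -> Record:
    """Drop the direct identifier and mask the quasi-identifiers.

    No lookup table is kept, so the original cannot be recovered from the result.
    """
    return replace(rec, subject_id="", email=mask_email(rec.email), ip=mask_ip(rec.ip))


def apply_storage_limitation(
    records: List[Record], today: date, pseudo: Pseudonymizer
) -> Tuple[List[Record], List[Record], List[Record]]:
    """Route each record by retention status: within limit -> keep a
    pseudonymized copy; expired -> keep an anonymized copy only;
    unknown purpose -> quarantine for the Privacy Officer's review."""
    kept, archived, review = [], [], []
    for rec in records:
        status = retention_status(rec, today)
        if status == "within_limit":
            kept.append(replace(rec, subject_id=pseudo.pseudonymize(rec.subject_id)))
        elif status == "expired":
            archived.append(anonymize(rec))
        else:
            review.append(rec)
    return kept, archived, review


# Constructed sample data set (documentation-reserved addresses).
SAMPLE = [
    Record("u-1001", "alice@example.org", "203.0.113.42", "order_fulfilment", date(2024, 3, 1)),
    Record("u-1002", "bob@example.org", "198.51.100.7", "newsletter", date(2022, 1, 15)),
    Record("u-1003", "carol@example.org", "192.0.2.9", "marketing_profiling", date(2024, 6, 1)),
]

if __name__ == "__main__":
    # The key would normally live in a KMS/HSM, separate from the data set.
    p = Pseudonymizer(key=b"example-key-constructed-for-demo")
    kept, archived, review = apply_storage_limitation(SAMPLE, TODAY, p)
    for name, bucket in (("kept", kept), ("archived", archived), ("review", review)):
        print(name, [r.subject_id or r.email for r in bucket])
```

The split between `Pseudonymizer` and `anonymize` is the practical difference the article draws: pseudonymized data can still be linked back by whoever holds the separately stored key and lookup table, and so remains personal data, whereas the masked copy of an expired record keeps only coarse values that cannot be tied back to a subject.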

If there are users visiting a website from the EU, they are protected by the GDPR. That means that all websites must consider the implications of the analytics data collection they participate in if they want to meet compliance.

Lawfulness, Fairness, and Transparency

The lawfulness principle ensures that personal data processing activities are communicated to data subjects in an open and honest manner. Building an eCommerce website without user accessibility or GDPR compliance in mind can be an expensive mistake; in Ontario this includes AODA policies, and elsewhere the website should still account for auditory, vision, mobility, cognitive and neurological impairments to meet accessibility guidelines within the scope of the eCommerce web design. Lawful processing of user data requires an appropriate basis for processing, which can include:

  • Consent of the Data Subject
  • A Contract
  • Legal Obligation to Controller
  • Legitimate Interests of Controller or a Third Party
  • Task Carried Out in Public Interest / Exercise of Public Authority

The fairness principle is designed to ensure that GDPR compliance includes appropriate and fair processing. Data subjects must consent to and be informed of the processing of their personal data in an intelligible manner that is not misleading. Communication on the website should always account for auditory, vision, mobility, cognitive and neurological impairments to meet accessibility guidelines. The processing of personal data cannot be concealed or communicated selectively in order to manipulate the data subject into consenting.

The transparency principle is designed to ensure that the processing of personal data is communicated clearly and intelligibly. The information concerning the processing of personal data must be easily accessible and presented in clear and simple language. If the controller is processing the personal data of children this is especially important. Data subjects must be informed of:

  • what rights they have
  • how their personal data will be processed
  • what purposes that data is being collected and processed for
  • what personal data related to them is being collected

Data Quality & Accuracy


Accountability

In order to establish a standard of Internet privacy, personal data must be processed responsibly and in a way that demonstrates compliance with EU and member state data protection laws. The policies of the GDPR are essentially applied globally to any website that captures and stores information obtained from EU site visitors. Big brands and corporations are accountable for meeting GDPR standards whether they are hosted in the United States, Mexico, Australia or Hawaii. Anywhere an EU visitor can reach, the GDPR applies regardless of the location of the company that operates the website.
