The first thing you need to assess is whether GDPR applies to you.
GDPR usually applies to organizations, companies, individuals, corporations, public authorities, and other entities that:
are based in the EU;
offer goods or services (even for free) to people in the EU;
monitor the behavior of people in the EU, either directly or as a third party.
So GDPR can apply outside European borders, too: it’s called extraterritorial scope.
Do you process personal data?
The second step to compliance is to determine whether you actually process personal data.
Most likely, you do, because the GDPR defines personal data as any data relating to an identified or identifiable living person. This includes information that can lead to identifying a person, and even data that has been pseudonymized or encrypted, if the encryption or pseudonymization is reversible.
If you do process personal data, here’s what you need to do
You need a valid legal basis for the processing: your activity is unlawful without it. The GDPR has six legal bases; you can check them here.*
*Is consent your legal basis?
If so, then there are a few extra steps to take to be GDPR-compliant.
Make sure the consent you obtain from users is verifiable.
Consent must always be “explicit and freely given.” This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms). Moreover, you must also give your users the possibility to withdraw their consent.
Keep clear records of consent. You should be able to demonstrate when consent was provided, by whom, which preferences were expressed, and which legal or privacy notice and which consent form they were presented with at the time.
Do you keep the data safe?
Now, it’s your responsibility to keep the data you’ve collected safe from loss, theft, or cyberattacks.
The GDPR states that you must implement “appropriate technical and organizational measures” to secure the data collected. For example, you should encrypt, pseudonymize and anonymize the data whenever possible.
Another key point is to train your staff. A team that is unaware of basic data protection measures could inadvertently share confidential information or give access to the data to the wrong person.
Carry out a Data Protection Impact Assessment (DPIA): a DPIA is a process used to help organizations comply effectively with the GDPR and minimize data protection risks. A DPIA isn’t always mandatory, but it’s safe to carry out one when you don’t know how risky your processing activity could be for users.
Have a process in place for data breaches. A data breach could happen anytime. Therefore, you must have a process in place to notify the Supervisory Authority and the affected users.
Who is responsible for GDPR compliance within your organization?
Someone within your organization should be responsible for GDPR compliance.
If you are based in the EU, you may need to appoint a Data Protection Officer (DPO). A DPO is a person with knowledge of data protection law, whose role includes monitoring internal compliance with GDPR and overseeing data protection strategy and implementation. However, appointing a DPO isn’t always mandatory: you can check the specific cases here.
If you are based outside the EU, you must appoint an EU representative, a person who can handle Data Protection Authorities’ requests on your behalf. Moreover, you may also need to appoint a DPO, as explained above.
Can you fulfil your users’ requests?
Under the GDPR, users have specific rights, and you must be able to fulfil any request deriving from them. More specifically, it should be easy for your users to: