GDPR compliance can be difficult to achieve when you don’t know where to start. But don’t worry, we’ve got you covered. Keep on reading and discover how to be GDPR-compliant, step by step.
There are a few steps that will help you determine how to be GDPR compliant. Answering these questions below will help you determine whether GDPR applies to you and what you should do to comply.
Let’s start!
Step 1: Does GDPR apply to you?
The first thing you need to assess is whether GDPR applies to you.
GDPR usually applies to organizations, companies, individuals, corporations, public authorities, and other entities that:
are based in the EU;
offer goods or services (even for free) to people in the EU;
monitor the behavior of people in the EU, either directly or as a third party.
So GDPR can apply outside European borders, too: it’s called extraterritorial scope.
Step 2: Do you process personal data?
The second step to compliance is to determine whether you actually process personal data.
Most likely, you do, because the GDPR defines personal data as any data related to an identified or identifiable living person. This includes information that can lead to identifying a person, and even data that has been pseudonymized or encrypted, as long as the pseudonymization or encryption is reversible.
📌 If you do process personal data, here’s what you need to do
You need a valid legal basis for the processing: your activity is unlawful without it. The GDPR has six legal bases; you can check them here.
You should inform your users that you are collecting their data. To do so, you need a privacy policy. It’s a legal document that contains all information about your data processing activity: what data you’re collecting, how you’re using it, who has access to it, and how you’re keeping it safe. Please note that your privacy policy should be written in plain language and be accessible throughout your website or app. Check our website privacy policy sample to get a better idea.
Step 3: Is consent your legal basis?
If so, then there are a few extra steps to take to be GDPR-compliant.
Make sure the consent you obtain from users is verifiable.
Consent must always be “explicit and freely given.” This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms). Moreover, you must also give your users the possibility to withdraw their consent.
Keep clear records of consent. You should be able to demonstrate when consent was provided, by whom, which preferences were expressed, and which privacy notice and which consent form the user was shown at the time.
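As an added illustration of the record-keeping described above (example code, not iubenda’s or any project’s own), the sketch below keeps a consent ledger that stores exactly the evidence listed: who consented, when, for which purposes, and which notice and form were shown. It refuses an entry that was not an explicit opt-in (a pre-ticked box is not consent), supports withdrawal, and can answer whether valid consent existed for a purpose at a given moment. The field names, the `subject_id` scheme and the sample values are assumptions for the example.

```python
"""Consent ledger: an added example, not iubenda's code.

Stores the evidence Step 3 asks for (who, when, which preferences, which
notice and form) and only accepts an explicit opt-in action.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str                 # pseudonymous user id (hypothetical scheme)
    purposes: FrozenSet[str]        # preferences expressed, e.g. {"newsletter"}
    notice_version: str             # privacy notice shown at the time
    form_id: str                    # consent form shown at the time
    given_at: datetime              # when consent was provided (UTC)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_opt_in(self, subject_id: str, purposes, notice_version: str,
                      form_id: str, ticked_by_user: bool,
                      when: Optional[datetime] = None) -> ConsentRecord:
        # Consent must come from a clear opt-in: a default-ticked box is rejected.
        if not ticked_by_user:
            raise ValueError("consent requires an explicit opt-in action")
        if not purposes:
            raise ValueError("consent must name at least one purpose")
        rec = ConsentRecord(subject_id, frozenset(purposes), notice_version,
                            form_id, when or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, when: Optional[datetime] = None) -> int:
        """Mark every active consent of the subject as withdrawn; return how many."""
        when = when or datetime.now(timezone.utc)
        count = 0
        for i, rec in enumerate(self._records):
            if rec.subject_id == subject_id and rec.withdrawn_at is None:
                self._records[i] = replace(rec, withdrawn_at=when)
                count += 1
        return count

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Can we demonstrate valid consent for `purpose` at time `at`?"""
        at = at or datetime.now(timezone.utc)
        for rec in self._records:
            if rec.subject_id != subject_id or purpose not in rec.purposes:
                continue
            active = rec.withdrawn_at is None or at < rec.withdrawn_at
            if rec.given_at <= at and active:
                return True
        return False

    def evidence(self, subject_id: str) -> List[ConsentRecord]:
        """Everything we could show a supervisory authority for this subject."""
        return [rec for rec in self._records if rec.subject_id == subject_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger.record_opt_in("u1", {"newsletter"}, "pp-v3", "signup-form-2", True, when=t0)
    print(ledger.has_consent("u1", "newsletter"))   # True until withdrawn
    print(ledger.evidence("u1"))
```

Withdrawal does not delete the record: the ledger must still show that consent was valid while the processing took place, which is why `has_consent` takes a point in time.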
Step 4: Do you keep the data safe?
Now, it’s your responsibility to keep the data you’ve collected safe from loss, theft, and cyberattacks.
The GDPR states that you must implement “appropriate technical and organizational measures” to secure the data collected. For example, you should encrypt, pseudonymize and anonymize the data whenever possible.
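As an added example of the pseudonymization mentioned above (not iubenda’s code), the block below replaces an email address with a keyed HMAC-SHA256 pseudonym. The key is the “additional information” that must be kept separately from the data set (a secrets manager is assumed, not shown); with it, records can still be joined, and without it the pseudonym cannot be turned back into the address. The block also includes a self-check showing why an unkeyed hash of an email is not effective pseudonymization: it can be recomputed from a list of candidate addresses. The sample records are constructed, and the function names are assumptions for the example.

```python
"""Pseudonymization with a keyed hash: an added example, not iubenda's code.

Assumes the HMAC key lives apart from the data (e.g. in a secrets manager).
"""
import hashlib
import hmac
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records, not real users.
RECORDS = [
    {"email": "alice@example.com", "country": "FR", "spend_eur": 120},
    {"email": "bob@example.com", "country": "DE", "spend_eur": 80},
]


def _normalize(identifier: str) -> bytes:
    # Normalize so the same person always gets the same pseudonym.
    return identifier.strip().lower().encode("utf-8")


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed, one-way pseudonym: same key and input give the same value."""
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """What NOT to rely on: anyone can recompute this from a candidate list."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def pseudonymize_records(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a pseudonym; keep the other fields."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject"] = pseudonymize(copy.pop("email"), key)
        out.append(copy)
    return out


def recomputable_from_candidates(value: str, candidates: Iterable[str],
                                 fn: Callable[[str], str]) -> Optional[str]:
    """Self-check: can `value` be reproduced from known addresses without the key?"""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), value):
            return cand
    return None


def anonymize_records(records: Iterable[Dict]) -> List[Dict]:
    """Drop the subject link and coarsen spend into buckets (no longer personal data
    only if no other field can single a person out; that is a judgement call)."""
    out = []
    for rec in records:
        out.append({"country": rec["country"],
                    "spend_bucket": "100+" if rec["spend_eur"] >= 100 else "<100"})
    return out


if __name__ == "__main__":
    key = b"\x01" * 32  # placeholder; use a randomly generated, separately stored key
    print(pseudonymize_records(RECORDS, key))
    print(anonymize_records(RECORDS))
```

The self-check is the kind of test worth keeping in a pipeline: if a pseudonym can be reproduced from a list of plausible addresses without the key, the data set should still be treated as identifiable personal data.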
Another key point is to train your staff. A team that is unaware of basic data protection measures could inadvertently share confidential information or give access to the data to the wrong person.
Carry out a Data Protection Impact Assessment (DPIA): a DPIA is a process used to help organizations comply effectively with the GDPR and minimize data protection risks. A DPIA isn’t always mandatory, but it’s safe to carry out one when you don’t know how risky your processing activity could be for users.
Have a process in place for data breaches. A data breach could happen anytime. Therefore, you must have a process in place to notify the Supervisory Authority and the affected users.
Step 5: Who is responsible for GDPR compliance within your organization?
Someone within your organization should be responsible for GDPR compliance.
If you are based in the EU, you may need to appoint a Data Protection Officer (DPO). A DPO is a person with knowledge of data protection law, whose role includes monitoring internal compliance with GDPR and overseeing data protection strategy and implementation. However, appointing a DPO isn’t always mandatory: you can check the specific cases here.
If you are based outside the EU, you must appoint an EU representative, a person who can handle Data Protection Authorities’ requests on your behalf. Moreover, you may also need to appoint a DPO, as explained above.
Step 6: Can you fulfill your users’ requests?
Under the GDPR, users have specific rights, and you must be able to fulfill any request deriving from them. More specifically, it should be easy for your users to:
As you see, being GDPR compliant requires a series of careful evaluations. A careless approach could expose you to massive fines and official reprimands.
That’s why it’s always wise to seek professional advice or rely on quality software, like iubenda!
How iubenda can help
iubenda provides a full set of solutions to help you comply with GDPR, taking the guesswork out of compliance.