A 17-Step GDPR Compliance Checklist to Keep Personal Data Secure

In 2015, the European Union passed the General Data Protection Regulation (GDPR), reshaping how organizations around the world can collect and process personal data. The goal of GDPR is clear: help consumers understand and control what kind of data companies collect, who it’s shared with, and what it’s used for.

The how of GDPR compliance is a little murkier. The law requires organizations to take steps to safeguard personal data and keep users informed of their data privacy rights but doesn’t specify what all of those safeguards should be. While this flexibility is meant to allow organizations to tailor their approach to their unique systems, processes, and customers, it can make it difficult for companies to ensure they’re complying with the law.

To help clarify what’s required to comply with GDPR, we’ve created an interactive checklist you can use to verify you’ve put the proper safeguards in place.

Who needs to comply with the GDPR?

The first question to ask is: do GDPR regulations apply to your organization?

GDPR is a data privacy law that gives EU citizens and residents greater insights into and control over the personal data organizations collect and how it’s processed.

While the GDPR is EU legislation, it has far-reaching implications. GDPR applies to any organization that collects and processes personal data from EU citizens or residents — even companies outside of the EU. Any organization with a global presence should strive to be GDPR compliant.

An overview of GDPR requirements

The actual GDPR document is fairly lengthy — 88 pages of legal text that includes 99 articles and 173 recitals. If you’re interested in diving deeper into what’s necessary to become GDPR compliant, check out our article that explains GDPR requirements in detail. Here, we’ll summarize the essentials before jumping into the compliance checklist.

1. Establish a legal basis for data processing

Whether your organization is a data processor or a data controller, it must have a valid legal basis for collecting and processing personal data. Under GDPR, these legal bases include:

Organizations are required to document their lawful basis and notify data subjects.

2. Obtain explicit consent from data subjects

Organizations that use a data subject’s consent as their legal basis must be able to prove that they obtained that consent fairly. Data subjects have to be fully informed about how you process their data, and they have to freely and unambiguously agree to the processing of their personal data.

In other words, you are required to explain to data subjects how you process their data and their data privacy rights under GDPR in clear, simple terms. Many organizations do this through a privacy notice that’s publicly posted on their website.

You can’t coerce or trick users into giving consent, and you can’t leave out details that would keep them from exercising their rights under GDPR, such as their right to opt out of data processing or to request that their personal data be erased.

3. Respect data subject rights

Data subjects have certain rights under the GDPR that organizations are required to uphold. These include:

4. Implement technical and organizational safeguards

Organizations must establish “appropriate technical and organizational measures” to ensure any customer data that’s processed is properly secured.

The GDPR doesn’t specify an exact list of security measures, allowing organizations some flexibility in building an information security posture that suits their unique needs. Examples of data security controls are multi-factor authentication, data encryption, firewalls, user access controls, and security awareness training.

5. Send breach notifications

In the event of a data breach, GDPR requires organizations to notify affected data subjects within 72 hours (or have adequate justification for a delay).

Breach notifications must explain how many people and data records were affected, the likely consequences, and what the data controller has done to mitigate the effects of the breach. Notifications also need to include the name and contact information of the organization’s data protection officer.

6. Appoint a data protection officer (if applicable)

Data protection officers (DPOs) oversee the organization’s overall data protection strategy. They’re responsible for ensuring employees are trained on GDPR requirements, completing regular compliance audits, and maintaining documentation to prove compliance.

Data protection officers also act as the main point of contact for both supervisory authorities and data subjects. If a data subject requests their personal data be erased, the data protection officer is required to respond to that request within one calendar month.

7. Design with privacy in mind

Organizations must take data privacy and protection into consideration when designing any new products or services. At every stage of development, companies need to limit personal data collection to what’s absolutely necessary to deliver the product or service, and detail the specific steps they’ll take to keep that data safe.

8. Conduct a data protection impact assessment

Whenever a data subject consents to data collection or processing, they are taking on a certain level of risk. Their data might be stolen or leaked in a personal data breach and used for fraudulent purposes. A Data Protection Impact Assessment (DPIA) explains how your organization identifies and minimizes those risks.

9. Restrict personal data transfers

GDPR includes strict conditions for transferring personal data outside of the EU. When data transfers are allowed, GDPR requires both the data importer and data exporter to take appropriate steps to protect the personal data being transferred.

10. Complete regular data privacy training

Because GDPR legislation is fairly complex, regular data privacy training is required to help employees handle different categories of personal data securely. GDPR training should explain what the law is and where it applies, data subject rights, the responsibilities of both data controllers and data processors, and how to respond to a cybersecurity incident.

GDPR checklist: Assess your organization’s approach to data privacy

To help you gauge your organization’s level of GDPR compliance, we’ve created this interactive checklist. Check out the steps below to verify you’re fully compliant, or identify and remedy any gaps.

*This checklist is intended as guidance only and is not a substitute for legal advice. Always consult with a lawyer to ensure your organization is fully compliant with GDPR.