GDPR compliance work is often a complex and draining task for newly started companies. To make matters worse, consulting hours and GDPR-supporting tools are expensive. Understandably, many companies decide to look the other way and hope for the best. Either they spend a minimum of resources on GDPR in order to “pass the test” if the data authorities should knock on their door one day, or they decide not to deal with GDPR at all.
In my experience, the problem is not as much that companies are disinterested in becoming compliant, or refuse to prioritize GDPR because they think it’s silly. The real problem is that the GDPR work is too taxing for them at their current stage of development, and they simply do not know how to get started.
Compliance work can be motivated by either a carrot or a stick.
The carrot is business benefits such as increased consumer confidence, more personalized and effective communication with your customer base and a better understanding of their needs, better data security, and decreased data maintenance costs.
If these benefits are still not enough to convince you to get started, the “stick-approach” may be. Fines for not complying with GDPR range up to €20 million or 4% of the company’s global revenue, whichever is higher (Article 83 (5)).
The aim of this post is not to go into a deep analysis or academic lecture on how GDPR works. Rather, I want to give you the tools and steps to get started straight away.
In the first part of this post, I will go through some of the core concepts and key provisions of GDPR to establish the legal framework.
In the second part, I will focus on practical steps that companies can and should take in order to ensure compliance.
Part One: The Legal Framework
GDPR applies when personal data is either processed by automated means or when the data forms part of a filing system (GDPR Article 2 (1)). This means that, whenever a company stores personal data digitally on a computer, smartphone, tablet, etc., or manually in a structured registry, the rules of GDPR apply.
Personal data refers to any information relating to a natural person who can be identified, either directly or indirectly; pseudonymized data, for instance, still counts as personal data because the person behind it can be re-identified. An IP address is considered personal data because the user behind it can be identified. Personal data includes names, identification numbers, location data, or any specific factor that points to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person (Article 4 (1)).
Processing means any operation which is performed on personal data. According to GDPR (Article 4 (2)), data processing is collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
An important distinction is made between data controllers and data processors. The controller is the (temporary) owner of the data and determines the purpose and means of the processing (Article 4 (7)). The processor processes the personal data on behalf of the controller (Article 4 (8)). In many cases, the controller and the processor will be one and the same.
Whenever personal data is processed, GDPR sets out a number of principles that the data processor should adhere to (GDPR Article 5 (1) and (2)):
- Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (Article 5 (1) (a)).
- Purpose Limitation: Personal data shall be collected for specific, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5 (1) (b)).
- Data Minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Article 5 (1) (c)).
- Accuracy: Personal data shall be accurate and kept up to date (Article 5 (1) (d)).
- Storage Limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary. Exceptions to this principle exist when the personal data is stored for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (Article 5 (1) (e)).
- Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5 (1) (f)).
- Accountability: The data controller shall be responsible for, and be able to demonstrate compliance with, these principles (Article 5 (2)).
Lawfulness of processing
Companies are only allowed to process personal data on certain legal grounds (Article 6 (1)). The legitimate grounds of processing are:
- Consent: The data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a)).
- Performance of a contract: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b)).
- Legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6 (1) (c)).
- Vital interests: Processing is necessary in order to protect the vital interests of the data subject or of another natural person (Article 6 (1) (d)).
- Public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (1) (e)).
- Legitimate interest of a third party: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6 (1) (f)).
Data controllers are generally not allowed to process sensitive information about people. These “special categories of personal data” include data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation (Article 9 (1)).
However, GDPR sets out a rather long number of exceptions to this general rule (Article 9 (2)). The data controller can process sensitive information on customers, members, subscribers, employees, etc., when:
- the data subject has given explicit consent to the processing (Article 9 (2) (a)).
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law (Article 9 (2) (b)).
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Article 9 (2) (c)).
- processing is carried out with a legitimate purpose by a non-profit organization or union (Article 9 (2) (d)).
- processing relates to personal data which are already made public by the data subject (Article 9 (2) (e)).
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9 (2) (f)).
- processing is necessary for reasons of substantial public interest (Article 9 (2) (g)).
- processing is necessary for the purposes of medicine, medical diagnosis, health or social care or treatment (Article 9 (2) (h)).
- processing is necessary for reasons of public interest in the area of public health (Article 9 (2) (i)).
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, proportionate to the aims pursued (Article 9 (2) (j)).
Data subject rights
Under the GDPR, data subjects have eight fundamental rights, detailed in GDPR Articles 13-22.
- Right of information: The data subject has the right to be informed when personal data is processed about them, including what the purpose and the legal grounds of the processing are. The right to be informed applies when the personal data is obtained from the data subject (Article 13), or from another source than the data subject (Article 14).
- Right of access: The data subject has the right to know whether data concerning him or her is being processed (Article 15).
- Right to rectification: When personal data is inaccurate, the data controller is obliged to correct it without undue delay (Article 16).
- Right to erasure (Right to be forgotten): The data subject has the right to ask for deletion of their data, for instance when personal data are no longer necessary in relation to the purposes for which they were collected (Article 17).
- Right to restriction of processing: In a number of situations, such as when the accuracy of the personal data is contested by the data subject, or when the processing is unlawful, the data controller is prohibited from processing the data but obliged to store it, e.g. for the data subject’s establishment, exercise or defense of legal claims (GDPR Article 18).
- Right to data portability: The data subject has the right to receive the personal data that he or she has provided to the controller, and transmit it to another controller without hindrance from the controller to which the personal data have been provided (Article 20).
- Right to object: The data subject has the right to object to the processing of their personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims (Article 21).
- Right to object to automated processing: This right provides the data subject with the ability to object to a decision based on automated processing, including profiling (Article 22). The purpose of this provision is to avoid algorithmic decision-making on legal and other significant matters without human involvement.
Part Two: How to get started
Step 1: Understand your data flows
The first thing you need to do in the ongoing process of becoming GDPR-compliant is to understand what kind of data your organization processes, where it is, and the conditions under which it is kept. A technical term for this is “data-mapping”.
In smaller organizations that process a limited amount of personal data, the data flow can easily be mapped out in a spreadsheet or a document, such as Excel or Word.
The point of a data map is to help you to identify and address potential privacy risks/issues. Additionally, GDPR sets out a requirement in Article 30 for certain companies (practically almost all companies) to keep a “record of processing activities” (ROPA), which would be impossible to make without a solid understanding of the How, What, and Why of the personal data processed in your organization.
To develop your data map, you can begin by asking yourself a few relevant questions:
- How is the personal data collected (e.g. paper forms, web applications, call centers, etc.), and where is it located (for instance, paper forms are often completed outside the business)? Digital data may be stored at several locations at once, so it is important to track all sites that store it.
- Who is accountable for the data processing? (each processing activity should have an assigned person who is responsible)
- Who can access the data (e.g. employees, the data subject themselves, or their friends and family)?
- Is the data shared or disclosed to other suppliers and data processors?
- Do any of your systems share data with other systems?
By answering these questions, you will get a better grasp of your data flow.
There are several ways to make a data map. If you are the creative type, you may be able to make diagrams and flow charts of how personal data moves through your organization.
I recommend a simple approach: mapping out your systems, vendors, and data processing activities.
- Systems
Mapping out your systems is not a direct requirement under GDPR. However, by mapping out your IT systems, you will easily be able to locate which vendors you use, and where in your organization you process personal data.
- Vendors
It is a requirement under GDPR to enter into a Data Processing Agreement (DPA) with your vendor when they process personal data on your behalf (Article 28 (3)). With a full overview of your vendors, you will be able to locate which vendors you need to establish a DPA with. See Step 3. Additionally, GDPR only applies to the Member States of the European Union (Article 3). When companies in Member States transfer personal data to third countries (outside of the EU) or international organizations, the companies have to take specific security precautions that ensure that the purpose of GDPR is not diluted. See Step 4.
- Data processing activities
Under GDPR Article 30 (5), it is a requirement to keep records of data processing activities (ROPA) for companies of a certain size (250+ employees), or any other company, if:
- The processing is likely to result in a risk to the rights and freedoms of data subjects
- The processing is not occasional, or
- The company processes “sensitive data” under Article 9 (1).
Practically, almost all companies are covered by the definition of Article 30 (5). The ROPA shall be written and kept in electronic form (Article 30 (3)) so information can be added, removed, and amended easily.
The data controller’s ROPA shall include information on:
- The name and contact details of the controller and other relevant involved parties, where applicable (Article 30 (1) (a)).
- The purposes of the processing (Article 30 (1) (b)).
- A description of the categories of data subjects and of the categories of personal data (sensitive or non-sensitive data) (Article 30 (1) (c)).
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations (Article 30 (1) (d)).
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards (Article 30 (1) (e)).
- Where possible, the envisaged time limits for erasure of the different categories of data (Article 30 (1) (f)).
- Where possible, a general description of the technical and organisational security measures referred to in Article 32(1) (Article 30 (1) (g)).
Article 30 (2) sets out similar, but modified, documentation requirements for data processors, that include information on:
- The name and contact details of the processor, controllers on behalf of the processors, or other relevant involved parties, where applicable (Article 30 (2) (a)).
- The categories of processing carried out on behalf of each controller (Article 30 (2) (b)).
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards (Article 30 (2) (c)).
- Where possible, a general description of the technical and organisational security measures referred to in Article 32(1) (Article 30 (2) (d)).
With a detailed ROPA document at hand, you can show the outside world that personal data is treated responsibly in your organization. Creating the ROPA is the first and most fundamental step, and it will form the backbone of all GDPR-related procedures, policies, and security measures from now on.
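A ROPA kept in electronic form can be checked mechanically for the gaps Article 30 (1) and Articles 6 and 9 make mandatory. The following is an added example, not code from the post: it models one ROPA entry per processing activity and flags missing fields, a lawful basis outside Article 6 (1), special-category data without an Article 9 (2) exception, and a third-country transfer without a documented safeguard. The short labels for the legal grounds, the field names and the two sample entries are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Short labels for the lawful bases of Article 6 (1) (a)-(f) and the Article 9 (2) (a)-(j)
# exceptions; the labels themselves are an assumption of this example, not GDPR terms.
ARTICLE_6_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                   "public_interest", "legitimate_interest"}
ARTICLE_9_EXCEPTIONS = {"explicit_consent", "employment_law", "vital_interests",
                        "nonprofit_members", "made_public", "legal_claims",
                        "substantial_public_interest", "health_care",
                        "public_health", "archiving_research"}
# Special categories of personal data listed in Article 9 (1).
SPECIAL_CATEGORIES = {"racial_or_ethnic_origin", "political_opinions", "religious_beliefs",
                      "trade_union_membership", "genetic_data", "biometric_data",
                      "health_data", "sex_life_or_orientation"}

@dataclass
class ProcessingActivity:
    """One row of a controller's ROPA; the comments give the Article 30 (1) item."""
    name: str
    controller_contact: str                        # 30 (1) (a)
    purposes: list[str]                            # 30 (1) (b)
    data_subject_categories: list[str]             # 30 (1) (c)
    personal_data_categories: list[str]            # 30 (1) (c)
    lawful_basis: str                              # Article 6 (1) label
    article_9_exception: str | None = None         # Article 9 (2) label, if special data
    recipients: list[str] = field(default_factory=list)                   # 30 (1) (d)
    third_country_transfers: dict[str, str | None] = field(default_factory=dict)  # country -> safeguard, 30 (1) (e)
    erasure_time_limit: str | None = None          # 30 (1) (f)
    security_measures: list[str] = field(default_factory=list)            # 30 (1) (g), Article 32

def check_activity(a: ProcessingActivity) -> list[str]:
    """Return the gaps found in one ROPA entry; an empty list means the entry is complete."""
    gaps: list[str] = []
    if not a.controller_contact.strip():
        gaps.append("30(1)(a): controller contact details missing")
    if not a.purposes:
        gaps.append("30(1)(b): no purpose of processing stated")
    if not a.data_subject_categories or not a.personal_data_categories:
        gaps.append("30(1)(c): categories of data subjects or personal data missing")
    if a.lawful_basis not in ARTICLE_6_BASES:
        gaps.append(f"6(1): lawful basis '{a.lawful_basis}' is not an Article 6 ground")
    special = sorted(set(a.personal_data_categories) & SPECIAL_CATEGORIES)
    if special and a.article_9_exception not in ARTICLE_9_EXCEPTIONS:
        gaps.append(f"9(1): special categories {special} need an Article 9(2) exception")
    for country, safeguard in a.third_country_transfers.items():
        if not safeguard:   # transfer recorded but no safeguard documented
            gaps.append(f"30(1)(e): transfer to {country} has no documented safeguard")
    if not a.erasure_time_limit:
        gaps.append("30(1)(f): no envisaged time limit for erasure")
    if not a.security_measures:
        gaps.append("30(1)(g): no description of Article 32 security measures")
    return gaps

def check_ropa(activities: list[ProcessingActivity]) -> dict[str, list[str]]:
    """Map each activity name to its gaps so the record can be reviewed entry by entry."""
    return {a.name: check_activity(a) for a in activities}

# Constructed sample entries for a small company; the values are not real data.
NEWSLETTER = ProcessingActivity(
    name="newsletter", controller_contact="privacy@example.com",
    purposes=["send product updates"], data_subject_categories=["subscribers"],
    personal_data_categories=["name", "email"], lawful_basis="consent",
    recipients=["email service provider"], erasure_time_limit="on unsubscribe",
    security_measures=["TLS in transit", "role-based access"])
HR_ABSENCE = ProcessingActivity(
    name="hr_absence_records", controller_contact="hr@example.com",
    purposes=["sick-leave administration"], data_subject_categories=["employees"],
    personal_data_categories=["name", "health_data"], lawful_basis="legal_obligation",
    third_country_transfers={"US": None},   # transfer recorded, safeguard left blank
    erasure_time_limit="5 years after employment ends",
    security_measures=["encrypted at rest"])

if __name__ == "__main__":
    for name, gaps in check_ropa([NEWSLETTER, HR_ABSENCE]).items():
        print(name, "OK" if not gaps else gaps)
```

The HR entry is reported with two gaps (health data without an Article 9 (2) exception, and a transfer without a safeguard) while the newsletter entry passes.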
Step 2: Create Privacy Policies
All data processing activities have now been mapped out, and you also know which systems and vendors you use. If the data protection authority should knock on the door, you are able to document exactly how you process personal data in your organization.
While the data mapping exercise gives you the bird’s-eye view of personal data in your organization, the privacy policies that you put on your company’s webpage will show employees, customers, visitors on the web page, etc. that you take good care of their data.
You will typically make two privacy policies, one for employees/applicants, and one for customers/visitors on the website. Each policy should cover:
- Which categories of personal data are processed (general information such as name, e-mail, address, or sensitive information such as religious beliefs or sexual orientation).
- The purpose of the processing (e.g. for marketing or advertisement purposes, to improve content, to notify visitors of the website about updates, etc. How and why are the personal data used?).
- The legal grounds of processing (e.g. consent or performance of a contract).
- Are personal data shared or disclosed to other parties? (e.g. a retailer may share a customer’s address with a courier to get their order delivered. It should also be addressed if personal data is transferred to a third-party country or an international organization).
- The rights of the data subject (as stated in GDPR).
- For how long is personal data stored? (As a rule of thumb data must be stored for the shortest time possible with certain, important exceptions. For example, national labor, tax, or anti-fraud laws may require you to keep personal data about your employees for a defined period of time. Or you may have to store information on your customers’ purchases due to product warranty duration).
- Security measures (see more under step 4)
- Information and contact details on the data controller/data processor
- The contact information on the national data authority in case the data subject wants to lodge a complaint
The purpose of the company’s privacy policies is to show customers, employees, vendors, and other business partners that they can safely entrust you with their data. It is also a requirement under GDPR Article 12 (1) to provide the relevant information to the data subject in “clear and plain language, in particular for any information addressed specifically to a child.”
Your privacy policies and procedures can and will continually be developed. GDPR is highly complex, and if you want to go into its depth, there are countless educational books (and counselors) to draw inspiration from. However, with a data map as described in Step 1 and two privacy policies at hand, one for employees and one for customers, you are heading in the right direction towards compliance.
Step 3: Enter Into Data Processor Agreement With Data Controllers
According to GDPR Article 28 (3), processing by a processor shall be governed by a (binding) contract or other legal act under Union or Member State law. GDPR thus sets out an obligation for data processors to enter into formal agreements with their data controllers. Step 3 is to look at our list of systems/vendors, determine which ones are data processors, and then enter into formal agreements with them.
When asking ourselves whether a vendor is a data processor, we can look at the definition of processing in Article 4 (2). Namely, we should consider where the personal data is maintained or stored. Cloud-based providers are typically considered to be data processors, as they capture and store data on their own servers (or on third-party servers).
Virtually every business relies on third parties to process personal data. Whether it’s an email client, a cloud storage service, or website analytics software, you must have a DPA with each of them. Large corporations will often have standardized DPAs available on their websites (Microsoft, for instance, publishes its DPA online).
Article 28 (3) explains that the DPA shall include the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Additionally, the contract shall address that the processor:
- Processes the personal data only on documented instructions from the controller (Article 28 (3) (a)).
- Ensures that persons authorized to process the personal data have committed themselves to confidentiality (Article 28 (3) (b)).
- Takes all technical and organizational measures to protect the security of the data (Article 28 (3) (c), pursuant to Article 32).
- Will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (Article 28 (3) (d) with reference to Article 28 (2) and (4)).
- Assists the controller by appropriate technical and organizational measures (Article 32) for the fulfillment of the controller’s obligations, particularly with regard to data subject rights (Article 28 (3) (e)).
- Assists the controller in ensuring compliance with regard to data processing security (Article 32) and consulting with the data protection authority before undertaking high-risk processing (Article 36) (Article 28 (3) (f)).
- Deletes or returns all the data to the controller, upon the termination of services (Article 28 (3) (g)).
- Makes all information available to the controller necessary to demonstrate compliance and allows the controller to conduct an audit (Article 28 (3) (h)).
With DPAs you can guarantee that your collaborators live up to high ethical standards of data processing.
Step 4: Risk Assessment and Security Measures
In previous steps, we have mapped out your data and developed some procedures and policies to support your GDPR compliance. The next step is implementing technical and organizational security measures to minimize risks and to back up your GDPR compliance. Technical measures could be passwords or firewall protection, while organizational measures could be education of staff or access control to systems.
Under Article 32 (1) the controller shall take into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, when implementing appropriate technical and organisational measures to ensure a level of security.
Article 32 (1) implies that the data controller (and possibly the data processor) shall make individual risk assessments linked to the specific processing activities. In the individual risk assessment, the controller can for instance consider the nature of the personal data, as processing special categories of personal data involves a larger risk than processing non-sensitive data. The controller should also consider whether large volumes of personal data are processed, as a security compromise of a vast amount of data exposes a larger circle of people to risk.
Article 32 (1) includes four examples of security measures that can be applied by the data controller:
- The pseudonymisation and encryption of personal data (Article 32 (1) (a)).
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services (Article 32 (1) (b)).
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (Article 32 (1) (c)).
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (Article 32 (1) (d)).
Where a type of processing, in particular one using new technologies (such as artificial intelligence for profiling or automated decision-making), is likely to result in a high risk to the rights and freedoms of natural persons, the controller is obligated to carry out a risk assessment prior to the processing (Article 35 (1)). I will not go further into that here, as we would soon drift away from the main purpose of this article: learning how to get started with GDPR as a newly started company.
We have now mapped out our data processing activities, implemented privacy policies, entered into processing agreements with our processors, and finally looked at technical and organizational security measures to protect personal data.
Step 5 and Beyond: Keep on going!
GDPR compliance is an ongoing task that will never be completed. The steps go on. However, if your organization does not process sensitive data, or process personal data in extraordinarily large volumes, the steps of this guide are all you need to get started. GDPR compliance may seem like an overwhelming task to begin with, but it should not take many work days to get a solid foundation in place. Over time, the foundation can gradually be advanced and expanded as the organization scales.