GDPR and Your Company
Any business entity that processes personally identifiable data from the EU should implement compliance measures immediately.
The European Union’s General Data Protection Regulation (GDPR) is a regulation that compels businesses to protect the personal data and privacy of EU citizens. It also requires monitoring of data that is exported outside of the EU. Companies that fail to become GDPR compliant can face hefty fines of up to EUR 20 million or 4% of their total global revenue for the preceding fiscal year (whichever is higher).
GDPR should not be taken lightly.
GDPR compliance has become a pressing issue in recent weeks and months as Google lost major lawsuits over its deployment of Google Analytics. For this reason, we have prepared a 30-second self-assessment that will determine your technical requirements and recommend services to bring your website up to speed.
Things to consider for compliance
Data that GDPR protects
The regulation protects the following data:
- Personal data that relates to an identified or identifiable "individual," for example:
  - Name, address, and/or ID numbers
  - Web data such as location, IP address, cookie data, and RFID tags
- Special Category Information, for example:
  - Health and genetic data
  - Political opinions
  - Biometric data
  - Racial or ethnic data
  - Sexual orientation
Being GDPR compliant is not easy
Thorough planning is required, and several factors must be considered, including:
- The storage, transfer, access, and security of electronic information
- Document retention schedules and their implementation
- Written proof of compliance
- Documentation pertaining to data protection
- The type of data that is being stored and transferred
- Incorporation of newly-created data
- Data accessibility
- Data content
Data Protection Officer
A Data Protection Officer (DPO) is required in some circumstances. Part of their role is to follow a strict protocol to identify personal data that the company processes and ensure its protection under GDPR guidelines.
Understanding the content of the personal data
Companies should understand the nature of the personal data that they are storing, not just identify where the data is stored. They should understand whether the personal data is legally binding by nature (as in contracts and agreements) or what other legal basis they have for processing it.
Data mapping
It’s impossible to ensure security if the DPO doesn't know the location or the content of the corporate data. If the corporation’s data map is incomplete, there should be a discussion with IT stakeholders. Going forward, collaboration between all business areas, IT, management, and the corporate legal department is very important for a comprehensive data management plan – which again is a significant step toward GDPR compliance. It should be noted that personal data possessed by third-party providers, including cloud service vendors or data archival companies, also comes under the purview of GDPR compliance.
Obtaining customer consent
Consent of an individual is one of the bases for data storage and transfer. A company must obtain a clear affirmative statement from the customer allowing it to process and use their data. Similarly, an individual has the right to know where their data is being stored and how it is being processed. They also have the right to challenge the company for storing inaccurate information and to demand its correction or deletion. It should be noted that consent is not the only basis for processing personal data. Under GDPR, there are six legal bases that can be applied to the processing of personal data. They are:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
Sending security alerts
It is important for a company to have adept technical support to avert data breaches. If there is a breach, the company should have provisions in place to inform the individual and the company. It should be able to tell its customers specifically what was exposed. The GDPR introduces a duty on all organizations to report certain types of personal data breach to the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach, where feasible.
Monitoring data transfer
GDPR places significant restrictions on personal data transfer. Corporate entities should have an enforceable plan to prevent unauthorized data transfers. Any transfer of data outside of the EU should meet GDPR requirements first. A series of questions about the content of the data needs to be answered. If the data is especially sensitive, additional restrictions must be imposed. If needed, permission for transmission can also be revoked.