If you were scrolling through LinkedIn at all the first half of the year, you likely saw many a person in your network freaking out over GDPR. They were asking questions about how to comply with GDPR and what it would mean for their business.

There was such a mania surrounding this new European data privacy Regulation because it applies to everyone who does business in Europe. It even applies to organizations outside the E.U. whose online presence targets people in Europe.

Perhaps you’re wondering if your organization has met GDPR requirements or if it needs to, given your customer base. In this article, we’ll cover the basics of this Regulation and the specifics about complying with GDPR articles.

What is GDPR?

The General Data Protection Regulation (GDPR for short) is the E.U.’s data privacy law, replacing the 1995 Data Protection Directive. It lays out exactly how organizations that handle the personal data of people in the E.U. may collect, use, store, and share that data.

This piece of legislation stemmed from the E.U.’s concern with how large internet companies were collecting consumer data and then exploiting it, or not doing enough to protect it. It also gives effect to Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, proclaimed in 2000, which establish respect for private life and the protection of personal data as fundamental rights.

The GDPR has applied since May 25, 2018 (it was adopted in April 2016 with a two-year transition period). The most serious violations can be fined up to twenty million euros or 4% of the organization’s worldwide annual turnover, whichever is higher; a lower tier of up to ten million euros or 2% applies to other breaches, such as failing to keep records or to report a data breach.

Who Needs to Follow GDPR?

The GDPR applies to any organization established in the E.U. that processes personal data, and to organizations outside the E.U. that offer goods or services to people in the E.U. (paid or free) or monitor their behaviour, for example through tracking and profiling. Note that the test is whether the data subjects are in the E.U., not whether they are E.U. citizens.

Organizations in the U.S. had previously relied on the “Safe Harbor Privacy Principles,” agreed upon in 2000, for transferring European personal data across the Atlantic. The Court of Justice of the E.U. invalidated Safe Harbor in 2015, and it was replaced by the EU-U.S. Privacy Shield in 2016. Those frameworks only cover the legality of the transfer itself; they do not by themselves meet the standard GDPR sets for how the data is then handled.

What Types of Personal Data Does GDPR Cover?

When it comes down to it, GDPR covers pretty much every type of personal data point you can imagine.

It covers obvious information like consumer names, addresses, credit card info or bank details, and GPS location.

Less obviously, it encompasses email addresses, IP addresses, cookie and device identifiers, and users’ posts on social media channels.

What has thrown many companies for a loop is that pseudonymized data (records where the direct identifiers have been replaced with a key or token) is still personal data if the individual can be traced back from it using the key or other information you hold. Only data that has been truly anonymized, so that nobody can reasonably re-identify the person, falls outside the Regulation.

Here's How to Comply with GDPR

We’ll be honest, the GDPR is long and complex. You can read it in full here, but here’s basically what it says, broken up into four main buckets:

Justification for Your Need for Personal Data

Under GDPR, you can only process personal data if you have a lawful basis for doing so. You can’t just go make up a reason here. Your justification will need to fall under one of the six lawful bases in Article 6:

  1. Consent: the user has freely given clear, informed consent for a specific purpose, and can withdraw it as easily as it was given.
  2. Legal obligation: you need the data to comply with another law.
  3. Vital interests: you require the data to protect someone’s life.
  4. Contract: you need the data to fulfil a contract with that particular user, or to take steps at their request before entering into one.
  5. Public task: you are a public authority, or you perform a task in the public interest, and need the data to carry it out.
  6. Legitimate interests: your organization (or a third party) has a legitimate interest that is not overridden by the user’s rights and freedoms. This basis requires a documented balancing test, and public authorities can’t rely on it for their official tasks.

Before your business collects user data, you must decide which basis you’re relying on, record it, and tell users in your privacy notice. From there, each basis has its own subset of rules that you must follow; for example, special categories of data such as health or biometric data need an additional condition under Article 9.

Users Get Control of Their Data

Once you’ve settled your reason for collecting data on European users, you must give them control of their data. These are the eight rights users have when it comes to the data you collect:

  1. Right to be informed: tell users that you’re collecting their data, why you’re doing it, on what lawful basis, how long you’ll keep it, and who you share it with.
  2. Right of access: provide a user with a copy of all their data if they request it, normally within one month.
  3. Right to rectification: correct a user’s data if he/she says it’s incorrect.
  4. Right to erasure: delete a user’s data if he/she requests it and you no longer have a lawful reason to keep it.
  5. Right to restrict processing: stop processing a user’s data (while still storing it) if he/she requests.
  6. Right to data portability: hand over a user’s data in a structured, commonly used, machine-readable format, or transfer it directly to another provider where technically feasible, when he/she moves to another service.
  7. Right to object: users can reject certain uses of their information, and an objection to direct marketing must always be honoured.
  8. Rights around automated decision-making: you must inform users when an algorithm or AI model makes decisions about them with legal or similarly significant effects, and give them the option of human review.

Basically, users need to know you’re collecting their data, and they have a say in how and when you use it.

Keep Your Users’ Data Secure

If you’re a corporation collecting users’ data, hopefully you’ve already taken the necessary measures to protect it. Any reasonable company would want security measures in place anyway, not only to protect customers’ data but also the company’s private documents, IP, and other valuable assets.

Under GDPR (Article 32) you are expected to apply security measures appropriate to the risk, such as encryption and pseudonymization, and to have a process for regularly testing and evaluating how effective they are. Article 25 also requires data protection by design and by default, so privacy has to be built into your systems when they are designed, not bolted on afterwards. Don’t expect to be able to slap on a security plugin and call it a day.

If your organization is breached and users’ data has been compromised, you must notify your supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to cause a high risk to the people affected, you must also tell them without undue delay.

Document Everything and Establish Data Governance

Keeping track of and documenting your efforts to acquire and secure user data will help you prove your compliance with GDPR. The purpose of this requirement is to create accountability within each organization that does business in Europe.

In terms of specific requirements, you’ll need written records of your processing activities (Article 30): why you collect customer data and on what lawful basis, what categories of data and data subjects are involved, who you share it with, your retention policies, and a description of your security measures. Organizations that carry out high-risk processing must also run a Data Protection Impact Assessment, and some must appoint a Data Protection Officer.


GDPR Compliance Is Possible

After getting through this article you might still be wondering how to comply with GDPR. There’s so much to cover and the information is a bit overwhelming.

Even if your organization still has some ground to cover, know that GDPR compliance is attainable and that being compliant with this Regulation will help your business in the long run.

You can read more about GDPR compliance on our blog.

If you enjoyed this article, please share it