
How does a business become GDPR compliant? Besides creating a privacy policy or updating your website terms and conditions, your business may also need to reconsider the way it collects and manages user data.

While we can’t offer legal advice specific to your business, we’ve put together a summary of the major changes introduced by the GDPR and what businesses should keep in mind in order to comply.

What are the GDPR compliance requirements?

The purpose of the GDPR is to better protect the privacy and personal data of EU citizens. This is achieved through a set of “data subject rights” and requirements which organisations must uphold.

Some key areas that businesses must consider include:

  • Getting informed consent to track, collect and share personal data. This could mean tweaking your opt-in and opt-out consent mechanisms for email subscribers or adding a cookie consent banner to your website.
  • The right to access. Consumers should be able to easily request and access the personal data that an organisation has collected about them.
  • The right to be forgotten. Consumers have the right to request the deletion of any personal information that an organisation has collected about them.
  • The right to data portability. Consumers have the right to request a copy of their personal data and easily transfer it to another organisation. This ensures that consumers can use their data to benefit from other online services.
  • Breach notifications. In the event of a data breach, organisations must notify affected users and a supervisory authority within 72 hours of the breach’s occurrence.
  • Privacy by design. When it comes to creating new products and services, organisations must put privacy at the forefront of the design and development stages. For instance, a preventative measure that businesses can take against data breaches is “pseudonymisation”, a process in which parts of a data record are replaced with a pseudonym, so that it can still serve its intended use without being linked to a specific person.
  • Appointing a Data Protection Officer (DPO). If a business processes personal or sensitive data on a large scale, they must hire a DPO to ensure they carry out their compliance obligations. Either way, the regulation expects all data controllers to have someone within their organisation who oversees compliance.

How will the GDPR impact business?

From data sharing to database marketing, what was once considered “business as usual” is now tightly regulated to ensure that customers have full transparency and control over their personal information.

Besides keeping your own conduct in check, as a business owner you must also evaluate whether a third-party vendor is GDPR-compliant before sharing customer data with them. As the data controller, you would be liable for any penalties that arise if that data is used unlawfully.

Start your compliance journey now

Although it takes more than a GDPR-ready privacy policy to be truly fit for the GDPR, a properly written policy is a great starting point for developing products, services and organisational practices that suit your business and industry.

We recommend all our customers enhance their GetTerms.io documents with the help of professional legal advice, to get a tailored roadmap to GDPR compliance.
