Overview: How to comply with GDPR

Does your business have a good handle on GDPR and on how you process personal data? Get the overview here.

Virtually all businesses that come into contact with personal data are subject to local laws and regulations. In the EU and EEA that means GDPR. For this reason it’s important that you know the requirements for how you correctly process personal data.

Below you can read about the EU directive and how it applies to personal data – as well as get a few tips on best practice for processing personal data:

  • What is the General Data Protection Regulation (GDPR)?
  • Which businesses are subject to GDPR?
  • What is a Data Manager and a Data Processor?
  • What is a DPO (Data Protection Officer)?
  • How to comply with GDPR
  • Storing personal data – when and for how long?
  • Rights of private individuals
  • Ongoing audit and the principle of accuracy

What is the General Data Protection Regulation (GDPR)?

GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area.

The regulation applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.

Its official name is:


REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

As an EU regulation and directive it is, strictly speaking, not an actual law. Instead it’s a legally binding agreement between all EU and EEA countries, which they are then required to interpret and implement in their local law.

That means that, while GDPR is binding and sets out to give specific directions regarding personal data, there can be variations and minor differences from country to country. It often acts as a basic framework that is then expanded upon by the individual country.


Oversight

Different countries in the EU and EEA have different supervisory or regulatory agencies. These ensure that GDPR is upheld and guide local governments, businesses and organizations in how to be GDPR-compliant.

Which businesses are subject to GDPR?

GDPR applies to virtually all processing of personal data, i.e. all information that can be connected with or used to identify a specific person.

Read more about personal data and the different categories.

As the regulation is geographically specific to the EU and EEA, it only applies:

To be concise: almost all businesses with an affiliation to the EU, whether through the business itself or through its clients/customers, are subject to GDPR.

What is a Data Manager and Data Processor?

And what’s the difference?

According to the GDPR, it’s important to fundamentally separate the two specific roles that both process personal data.

You can either be a data manager or a data processor.


There are different requirements for the two roles. That’s why it’s important to know which is which and who is who, before you start to process personal data.

Data Manager

The data manager defines the purpose and procedure for how personal information is processed. As data manager you are obligated to ensure that:

Data Processor

As a data processor you solely process the personal data on behalf of the data manager. You do not have any influence on the purpose or procedure you operate under.

A data processor can, for example, be a software provider whose services are used to store data on servers, or another type of provider of automated processing of personal data, where you do not have direct access to the data.

Because the relation between data manager and data processor involves the exchange of personal data, it’s important that there is a data processing agreement in place that clearly defines the exact relation between the two. A template for this can be found on GDPR.eu.

What is a Data Protection Officer (DPO)?

There can also be a third role: DPO or Data Protection Officer. You might have come across this term before, but what does it mean? And should your business have a DPO?


The role of DPO is to advise on the requirements of GDPR and guide the data manager in how they can fulfill these requirements. It’s important to note that the DPO is not responsible for whether or not the business is compliant with GDPR or local law.

Governmental agencies are required to – regardless of whether they’re data managers or data processors – appoint a DPO. Private companies are only obligated if all of the following three conditions apply:

When is processing of personal data a ‘core work activity’?

Most organizations perform some type of processing of personal data but GDPR differentiates between non-core work activities and core work activities.

Non-core work activities can generally be said to be activities that support core work activities. For example, most businesses come into contact with a certain amount of personal data with regard to employee data and personal data related to sales and different types of support. These are considered to be non-core work activities.

According to GDPR, the processing of personal data is a core work activity, if what a business is looking to sell is irrefutably connected to personal data. This could, for example, be:


These are all examples of business activities that are centered around processing personal data, and where the output depends on the information obtained and processed.

How to comply with GDPR

GDPR necessitates a risk-based approach similar to, for example, anti-money laundering initiatives.

A risk-based approach means that, whether the business is a data processor or a data manager, you are obligated to perform an assessment of the types of data that are stored or processed by the business. Then you need to make sure that there are organizational and technical security measures or safeguards in place that correspond to the assessed risks.

Technical security measures

Examples include strong firewalls, ongoing updates of code and systems, encryption and a strong IT infrastructure.

Organizational security measures

Examples include documented procedures, clear policies for personal data, access control, courses in correct data processing, and the further education of employees.

To comply with GDPR, businesses need to have:

Read more below.

How do you perform a risk assessment?

Risk assessments will typically evaluate, or assess:

On the basis of these factors you can assess whether the risk is acceptable, or if you need to implement new safeguards to minimize the risk of data being stolen or leaked.

There are also requirements for documentation of your considerations regarding the procedures.

Policies

Most businesses have set procedures and policies in place that streamline and systematize work activities. In the same way, it’s a good idea to define policies and procedures for the processing of personal data.

Typically you’ll divide personal data policies into whether they pertain to personal data about employees or clients/customers. A personal data policy for clients could, for example, contain the following:

Business procedures

The business procedures should be in an internally accessible document that has been written to support the workflow and procedures you’ve agreed upon. A business procedure is often a relatively detailed description of how you handle personal data, with specific procedures for how your business – in its day-to-day activities – makes sure unnecessary data is deleted, and how you share data with others, whether that’s with colleagues or external data processors.

Audits and documentation

At the same time you need to be able to document that your processing of personal data is in accordance with GDPR and local law. For example, you need to document how you delete personal data after the end of a business relationship.

A business can have multiple procedures regarding how and how often they delete data. But according to GDPR it’s essential that it’s written down or somehow documented, so that the proper regulatory agencies can audit your actions and thus ensure that you’re complying with GDPR.

The documentation requirement can be supported by IT solutions that can even automate some of the necessary processes.

Storing of personal data – when and for how long?

Businesses can store personal data as long as they:

The legal right regarding storage of personal data is defined as:

Normally, the business or governmental agency has sufficient legal right if just one of the above criteria has been met.

A legitimate purpose is basically defined by common sense.

Ask yourself: What is the purpose of storing the given personal data?

If you don’t have a legitimate purpose then the data needs to be deleted.


Example

Six months ago the company had a job posting looking for a legal aid. They had many applicants but have since closed the entire department and do not plan to hire legal aids ever again.

Does the business still have a legitimate purpose for saving résumés and applications? Here, the answer is no.

As long as a business has the legal right and a legitimate purpose, then the business can continue to store data. As soon as this is no longer the case, the data should be deleted.

Rights of private individuals

With the implementation of GDPR, private individuals gain the right to access the data businesses store about them. This is often called access rights or subject rights:

The data and information you can request includes:

This is to ensure that the data is verifiable, accurate and that the processing is performed on the basis of sound legal authority.

Ongoing audit and the principle of accuracy

As a business you are obligated to make sure that the stored personal data is accurate and that wrong or false information is deleted.

This is also called the principle of accuracy.

The principle does not only revolve around the duty of deleting or correcting information that you’ve been informed is wrong. You also have an obligation to actively seek out and verify the accuracy of your data.

This could be done, for example, by continuously comparing the data you obtain against registries and databases of publicly available information, or by periodically requesting verification from the individual the information is about.


How thoroughly you need to verify the information’s accuracy and authenticity, and how frequently you need to repeat this process, depends on the data you are processing. The more sensitive the data – and therefore the greater the importance it holds for its owner – the more procedures and fail-safes you need to implement to protect it.

NewBanking – Processing personal data easily and securely

If you’ve read along from the top, and have lost your breath over the challenges of working with GDPR and personal data, then you’re not alone.

Luckily, there are a number of good solutions for the business challenges of processing data.

NewBanking Identity is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.

For businesses there are a number of benefits from using NewBanking Identity:

Onboarding

Onboard your clients digitally on secure channels.

Validation

Set up your own requirements for validation of information.

Documentation

A full audit trail and overview of the performed actions and consent for processing.

Processing

With NewBanking you comply with all legal requirements, both GDPR and AML.

Curious about NewBanking Identity?

Then request a free demo.
