Best Practices For Data Handling Under GDPR

The GDPR, or the General Data Protection Regulation 2016/679, is a regulation that ensures data protection and privacy practices are followed in the European Union (EU). 

The GDPR runs to 99 articles and 173 recitals, so it can be hard to work out exactly what is expected of a business that falls under it. Any business that handles the personal data of people in the EU needs to think carefully about how it does so, because getting it wrong can be costly.

Here is our quick guide on data handling best practices under GDPR.

Overview of the GDPR Requirements

Before we dive into best practices, we wanted to give you an overview of what the GDPR entails.

What is GDPR?

GDPR is an EU regulation that protects the personal data businesses collect about people in the EU. It assumes that some data collection is necessary; what it regulates is how that data is handled, what obligations businesses carry, and what rights the people the data is about have.

Key Points the GDPR Considers

The key principles the GDPR considers are:

  1. Data protection principles
  2. Accountability
  3. Data security
  4. Data protection by default and design
  5. What businesses are allowed to process
  6. Consent
  7. Data protection officers
  8. People privacy rights

Who Falls Under the GDPR?

First note that if you process the personal data of people who are in the EU, whether because you offer them goods or services or because you monitor their behaviour there, then the GDPR applies to you and your business (Article 3). This includes businesses that have no establishment in the EU at all.

Are There Fines for Failing to Follow the GDPR?

Fines for violating the GDPR are severe. The brief explanation is that there are two tiers (Article 83): the lower tier maxes out at 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, and the higher tier at 20 million euros or 4%, whichever is higher in each case.

Data subjects (such as your customers) also have the right to seek compensation for damages. 

Glossary of Terms for GDPR

Personal data: Personal data is any information relating to an individual who can be identified, directly or indirectly, from it. This includes names, email addresses, location data, ethnicity, gender, biometric data, religious beliefs, political opinions, and online identifiers such as cookie IDs and IP addresses. Pseudonymised data still counts as personal data if it can be attributed to a person with the help of additional information (Recital 26).

Data processing: Data processing is any operation performed on personal data, whether automated or manual: collecting, recording, organising, structuring, storing, altering, retrieving, using, disclosing, or erasing it (Article 4(2)).

Data subject: This is the person whose data is processed. For most businesses the data subjects are essentially site visitors and customers.

Data controller: The data controller (in this scenario, you) is the person or entity that decides why and how personal data is processed, that is, the purposes and means of the processing.

Data processor: A data processor is a third party that processes personal data on behalf of the controller. The GDPR imposes specific obligations on processors (Article 28), including a written contract with the controller. Cloud services such as Tresorit are data processors when they hold your customer data.

Best Practices Businesses Should Follow Under GDPR

The core of the GDPR lies in the 8 key points listed above; each one is covered below.

1. Follow Data Protection Principles

Businesses must abide by the seven data protection and accountability principles set out in Article 5(1)-(2):

  • Lawfulness, fairness and transparency: processing must be lawful, fair, and transparent to the data subject.
  • Purpose limitation: collect data only for specified, explicit and legitimate purposes, and do not process it further in ways incompatible with those purposes.
  • Data minimisation: collect and process only as much data as the purpose actually needs.
  • Accuracy: keep personal data accurate and up to date.
  • Storage limitation: keep data in a form that identifies people no longer than its specified purpose requires.
  • Integrity and confidentiality: process data securely, protecting it against unauthorised processing, loss, destruction or damage.
  • Accountability: the data controller is responsible for compliance with the above and must be able to demonstrate it.

2. Maintain Data Accountability and Responsibility

Data controllers have to demonstrate GDPR compliance. Here are things that businesses should do throughout:

  • Designate a member of your team in charge of following personal data protection responsibilities
  • Keep detailed documentation of the data being collected, how it’s used, where it’s stored, and who’s responsible for it
  • Train staff on how to properly collect and handle personal data
  • Create a Data Processing Agreement with third parties who process data on your behalf
  • Appoint a Data Protection Officer to monitor data processing activity where you are required to (see point 7 below), or voluntarily if it helps
  • Use Data Monitoring Software to detect unauthorized data processing activities

3. Data Security

Keeping data secure is vital to GDPR compliance. Article 32 requires you to implement technical and organizational measures appropriate to the risk, and it names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of your measures as examples.

Controls such as two-factor authentication fall under data security, and there are a number of best practices you should already be following. Encrypt personal data at rest and in transit, and consider end-to-end encryption where employees access data in the cloud and where you use third-party cloud providers, so that the provider itself cannot read the data.

Implement staff training around data security and add a data privacy policy to the employee handbook. Apply least privilege: only those employees who need to access personal data for their role should be able to.

Keep a close watch on your company data with data monitoring software. This software will watch the data you point it at, and it can label the data and take predefined actions when a rule is triggered.

If a personal data breach occurs, you must notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned (Article 33). Where the breach is likely to result in a high risk to them, you must also inform the affected data subjects without undue delay (Article 34). This is where technical safeguards pay off: if the breached data had been rendered unintelligible to anyone without the key, for example by encryption, you are not required to notify the data subjects, although the notification to the supervisory authority still applies.
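The following is an added example, not code from the original post or from SoftActivity, showing in stdlib-only Python three of the measures named above and under the Article 5 principles: data minimisation (dropping fields the purpose does not need), keyed pseudonymisation with the re-identification key held apart from the records (so the stored records alone are unintelligible, as Article 34 expects), and storage limitation (purging records past a retention period). The purpose "order fulfilment", the field list, the 365-day retention period, the fixed demo key and the sample records are all constructed assumptions for illustration; a real deployment would keep the key in a separate secrets store and choose its own purposes and retention periods.

```python
"""Added example: minimisation, keyed pseudonymisation and retention in one small pipeline."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed policy for a hypothetical purpose, "order fulfilment".
ALLOWED_FIELDS = {"email", "country", "order_total"}   # everything else is dropped
RETENTION = timedelta(days=365)                         # assumed retention period


class Pseudonymiser:
    """Replaces a direct identifier with an HMAC-SHA256 token.

    The key is the "additional information" that GDPR Art. 4(5) says must be kept
    separately from the records. Without it nobody can link a token to a person;
    with it a known identifier can be re-linked (to find one subject's records for
    an access or erasure request) without ever storing the identifier itself.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fresh random key is generated if none is supplied.
        self._key = key if key is not None else secrets.token_bytes(32)

    def token(self, identifier: str) -> str:
        # Normalise so "Alice@Example.com" and "alice@example.com" map to one token.
        normalised = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()


def minimise(record: Dict) -> Dict:
    """Data minimisation (Art. 5(1)(c)): keep only the fields the purpose needs."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def store(record: Dict, pseudo: Pseudonymiser, collected_at: datetime) -> Dict:
    """Minimise, replace the email with its token, and stamp the collection time."""
    kept = minimise(record)
    kept["subject"] = pseudo.token(kept.pop("email"))
    kept["collected_at"] = collected_at
    return kept


def purge_expired(records: List[Dict], now: datetime) -> List[Dict]:
    """Storage limitation (Art. 5(1)(e)): drop records older than the retention period."""
    return [r for r in records if now - r["collected_at"] <= RETENTION]


def erase_subject(records: List[Dict], pseudo: Pseudonymiser, email: str) -> List[Dict]:
    """Right to erasure: recompute the token with the key and remove matching records."""
    target = pseudo.token(email)
    return [r for r in records if r["subject"] != target]


def demo() -> List[Dict]:
    """Runs the pipeline over constructed sample records and returns what remains."""
    pseudo = Pseudonymiser(key=b"\x01" * 32)  # fixed key only so the demo is repeatable
    now = datetime(2022, 1, 17, tzinfo=timezone.utc)
    stored = [
        store({"email": "Alice@example.com", "phone": "+1-555-0100",
               "country": "DE", "order_total": 42.0}, pseudo, now - timedelta(days=400)),
        store({"email": "alice@example.com", "country": "DE", "order_total": 10.0},
              pseudo, now - timedelta(days=30)),
        store({"email": "bob@example.com", "country": "FR", "order_total": 7.5},
              pseudo, now - timedelta(days=30)),
    ]
    assert "phone" not in stored[0]                        # minimisation dropped the phone
    assert stored[0]["subject"] == stored[1]["subject"]    # same person, same token
    live = purge_expired(stored, now)                      # the 400-day-old record is gone
    return erase_subject(live, pseudo, "alice@example.com")  # only Bob's record remains


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Note that HMAC pseudonymisation is one-way: the key lets you re-link a known email to its token, but not recover emails from tokens, so a subject's access request is served by recomputing their token, not by decrypting anything. If you need to reverse the mapping you would use encryption or a separately stored lookup table instead, and either one then becomes the thing that must be protected and, for erasure, deleted.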

4. Data Protection By Default And Design

Article 25 requires data protection by design and by default: every new product, process or system your organization builds must have data protection built into its design, and its default settings must process only the personal data needed for each specific purpose.

At every step, ask how data is being secured and protected. Keep visibility over your data and its movement, for example through employee monitoring.

5. What Businesses Are Allowed To Process

You may only process personal data if you have a lawful basis for it under Article 6. Settling this early also limits the amount of data you are responsible for and the amount that can be at risk of exposure. The six lawful bases are:

  • The EU data subject gave you specific, unambiguous consent to process the data.
  • The processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into one.
  • The processing is required to comply with a legal obligation you are subject to.
  • The processing is necessary to protect someone’s life (vital interests).
  • The processing is necessary for a task carried out in the public interest or in the exercise of official authority.
  • You have a legitimate interest in processing the data that is not overridden by the data subject’s interests and rights.

Special categories of data (health, biometric, ethnicity, religion, political opinions and so on) are prohibited by default under Article 9 and need one of its additional conditions, such as explicit consent, on top of the Article 6 basis.

Once you have determined the legal basis for processing, document it and tell the data subject what it is, typically in your privacy notice, at the time the data is collected.

6. Consent

Consent is extremely important under GDPR. Consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Clearly distinguished from other matters
  • Presented in clear language
  • Able to be withdrawn
  • Documented

You must also obtain fresh consent if what you intend to do with the data changes from what was originally consented to. For online services offered directly to children, consent is only valid from a child aged 16 or over unless a parent or guardian gives it; member states may lower that age, but not below 13 (Article 8).

7. Data Protection Officers

You may need to appoint a Data Protection Officer (DPO). Under Article 37 you require a DPO if any of the following applies:

  • You are a public authority or body (other than a court acting in its judicial capacity).
  • Your core activities involve regular and systematic monitoring of data subjects on a large scale.
  • Your core activities involve large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10). Example: a medical practice.

You can always appoint one even if you aren’t required to. A DPO can be useful not only for GDPR purposes but also for owning your data monitoring and data protection policy changes.

8. People Privacy Rights

Data controllers and processors need to understand the rights the GDPR gives data subjects (Articles 12-22). Knowing them makes compliance much easier:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision-making and profiling.

Simple Tips Businesses Can Follow for GDPR

The GDPR can get confusing. But the straightforward answer is that your customers are trusting you with their personal information and it’s up to your business to keep it safe.

  • Treat your customer data as if it were your own
  • Don’t collect data you don’t need
  • Make sure you can trust third parties with the data, and put a Data Processing Agreement in place with them
  • Invest in employee monitoring software to detect unauthorized data movement
  • Ensure valid consent is obtained where consent is your legal basis
  • Protect people’s privacy rights
  • Document everything
  • Consider Zero Trust security for protecting sensitive customer data

Reach out to SoftActivity to get started with your data protection software today!

By SoftActivity Team.

January 17th, 2022