How to Comply With the EU’s GDPR in 10 Steps
The European Union’s (EU) General Data Protection Regulation (GDPR) is a single EU-wide consumer data privacy law that strengthens consumer data rights while introducing significant data protection requirements and obligations for individuals and businesses that collect and process personal data.
Since going into effect in 2018, the GDPR has clarified data privacy law requirements and consolidated enforcement powers across EU member states – with severe penalties for noncompliance. Follow the 10-step checklist below to establish and maintain a GDPR compliance program.
[Download the full GDPR compliance checklist as a PDF.]
Who must comply with GDPR?
GDPR compliance requirements apply to companies and businesses that collect or process EU-originating personal data while offering goods or services to the data subject or monitoring their digital behavior – regardless of whether that data processing takes place within the EU.
This means that companies based outside of the EU may be subject to the GDPR when their data processing activities are linked to established business activities within the EU. For example, one single sales agent or employee operating in the EU may trigger GDPR if the processing of EU-originating personal data is in the context of business activities established within the EU.
What data is protected by the GDPR?
The GDPR outlines specific rights and protections for the personal data collected from individuals in the EU. Personal data is any information that can be directly or indirectly linked to an individual. The GDPR specifies additional requirements for sensitive personal data.
What happens if you violate GDPR?
EU member states must appoint a supervisory authority (or authorities) to monitor GDPR compliance within their country. These supervisory bodies can fine noncompliant companies up to 4% of global revenue or €20 million for personal data breaches, whichever is higher.
GDPR program compliance checklist
These steps will help businesses ensure they remain GDPR compliant and avoid hefty penalties.
[Download the full GDPR compliance checklist as a PDF.]
Step 1: Designate a Data Protection Officer (DPO)
If required, designate a DPO with the requisite knowledge, documented responsibilities, and sufficient authority, budget, and access (reporting to the most senior level of management).
Step 2: Establish project team or GDPR working group
Identify stakeholders to execute measures to assist the DPO in assessing, developing, remediating, and maintaining the GDPR program.
Step 3: Deliver awareness and training
Keep employees, management, and as-needed third parties aware of GDPR requirements through periodic notices and training on your GDPR program.
Step 4: Evidence governance and accountability
Review and update privacy/data protection policies, procedures, and management reporting to assure compliance with GDPR.
Document compliance with the GDPR’s seven governing privacy principles.
Step 5: Maintain privacy notices and consents
Review how you seek, record, and manage consents, and update as needed to assure concise, simple, transparent, and timely consents that can be readily accessed and withdrawn.
Review privacy notices to confirm GDPR-compliant content, delivery, and timing, and update as needed.
Step 6: Assess and inventory data processing activities
Regularly inventory data flow sources and conduct periodic data protection impact assessments for data processing likely to be high risk to a data subject.
Implement appropriate technical and organizational measures to show you have considered and integrated data protection into your processing activities.
Step 7: Maintain data breach procedures
Maintain procedures for handling data breaches to ensure they are detected, reported, investigated, and managed, as well as recorded in a timely manner.
Step 8: Comply with data subjects’ rights
Assure your processing controls comply with data subjects’ rights to access, rectify, erasure, object, and data portability and to lodge a complaint, among other rights.
Step 9: Maintain compliant third-party engagements
Screen third parties and maintain engagements documented via contracts that integrate GDPR program requirements.
Step 10: Maintain program
Monitor and audit your GDPR program regularly for compliance and update as needed to reflect changes in regulations, operations, feedback, and review results.
[Download the full GDPR compliance checklist as a PDF.]
Navigate complex GDPR requirements and avoid costly penalties with Bloomberg Law
The far-reaching scope of the GDPR means companies around the world must take action to comply if they wish to do business in EU member states. Watch the on-demand replay of our latest In-House Forum, Global Privacy Dynamics: Navigating Data Laws and AI Challenges, to hear important privacy issues facing in-house legal teams with legislative and regulatory updates and insights for evaluating new technology and consumer data policies.
Stay on top of the dynamic field of GDPR regulations and other major consumer data privacy laws around the world with expert analysis, comprehensive coverage, news, and practice tools from Bloomberg Law.
Request a demo to see it for yourself.