GDPR compliance – what companies need to do

GDPR compliance, including the seven principles of GDPR, and the importance of integrating it into the company framework.

GDPR Compliance

What GDPR compliance requires in practice is different for every company, depending on what personal data it processes and why. Any organisation that is not already compliant with the GDPR must take steps immediately to rectify this, or risk heavy financial penalties.
Seven principles for GDPR compliance

To make GDPR compliance easier to understand, Article 5 of the regulation sets out seven core principles covering how companies must process personal data. These are:

Principle 1: Transparency, fairness and lawfulness

All data processing must have a lawful basis. Information must be collected fairly and used as the individual would reasonably expect. Users must be told clearly, in plain language, how their data is being used and for what purpose.

Principle 2: Limitation of purpose for data processing

The reason the company is processing user data must be specified at the time the data is collected. That purpose must be recorded, and the data must not later be processed for a purpose that is incompatible with it unless a fresh lawful basis (such as the user's consent) is obtained.

Principle 3: Minimising data usage

Companies may only collect data that is adequate, relevant and necessary for the stated processing purpose. Data that is not needed for that purpose must not be collected, processed or used in any way.

Principle 4: Accuracy at all times

Every reasonable step must be taken to make sure that collected data is accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased without delay.

Principle 5: Limitations on storage time

Data must not be kept in a form that identifies individuals for longer than necessary for the company to complete the purpose it was collected for.

Principle 6: Confidentiality and integrity

Companies must put in place appropriate technical and organisational security measures so that personal data is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Principle 7: Accountability

Companies are responsible for the way they process and handle data and must be able to demonstrate their compliance with the GDPR, for example through records of processing, policies and audit trails.

Beyond these principles, the regulation sets out a number of further requirements that tell companies how to comply in practice. Companies should use these to restructure their processes and govern how they communicate with customers.

Privacy by Design (PbD)

This practice refers to building data protection into the design of the business's systems and processes from the outset, rather than adding it afterwards.

Article 25(2) of the GDPR says:

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”

In other words, data collection should be minimised purposefully by the company. PbD has been around as a concept within data protection for a while, but now it is a legal requirement within the European Union.

In order to properly implement PbD, companies must ensure data protection is considered at the design stage of a project and carried through development and delivery, so that the default configuration of every system collects and exposes the least personal data the purpose allows.

Companies must secure consent

Consent is one of the six lawful bases for processing listed in Article 6. Where a company relies on consent as its basis, GDPR demands that it obtains valid consent from users before processing their data.

It must be made clear to users that their consent can be withdrawn at any time. Companies should ensure it’s as simple to withdraw consent as to give it.

Article 4(11) defines consent as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

It’s essential the user understands exactly what they are consenting to through an action they have to take themselves. This could be ticking a checkbox on a website or selecting settings when they sign up to an app.

Consent can’t be presumed or assumed: silence, pre-ticked boxes or inactivity do not count. Therefore, the language companies use to communicate the need for affirmative action from the user must be clear, accessible and easily understandable.
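The following is an added illustration, not code from the original article, of how the Article 25 "by default" requirement and the consent rules above translate into an application's data layer. The purposes, field names, subject identifiers and sample records are all constructed for the example; the split between purposes that rest on consent and those that rest on contract is an assumption. Each declared purpose lists the only fields it may read, writes that carry fields no purpose needs are refused, and a consent ledger lets consent be withdrawn with a single call, after which reads for that purpose return nothing.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed example: each declared processing purpose lists the only fields it may
# read, so "by default" a purpose cannot reach data it does not need (Article 25(2)).
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "postal_address"},
    "newsletter": {"email"},
}

# Purposes whose lawful basis is consent (assumed split; fulfilment rests on contract).
CONSENT_REQUIRED = {"newsletter"}


@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Records affirmative consent per subject and purpose; withdrawal is a single call."""

    def __init__(self) -> None:
        self._records: dict = {}

    def give(self, subject_id: str, purpose: str, affirmative_action: bool,
             now: Optional[datetime] = None) -> None:
        # Consent must come from a clear affirmative act; a pre-ticked box or
        # silence reaches this layer as affirmative_action=False and is rejected.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the data subject")
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"undeclared purpose: {purpose}")
        self._records[(subject_id, purpose)] = ConsentRecord(
            purpose, now or datetime.now(timezone.utc))

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> None:
        # Withdrawing is as easy as giving: no extra steps, the record is simply closed.
        rec = self._records.get((subject_id, purpose))
        if rec is not None and rec.active():
            rec.withdrawn_at = now or datetime.now(timezone.utc)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.active()


class PurposeBoundStore:
    """Personal-data store enforcing minimisation on write and purpose limitation on read."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self._records: dict = {}

    def put(self, subject_id: str, data: dict) -> None:
        # Data minimisation: refuse fields that no declared purpose needs.
        allowed = set().union(*PURPOSE_FIELDS.values())
        extra = set(data) - allowed
        if extra:
            raise ValueError(f"fields not needed by any declared purpose: {sorted(extra)}")
        self._records[subject_id] = dict(data)

    def read(self, subject_id: str, purpose: str) -> Optional[dict]:
        """Return only the fields the purpose needs, or None when required consent is absent."""
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"undeclared purpose: {purpose}")
        if purpose in CONSENT_REQUIRED and not self.ledger.has_consent(subject_id, purpose):
            return None
        rec = self._records.get(subject_id)
        if rec is None:
            return None
        return {k: v for k, v in rec.items() if k in PURPOSE_FIELDS[purpose]}


def demo() -> tuple:
    """Walk one constructed subject through consent given, used and withdrawn."""
    ledger = ConsentLedger()
    store = PurposeBoundStore(ledger)
    store.put("subject-1", {"name": "A. Example", "postal_address": "1 Example Street",
                            "email": "a.example@example.test"})
    before = store.read("subject-1", "newsletter")        # None: no consent yet
    ledger.give("subject-1", "newsletter", affirmative_action=True)
    during = store.read("subject-1", "newsletter")        # {'email': ...} only
    ledger.withdraw("subject-1", "newsletter")
    after = store.read("subject-1", "newsletter")         # None: consent withdrawn
    fulfil = store.read("subject-1", "order_fulfilment")  # name and address, never email
    return before, during, after, fulfil


if __name__ == "__main__":
    print(demo())
```

The point of putting the purpose table in code rather than in a policy document is that the default is enforced: a developer who wants the newsletter job to read postal addresses has to change a declared purpose, which is a reviewable event, rather than just widening a query. Retention (principle 5) would be handled the same way, by recording a storage period per purpose and purging records once every purpose that needs them has expired.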
