GDPR Cheat Sheet (What You Need To Know)

What is the GDPR?

GDPR stands for General Data Protection Regulation. It is a European digital privacy law. It sets out rules regarding personal data, designed to give EU residents more control over their personal data.

It applies to all organisations within the EU, as well as those supplying goods or services to the EU or monitoring EU citizens.

Why is the GDPR important?

TLDR: It protects and gives control to users in the face of a trillion-dollar data selling industry. If you do something wrong, big fine.

Today almost every service we use collects our data. From social media companies to banks, retailers, and governments, every service requires the collection and analysis of personal data.

They collect data that they ask us for (contact details, work-related data...) but also data that we never hand over ourselves.

Before the GDPR, a company could do more or less whatever it wanted with this data. Today this has changed, as the GDPR limits what companies can do with that information.

The reason for them toning it down is the big fines. GDPR fines can go up to €20 million (about $25 million USD) or 4% of the company’s global annual revenue (whichever is greater) and the average fine for an SME is €40,000.

Do you need to comply with the GDPR?

If you're a business with an online component, 95% of the time yes. Here's the TLDR:

Do you process personal data?

Personal data is any data that can be used to identify an individual, directly or indirectly. For example: name, email address, passport number, date of birth...

There's a catch:

It doesn't have to be a single, obvious data point. Take the stormtrooper with a shoulder pad as an example. Say that we know the ID of every stormtrooper and we also know whether or not each one wears a shoulder pad.

We can directly identify the stormtrooper with the shoulder pad! That means that things that are not directly obvious as personal data could be personal data too as they identify people indirectly.

Stormtrooper Id -> identifies them directly

Do they have a shoulder pad -> doesn't identify them directly

If we have a group in which only 1 stormtrooper has a shoulder pad:

Do they have a shoulder pad -> identifies them directly
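The shoulder-pad point generalises: an attribute that identifies nobody on its own can single someone out once you look at how many people in the data set share each value, or each combination of values. The following added example (my own code, not part of the original cheat sheet) works this out for a constructed squad of stormtroopers; the record fields, IDs and the `singled_out` helper are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample records: a squad in which only TK-421 wears a shoulder pad.
SQUAD = [
    {"id": "TK-421", "shoulder_pad": True, "rank": "trooper"},
    {"id": "TK-422", "shoulder_pad": False, "rank": "trooper"},
    {"id": "TK-423", "shoulder_pad": False, "rank": "trooper"},
    {"id": "TK-424", "shoulder_pad": False, "rank": "sergeant"},
]

# A second constructed squad in which two troopers wear a pad, so the pad
# alone no longer points at one person.
SQUAD_TWO_PADS = SQUAD + [{"id": "TK-425", "shoulder_pad": True, "rank": "sergeant"}]


def group_sizes(records, attributes):
    """How many records share each combination of values for `attributes`."""
    return Counter(tuple(r[a] for a in attributes) for r in records)


def singled_out(records, attributes, k=1):
    """IDs of records whose value combination is shared by at most k records.

    With k=1 the combination points at exactly one person, i.e. in this data
    set it works as an indirect identifier even though it is not an ID.
    """
    sizes = group_sizes(records, attributes)
    return sorted(r["id"] for r in records
                  if sizes[tuple(r[a] for a in attributes)] <= k)


def smallest_group(records, attributes):
    """Size of the smallest value-combination group (a k-anonymity figure)."""
    return min(group_sizes(records, attributes).values())


if __name__ == "__main__":
    for attrs in (["shoulder_pad"], ["rank"], ["shoulder_pad", "rank"]):
        print(attrs, "singles out:", singled_out(SQUAD, attrs))
        print(attrs, "singles out:", singled_out(SQUAD_TWO_PADS, attrs))
```

Note what happens in the second squad: neither the pad nor the rank identifies anyone by itself, but the pair does. This is why the data-category mapping later on this page has to consider the fields you hold together, not one column at a time.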

Do you offer services in the EU?

1. Your company is based in the EU and processes the personal information of EU citizens and residents.

2. Your company is not based in the EU but offers products or services to EU citizens or residents, or monitors their behaviour.

What does it mean to "offer products or services"?

Some interpretations state that having a website in the language of one of the member states (English, Spanish, French) is enough for you to qualify as offering products or services.

GDPR Compliance Checklist

The best practices, or the minimum set of steps to ensure compliance with the GDPR, can be summarised as the following steps:

Step 1 - List all the data categories you use

The categories can be summarised as follows:

  • Contact Details (email address, address, phone number, name)
  • Financial Data (credit card number, bank account number...)
  • Household and Relationships Data (emergency contact, marital status...)
  • Identifiers and Legal Documents (Public Health Number, Passport Number, Proof of Residence)
  • Activity and Behavioural (Follower list, Friend Requests...)
  • Personal Characteristics (Sex, Nationality...)
  • Location Data (GPS Location, tracking data...)
  • Communications Data (Instant messaging, social media posts about an individual)
  • Images and Recordings (CCTV Footage, images, videos...)
  • Views and Opinions (Survey responses, testimonials...)
  • Work-related Data (details of grievance, disciplinary proceedings...)
  • Technical Identifiers (IP addresses, MAC addresses...)
  • Criminal Records

Step 2 - List all the Sensitive Personal Data Categories that you use

Here's a list of sensitive personal data categories also called special category data:

  • Racial or Ethnic Origin
  • Medical Data
  • Sexual Orientation Data
  • Biometrics Data
  • Genetic Data
  • Political Opinions
  • Religious or Philosophical Beliefs
  • Trade Union Membership
  • Sex Life Data

Step 3 - List all the categories of individuals (or data subjects) that you process data from

Examples include:

  • Website Visitors
  • Customers
  • Staff
  • Temporary Staff
  • Patients
  • Children (under the age of 16)
  • Children (under the age of 13)

Step 4 - Write out all the purposes for which you use data

Consider all of the activities within your organization and take into account the parties involved. This will guide you across all scenarios relevant to this data security exercise. Examples include:

  • Processing Payroll
  • Offering your goods and services
  • Customer Support
  • B2B Email Marketing

Step 5 - Put all the above steps together

For every purpose for which you process data, select whose data you are processing (the individual) and which data you are processing (the personal data categories and sensitive personal data categories).

Repeat for every single purpose for every individual for every category of personal data.

Step 6 - Choose a legal justification (sometimes called legal basis)

For every purpose, individual, category combination you must choose the right legal basis so that you are processing data in a legal way.
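Steps 1 to 6 together describe a table: one row per purpose, individual and data category, with a legal basis attached to each row. The following added example (my own code, not the cheat sheet's or Privasee's) builds that table for the payroll purpose from Step 4 and flags rows that are not finished. The six lawful bases are those of GDPR Article 6(1); the short labels, the `ProcessingRow` structure, the `audit` helper and the sample rows are my own assumptions for the illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# The six lawful bases of GDPR Article 6(1); the short labels are my own.
LEGAL_BASES = {"consent", "contract", "legal_obligation",
               "vital_interests", "public_task", "legitimate_interests"}

# Special category data as listed in Step 2 above (labels are my own).
SPECIAL_CATEGORIES = {"racial_or_ethnic_origin", "medical", "sexual_orientation",
                      "biometric", "genetic", "political_opinions",
                      "religious_or_philosophical_beliefs",
                      "trade_union_membership", "sex_life"}


@dataclass(frozen=True)
class ProcessingRow:
    purpose: str                       # Step 4
    subject: str                       # Step 3
    category: str                      # Step 1 or Step 2
    legal_basis: Optional[str] = None  # Step 6


def build_rows(purpose, subjects, categories, bases):
    """Step 5: one row per purpose x subject x category combination.

    `bases` maps (subject, category) to the basis chosen for it in Step 6;
    combinations without an entry are left open so the audit can catch them.
    """
    return [ProcessingRow(purpose, s, c, bases.get((s, c)))
            for s, c in product(subjects, categories)]


def audit(rows):
    """Return (row, finding) pairs for rows that still need attention."""
    findings = []
    for row in rows:
        if row.legal_basis is None:
            findings.append((row, "no legal basis chosen"))
        elif row.legal_basis not in LEGAL_BASES:
            findings.append((row, f"unknown legal basis {row.legal_basis!r}"))
        if row.category in SPECIAL_CATEGORIES:
            findings.append((row, "special category data: record the Article 9 condition relied on"))
    return findings


# Constructed example: payroll for permanent and temporary staff, where the
# trade-union deduction data has not yet been given a legal basis.
PAYROLL = build_rows(
    "Processing Payroll",
    subjects=["Staff", "Temporary Staff"],
    categories=["financial", "trade_union_membership"],
    bases={("Staff", "financial"): "legal_obligation",
           ("Temporary Staff", "financial"): "contract"},
)

if __name__ == "__main__":
    for row, finding in audit(PAYROLL):
        print(f"{row.purpose} / {row.subject} / {row.category}: {finding}")
```

Run `audit` over every purpose in your map and treat an empty result as the condition for moving on to the privacy policy in Step 7; the Step 9 quarterly review is then a matter of re-running it after the rows have been updated.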

Step 7 - Create a Privacy Policy

Your Privacy Policy should include the name of your company, explain what information the company collects and why (you mapped this in the previous steps), and set out the rights that users have. This privacy policy document should be easy to read and easy for users to find.

Step 8 - Make the Privacy Policy publicly available

Users must be able to read it before any data is collected from them.

Step 9 - Review these steps every quarter

GDPR compliance is an ongoing process. As your company grows it can change a lot from one quarter to the next, and naturally so does your data.

Breach Notification

GDPR Breach Notification requirements have become increasingly important for businesses of all sizes. If a business fails to adhere to the notification regulations laid out in the GDPR, then a hefty fine can be applied.

Thankfully, with the right resources and education, businesses can properly prepare themselves to protect sensitive information safely. It's important to ensure that all employees are regularly trained on best practices.

Employers should also stay up-to-date on any changes or updates to breach notification laws so that their business is knowledgeable and compliant with current regulations. With the right preparation and dedication, any business can ensure they meet the expectations of GDPR Breach Notification regulation while preventing disaster down the road.

Pseudonymisation And GDPR

Pseudonymisation is a powerful tool when it comes to GDPR compliance. It works by replacing or obscuring personally identifiable information with a pseudonym, so that individuals can still be told apart within a data set while their privacy is protected. This process helps reduce the risk of security breaches and helps keep data sets secure and compliant with the GDPR. It is an effective way to meet GDPR requirements for certain types of legally mandated data protection measures, such as consent and notification. In addition, data collected through pseudonymisation can often be summarised accurately without sacrificing the privacy of the individuals within the data set. All in all, pseudonymisation is an important element of any comprehensive GDPR strategy and should be considered for its potential benefits.
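To make the replacement concrete, here is an added example of my own (not code from the cheat sheet or from Privasee) that pseudonymises a constructed customer list. It uses a keyed hash (HMAC-SHA256) rather than a plain hash, because a plain hash of an email address can be reversed by anyone who hashes guessed addresses, whereas the keyed version requires the key. The key value, the record fields and the helper names are assumptions for the illustration; the lookup table it returns is the "additional information" that has to be kept apart from the pseudonymised data.

```python
import hashlib
import hmac
import secrets

# Constructed key for the demo. In practice the key lives in a KMS or HSM,
# is held separately from the pseudonymised data set, and is never shipped
# with it; whoever holds only the data set cannot re-identify anyone.
DEMO_KEY = bytes.fromhex("3f" * 32)

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for one identifier (HMAC-SHA256, truncated to 80 bits).

    Normalising first keeps 'Alice@Example.com' and 'alice@example.com' on
    the same token, so records for one person stay linkable.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:20]


def pseudonymise(records, key):
    """Replace the direct identifiers with a token.

    Returns the pseudonymised data set and a separate lookup table that maps
    each token back to the identifiers it replaced.
    """
    lookup, out = {}, []
    for r in records:
        token = pseudonym(r["email"], key)
        lookup[token] = {f: r[f] for f in DIRECT_IDENTIFIERS}
        out.append({"subject": token,
                    **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(token, lookup):
    """Only the holder of the lookup table can go back to the person."""
    return lookup.get(token)


def new_key() -> bytes:
    """Fresh 256-bit key; rotate per data set if tokens must not be linkable across sets."""
    return secrets.token_bytes(32)


# Constructed sample input; the third row is the first customer again with
# different capitalisation of the address.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "plan": "pro", "country": "IE"},
    {"name": "Bob Example", "email": "Bob@Example.com", "plan": "essential", "country": "ES"},
    {"name": "Alice Example", "email": "ALICE@example.com", "plan": "pro", "country": "IE"},
]

if __name__ == "__main__":
    data, table = pseudonymise(CUSTOMERS, DEMO_KEY)
    for row in data:
        print(row)
    print("re-identified:", reidentify(data[1]["subject"], table))
```

Two caveats a practitioner should keep in mind. First, pseudonymised data is still personal data under the GDPR as long as the lookup table (or the key) exists somewhere, so it lowers risk rather than removing the obligations. Second, the fields that remain (`plan`, `country` here) can still single a person out in a small data set, exactly as the shoulder pad does earlier on this page, so check the remaining columns before treating the output as low-risk.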

Conclusion

If you think that you may not have all the knowledge or time necessary to go through the steps above, you can always try our solution by going to https://app.privasee.io. Most of our users complete all the steps, and even get a cookie policy and a GDPR Essentials Certificate, in less than an hour with our GDPR Compliance Software.

This compliance checklist is not exhaustive and you should take the necessary steps to ensure there are no consequences for your own data subjects. As an example, we recommend you have other security measures in place, such as appointing a specific Data Controller, to avoid penalties.

Disclaimer

This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.

February 15, 2022

Frequently asked questions

Do I need to connect all my tools and third parties?

We never have access to any of your data; our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools. There's no need for your dev team to do anything and there are no security risks: just tell us the tools you use and we will do the rest.

What is the scope of my privacy policy?

Our policies are not just about your website or service. Once set up, our platform will help you map out internal and external processes, such as HR, finance, and more!

Do I need to replace my current policy for the privacy portal?

We recommend replacing your current policy with our policy, this way you’ll remain compliant as your business changes and as the laws update.

Do I need help filling out my details?

Setting up is easy, just follow the on-screen commands and go through a few short steps to add your tools. You don't need any technical ability, anything you don't know the answer to you can ask us via our live chat or add later.

Why can’t I just use a template and add it to my website myself?

A template will not be applicable to your particular business as there are many things to consider for each tool you use. Also the template will not automatically update when changes happen in your business and when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.

What if you don’t have the tools and third parties that I have?

We have a huge selection of tools pre-loaded and anything you don't see you can add directly from the platform as well as mapping data for any custom software you may use.

Which plan should I choose?

Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.

Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.

Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.

Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.

Feel free to get in touch to discuss our GDPR Compliance Software solution.

How easy is it to set up?

Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools - don't worry if you don't know them all, you can come back and add tools at any point. The platform will then generate the correct privacy policy based on your information, and you can then share it directly on your site. That's it!

What size companies is Privasee aimed at?

Privasee has a plan for smaller companies as well as larger enterprise companies. Small to medium companies can sign up directly. Bigger enterprise companies should get in touch with their requirements and our team will build a bespoke plan.

I already have a privacy policy, do I need Privasee?

You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.

Still have questions?

We are here to help