The world of data is evolving at a rapid pace, as is the market for data. These days, data is treated as a commodity, because it has become invaluable to marketing strategy in nearly every context. Given the way things have developed, legislative bodies around the world have responded with new laws and regulations designed to protect people whose data is being acquired, stored, bought and sold. On January 1, 2020, the California Consumer Protection Act came into effect, placing requirements on companies that deal with the personal information of California residents and households.
This was not the first recently enacted law or regulation that affects California businesses. On May 25, 2018, the General Data Protection Regulation, also known as the GDPR, took effect. It was passed by the European Union, and it serves to protect the interests of European Union citizens.
While this is a separate law enacted by a different legislature, GDPR compliance in California is something that businesses that fall under the jurisdiction of the GDPR need to achieve. Below you’ll find a GDPR compliance checklist that may help you take positive steps forward:
1. Does the GDPR Apply to Your Business?
The first step towards achieving GDPR compliance in California is determining whether or not it even applies to your business. Given the relatively broad language of the GDPR, it’s safe to assume that businesses in California that offer goods and/or services to residents of the EU – even if they are free of charge – will need to meet GDPR compliance requirements. The GDPR can apply even if a business merely “monitors” the behavior of EU citizens. If your company deals in data and some of your data or online traffic comes from the European Union, you should become familiar with the GDPR if you haven’t done so already.
2. Perform an Analysis of Your Data
Not all data is the same with regard to the GDPR. Assuming the law applies to your business, your next step should be to complete a thorough analysis of the personal data you hold, covering the following:
- A list of your processing activities
- The purposes for processing this personal data
- The type of data you process
- An internal list of who has access to this data
- A list of any third parties who have access to this data
- Steps you take to protect this data
- Any protocols in place for deleting this data
The question “What is GDPR compliance?” is most often answered by the information these lists produce.
3. Complete a Personnel Review
If your company handles any personal data of European Union citizens, do you have someone in place whose job is to manage and monitor how that data is handled? If your company has more than 15 employees, you may need to hire or name a Data Protection Officer in order to meet GDPR compliance requirements. This person would also handle any reporting duties and any other steps that future events may require.
4. Put Tracking Systems in Place
If you haven’t done so already, you should put tracking systems in place that document and record what you do with the data you receive. This should include:
- Who handles data and when
- Where data is stored
- How data is protected
- Who accessed the data and when
- Who sent what to third parties and why
- If/when data is purged and how
If a question or inquiry relating to GDPR compliance requirements ever arises, having this tracking in place could save you a lot of time, money and stress.
5. Invest in Security for Your Data
The bottom line with regard to GDPR compliance in California, or anywhere else for that matter, is that it requires businesses that fall under its jurisdiction to take steps to protect personal data. The GDPR therefore governs not only businesses that voluntarily transfer data; a business can also be found in violation if its data is breached and it has not taken adequate protective steps. Investing in security is worthwhile because it helps show that you intended to comply with the GDPR.
6. Prepare Steps for Obtaining Permission
One of the central GDPR compliance requirements is that businesses must obtain permission from people before collecting and using their personal data. This permission must be sought in a clear manner so that the individual whose data is in question gives his or her permission with an understanding of what’s happening.
7. Prepare Steps for Responses to Consumers
Another vital component of any GDPR compliance checklist is the set of responses your business has prepared for when people make requests regarding their data, which they are entitled to do. Generally, the GDPR grants several “rights” to EU citizens in regards to their data. These include:
- The right to access their personal data file
- The right to be informed that personal data is being collected and why
- The right to correct incorrect or incomplete data
- The right to have their data erased
- The right to have their data transmitted in usable form
There are other rights that could arise in certain circumstances, but your business needs to have steps in place to respond to these requests in a timely, compliant and trackable manner.
8. Prepare Your Data Breach Reporting Protocol
As mentioned above, GDPR compliance requirements are in place not only to govern how businesses voluntarily handle personal data but also to dictate what needs to happen when that data is breached. This can happen to almost anyone at almost any time. According to a recent article published by CPO Magazine, over 160,000 data breaches that required reporting occurred during the first 18 months of the GDPR. What that means is that you need to prepare for a possible data breach so that you can report it properly. In this situation, the GDPR requires:
- Reporting the data breach to the appropriate authority within 72 hours
- Describing the nature of the personal data breach
- Providing contact information for the person in charge of your company’s data
- Describing the possible consequences of the data breach
- Reporting the steps that are being taken to mitigate the damage done
When a data breach occurs, a company needs to issue its full report within a short amount of time. Given all that’s happening when a situation arises, it may be a good idea to have protocols in place ahead of time.
9. Update Your Privacy Policy
GDPR compliance requirements also include the need for companies that fall under its jurisdiction to have a proper privacy policy in place. The regulation is very specific in terms of the information that needs to be included in these privacy policies. A few examples include:
- Contact information for the person overseeing the data collection at the company
- The purpose and legal basis for the company’s processing of this personal data
- The legitimate interests of the organization collecting the data
- Any recipients of this personal data
- Safeguards in place for any international transfer of data
- How long the data will be stored
- The rights individuals have regarding their data
- The option for the individual to withdraw consent for use of their data
- The consumer’s options for filing a complaint with the proper authority
- The existence of an automated decision-making system, if one is in place
There are other requirements that can come into play if a company is providing personal data to third parties, but the point is that a lot of effort must go into crafting a compliant privacy policy under the GDPR.
10. Work with a GDPR Compliance Lawyer
While GDPR compliance in California does not require the help of an attorney, those who find themselves wondering how it applies to their operation would be wise to seek this type of legal advice. These laws can and often do change, as do the norms and standards around them as more cases are filed.
If you’re still unsure about what actions your business needs to take after auditing for GDPR compliance requirements, it’s best to seek the advice of a GDPR compliance lawyer. Contact Kam Law Firm today to schedule a complimentary consultation so you can work with an attorney who can help you achieve and maintain compliance.