If you are collecting, storing, and handling any personal data related to an EU resident, you will have to comply with the General Data Protection Regulation. Fortunately, there are several steps that you can take which will help you comply. These steps need to be completed as soon as possible because GDPR has already come into effect.
The first step in GDPR compliance is to assess all of your data sources. You will need to investigate and audit each source regardless of the technology used to hold it. When assessing a source, consider what data is stored there and how that data is used across your data landscape.
To comply with GDPR, you will have to determine whether the data you collect is classified as personal data. Under the regulation, personal data is any information that can be used to directly or indirectly identify a person. This includes data traditionally considered personal, such as name, address, and birth date, but it also covers information such as IP addresses, tracking cookies, and location data.
Once you have assessed your data sources and the type of data you are collecting, you need to look at the given consent. GDPR has been created to provide EU residents with more control over their personal data, including how it is collected, how it is stored, and its use. To enable this control, GDPR has guidelines regarding the way that consent will need to be given.
Consent must be voluntary, informed, and given through a positive opt-in. This means you will need to identify how you are obtaining consent from the people whose data you collect. If you rely on pre-ticked boxes or treat inaction as consent, you will not be complying with the regulation. Likewise, if consent is bundled into your general terms of service, you will not be compliant.
Make The Changes
Once you have identified how you obtain consent, you will have to make the necessary changes. These changes cover both how people give their consent and how they withdraw it. GDPR requires that individuals be able to withdraw their consent easily, and when they do, you will have to delete their data.
You should also revise your disclosures so that they are easy to understand. Hiding your terms in legal jargon is non-compliant, and you could face heavy fines. If your business handles large amounts of data, or sensitive data such as medical information or ethnicity, you will have to appoint a data protection officer.
Another step in GDPR compliance is to keep records of the data you hold, why you have it, and how long it will be kept. You also need a procedure in place for notifying the relevant authority and the affected individuals in the event of a data breach. Without this documentation, you will not be complying with the regulation.