TMCnet Feature
March 12, 2021

GDPR Compliance



Overview

GDPR (General Data Protection Regulation) is a sweeping privacy law that has been in force since May 25th, 2018. Its main aim is to ensure that EU citizens’ data is protected at all times, whether or not the company processing that data is located within the borders of the EU. This makes GDPR a law that affects most of the world in some way.



GDPR pairs the obligation to take proper care of customers’ data with substantial fines for failing to protect it. At the same time, customers gain easier control over their data and a clearer understanding of processes such as data collection and data processing. While implementing GDPR within a single company might seem like a hassle, it is worth it in the end, since you are effectively telling your customers that their data is safe no matter the situation.

GDPR compliance

Compliance with GDPR means meeting all of its rules and regulations. The ability to demonstrate the policies and rules that enforce GDPR-related regulations within your company is also part of the definition of GDPR compliance.

Additionally, some of the GDPR’s regulations are deliberately vague, which gives the European Union greater latitude in setting penalties for non-compliance. One popular example of such vagueness is the requirement that a company maintain a “reasonable” level of protection for the data it processes, with no explanation of what “reasonable” means in the first place.

On the other hand, this approach lets the regulations themselves remain flexible rather than rigid. For example, the same “reasonable” level of protection more often than not implies that the amount of protection applied to a specific data type depends on the importance of that data.

Tips for GDPR compliance

GDPR compliance includes a lot of different elements and regulations, but it is possible to discern several main points that should be followed to ensure that you’re GDPR-compliant:

  • Privacy by design. A specific set of rules and security protocols should be embedded into your system from the outset; failing to make privacy requirements a part of your system is treated as non-compliance and is penalized with fines.
  • Consent. It must be both easily given and freely withdrawn if necessary, meaning that you are not allowed to confuse customers with complex terms and conditions.
  • Breach notification. 72 hours is your limit: you have 72 hours to notify all of the affected parties about the breach (this includes both customers and data controllers, if you have them). Failing to notify the necessary parties in time is treated as non-compliance and leads to fines.
  • DPO (Data Protection Officer). A data protection officer is required in specific cases under GDPR, for example if your company is big enough or if it handles highly sensitive data.
  • Access to data. You must give customers the ability to obtain a free, detailed copy of the data of theirs that you are processing, including the means or methods used to process that information.
  • Data reuse. Sensibly, customers should hold the rights to their own data, meaning that they should be able to obtain their data from you in some way and then use it outside of your company, in different environments.
  • Option to delete data. Customers should be able to request that their data be deleted as soon as the original purpose for that data has been fulfilled, and you must comply with their demands.

That being said, implementing GDPR outside of the EU comes with some differences and difficulties. For example, some form of privacy law already existed in those countries when GDPR appeared, and the interaction between these laws is sometimes confusing.

GDPR compliance and Australian privacy laws

Australian privacy law, for example, exists in two parts – the Australian Privacy Principles and the Privacy Act 1988. Both deal with the correct way to handle “personal information”, and their approach is very similar to GDPR, though not identical. Since the scope of GDPR has proven to be incredibly broad, some companies will be subject to at least two sets of privacy laws at once: their local ones (Australian, in our case) and the GDPR.
