2 January 2020

What should a company do to be privacy compliant?

The General Data Protection Regulation (GDPR) creates requirements for how companies handle people’s data.

The following is a (non-exhaustive) checklist of key requirements companies must meet in order to be privacy compliant under the GDPR.

Conduct a Data Protection Impact Assessment (DPIA)

Companies that have at least 250 employees, or conduct high-risk data processing, are required to keep a substantive record of their processing activities and be prepared to show that record to regulators upon request (Article 30). The best way to demonstrate GDPR compliance is by using a data protection impact assessment (DPIA). In addition, the processing of particular data types will always require a data protection impact assessment prior to the processing being performed (see Article 35).

Provide a legal justification for data processing

Under the GDPR, the processing of data cannot be carried out unless it is done for the purpose of one of the six categories listed in Article 6. There are other provisions concerning children and special categories of personal data in Articles 7-11.

If the category that is being relied on is that the data subject gave their consent, be aware that consent should be given as a clear affirmative act. This could include ticking a box when visiting a website or other conduct which indicates consent. Silence, pre-ticked boxes or inactivity will not constitute consent (Recital 32). Also be aware that the subject of the data has the right to withdraw their consent at any time (Article 7).

Have a clear privacy policy

Companies need to tell people that they are collecting their data and why (Article 12). Companies should explain transparently, using clear and plain language, how the data is processed, who has access to it, and how they’re keeping the data safe. This information should be included in a privacy policy.

Always take data protection into account

Processing personal data must always be done in line with the overarching principles outlined in Article 5. These require that data be processed lawfully, fairly and transparently; collected for specified, explicit purposes; kept accurate; and processed in a way that ensures appropriate security.

Any time that anything is done with people’s data, companies must implement ‘appropriate technical and organisational measures’ to protect it (Article 25/Recital 78). Technical measures include encryption, and organisational measures are things like limiting the amount of personal data that is collected or deleting data that is no longer needed.

Notify the supervisory authority when there is a breach

If there is a data breach and personal data is exposed, companies are required to notify the supervisory authority in their jurisdiction within 72 hours (Article 33 GDPR).

Appoint a Data Protection Officer (if necessary)

There are certain circumstances where companies must appoint a Data Protection Officer (DPO) (Article 38). This applies where:

  • You are a public authority or body (except for courts acting in their judicial capacity); or
  • Your core activities require regular and systematic monitoring of individuals on a large scale (for example, online behaviour tracking); or
  • Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

The DPO should be an expert on data protection whose job is to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators.

People’s rights to access and object to certain data

People have the right to see what personal data companies hold about them and the purpose for which it is processed (Article 15). They also have a right to know how long companies plan to store their information and the reason for keeping it that length of time. Companies have to send the first copy of this information for free but can charge a reasonable fee for subsequent copies. Companies should take all reasonable measures to identify the person requesting the information (Recital 64).

People have the right to have their data transmitted, in a readily accessible format, to a third party (Article 20). People generally also have rights that allow them to request the deletion of data the company holds about them, although there are certain grounds on which companies may deny these requests. For more information on these grounds, see Article 17.

If a company is processing an individual’s data for the purposes of direct marketing, it must stop processing it for that purpose immediately if the individual objects (Article 21).