GDPR compliance guide for online businesses outside of the European Union (Part 5 of 5)
A simple approach to make the most of your GDPR compliance tasks and improve your business in the process.
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that applies to all organizations within the EU as well as those that offer goods and services to or monitor the behavior of EU residents. We conclude our five-part series with this article covering how you can make the best of your GDPR compliance checklists to improve your online business. If any questions remain, you can write to me or schedule time to discuss your specific situation in more detail.
This article is Part 5 of 5 in our series to provide a comprehensive guide for online businesses outside of the European Union to comply with the GDPR.
In this final part of our series, we will go through a simple approach to check the boxes on your GDPR tasks while using this compliance exercise as an opportunity to evaluate your data processes and where they fit within your business.
There are reasons why companies incorporate where they do, choose one type of legal entity over another, and obtain various licenses and certifications. You may overlook these fundamental decisions because, at the time, you considered them table stakes for getting started. It's no different when it comes to GDPR and other privacy regulations.
Data protection is now table stakes, especially for online businesses, because all of your business processes are essentially data processes. Advances in technology have made it easier to collect and process personal data. The fact that most processing now happens behind the scenes may mislead you into thinking you're not responsible for what is done with this data. Whether it's your CRM, mailing list, or a custom application, you are responsible for how individuals' data are handled by your processors, and you should plan these processes accordingly to serve your business needs with as little compliance overhead as possible.
In the next three sections, we will go through the steps you should take, starting with the simplest, most explicit, and customer-facing of your obligations and working up to the more complex tasks, which will demand more time and effort from you.
Appoint your EU representative
For online businesses outside of the EU that are required to appoint an EU representative per the GDPR, securing your representative should be one of the first steps in your compliance plan. Why? It's a very explicit requirement, and it's very easy for regulators and customers to detect whether or not you're compliant.
Additional details of this requirement are covered in part two of this series, and we offer an instant solution to appoint your EU representative to get you started.
For these reasons, we used the guidance provided by regulators in the EU to create a template that is specific to businesses outside of the EU, which you can freely use to adapt to your business.
Implement data protection principles
Article 30 of the GDPR requires you to document your processing activities and share a copy of this document with your EU representative. We covered the details of this requirement, along with templates you can use to satisfy it, in part three of this series.
The benefit of going through an exercise to document your records of processing activities (ROPA) is that you will end up evaluating each process and processor that handles your customers' personal data. After creating your ROPA based on our previous article, you will know what you need to do to address any gaps in your compliance with the GDPR. In some instances, resolving a discrepancy may require you to change a particular tool or process so you can demonstrate compliance when requested. The ROPA is a document that must be made available to regulators upon request, and it's prudent to close any gaps you have before that time comes.
Once complete, you should also establish a practice of updating your ROPA every time you add a new data process. Getting a process right the first time will save you time, and you will have the added benefit of an up-to-date ROPA at all times. If a processing activity is going to be challenging for your GDPR compliance, you will be able to avoid establishing that process before you become too reliant on it. At this point, you should also update the copy of the ROPA that is shared with your EU representative.
Your compliance with the GDPR doesn't have to be complicated. There are a lot of steps to take into account, and undoubtedly, it's particularly burdensome for smaller businesses to dedicate the time needed to achieve compliance. With the top-down approach outlined in this article, you can take the necessary steps and stay on top of your processing activities as your business evolves.
While I've written this article to be as helpful as possible, it cannot and does not contain legal advice. The legal information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any actions based upon such information, I encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. The use of or reliance on any information contained on this site is solely at your own risk.
If you require legal assistance, I am happy to refer you to an attorney specializing in privacy laws and regulations. You can write to me or schedule time to discuss your specific situation in more detail.