So, what is GDPR compliance anyway? What does it actually mean? Is it achievable? When can you say you are GDPR compliant and how do you prove it?
(Note: If you are in South Africa, this article applies equally to POPI or POPIA compliance, that is, to being POPIA compliant. It also applies to virtually any other country that has a data protection law similar to the GDPR.)
What is GDPR compliance?
For us, GDPR compliance means that your organisation:
- complies with its clear and actionable regulatory obligations under the GDPR, and
- does what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly to its current activities.
Let us unpack what it means to be GDPR compliant in more detail because there is an important distinction between:
- obligations or rules (that you either do or don’t comply with), and
- principles (that dictate that your particular circumstance needs to be taken into account in determining compliance).
The GDPR is both rules-based and principles-based legislation
Meeting your regulatory obligations
As the controller, joint controller or processor you have certain obligations under the GDPR that you need to meet to achieve GDPR compliance. You could call these rules that you must follow and, in this context, the GDPR is rules-based legislation. For example, some controllers and processors must designate a data protection officer, publish their contact details and communicate them to supervisory authorities (article 37 of the GDPR). Your obligations are not always easy to find and identify because they are in different parts of the GDPR. It is however usually possible to go through your obligations under the GDPR and mark them off as done, to do or doing.
Your regulatory obligations might not only be in the GDPR. They might also be in other country-specific laws, other sector laws or codes of conduct. Or there might be specific business requirements that dictate steps you should take to protect data subjects. For instance, controllers may contract with processors to apply, at a minimum, certain security safeguards.
Let us look at an analogy that we are all familiar with: driving on a road. In most countries, there are laws that set the rules for driving motor vehicles on roads. On this stretch of road, you may only travel up to 120 km/h. This is an obligation or rule and is quite easy to comply with. You may lawfully drive at 120 km/h, and you exceed the speed limit if you drive at 121 km/h. It is easy to tell whether you are compliant or not. Compliance can be measured, analysed, audited and remedied. The consequence of breaking the rule is clear: a fine of a certain amount. Drivers, police officers and courts know where they stand. There is a line and everyone knows when it has been crossed.
Complying with your regulatory obligations under the GDPR to become GDPR compliant is very similar. In this context, a GDPR compliance checklist works and can be useful for complying with your obligations.
Sometimes, however, it is not so easy. Some obligations are vague, and it is difficult to know exactly what the law obliges you to do. Some obligations are open to interpretation; they are more like principles than rules. For example:
- A law may say that you may only send direct marketing by email to a person if you obtained their details in the context of a sale of a product or a service. Can an estate agent then email someone to try to sell them a house after that person has been to look at another house on one of the agent's show days? What do we do in these circumstances?
- When the GDPR says “the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed” what is it exactly that a controller is obliged to do?
In these circumstances, a person should do what a reasonable person would do in the circumstances. Guidance on what is reasonable can sometimes be found in the control measures recommended in generally accepted information security standards (and other standards). But these remain guidelines, because it is impossible to legislate for all the circumstances that may occur in the indeterminately wide field of processing information. Sometimes a court needs to set a precedent, or an authority needs to issue a guidance note, to clarify the situation. You should treat these kinds of obligations like principles.
Applying the data protection principles
The GDPR sets out the principles for the lawful processing of personal data and is, in this context, principles-based legislation. For example, the GDPR says "personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject". Fairness is a very vague concept. The GDPR gives controllers the principles that they must apply to their activities to determine what they can and cannot do with personal data. Whilst the processor must also comply with the principles, it is the controller who is accountable and responsible for doing so. Controllers must apply the principles now and into the future, to their existing and future activities. Controllers need to translate the principles into the specific actions their own organisation must take.
You cannot run a project to apply the principles to your current activities and then say we are done, we are GDPR compliant. "Compliance" is a continuous and ongoing activity, not a project. The implementation may be a project, but continued compliance with the rules and principles is an everyday business requirement. You can always be better at applying the principles, and it is very hard ever to say that you apply all the principles to all your activities all the time. You have to take various actions (like putting controls in place and creating a culture and a governance structure) to enable your organisation to apply the principles going forward. A GDPR compliance checklist can help with these enabling actions.
Let us look at our driving on a road analogy again. In some countries, there are laws that set the principles for driving motor vehicles on roads. On a particular stretch of road, you are allowed to travel as fast as you like. In deciding what speed to travel at, you must consider your own and other road users' safety (what is reasonable and appropriate), the state of your vehicle, the condition of the road, the weather and the surrounding circumstances.
This is a principle and is much harder to comply with. You, as the driver, must decide how fast to drive. Is it 80 or 120 km/h? It is hard to tell whether you are compliant or not. Compliance cannot always be measured, analysed, audited and remedied solely by reference to your speed. This is not dissimilar to the rules that govern reckless driving. It may be perfectly safe to drive at 120 km/h past a school in the evening when there are no school children around, but it may be reckless at the time school breaks up for the day and children are leaving the school and crossing the road you are travelling on. Activities can be mapped, you can apply the principles and make adjustments, but there is not always time to do this. The consequence of breaking the principle is also less clear. Drivers, police officers and courts often do not know where they stand. There is no clear line, and not everyone knows when it has been crossed.
Applying the principles under the GDPR is very similar. A GDPR compliance checklist does not really work and is not so useful for applying the principles.
Having the correct organisational structure is key
What GDPR compliance is not
GDPR compliance does not mean that you always protect data. It does not mean that you will never have a breach. In this regard, data protection is like personal fitness: being fit does not guarantee that you will never fall ill.
Being GDPR compliant does not mean that you apply all the principles to all your activities all the time. You will sometimes apply the principles incorrectly and therefore process personal data unlawfully. If this happens, you are still GDPR compliant provided you take steps to remedy your application of the principles. Under POPIA, for instance, a fine generally follows only from failing to comply with an enforcement notice from the authority to change the way you apply the principles, not from applying them incorrectly in the first place. Under the GDPR, a supervisory authority can fine an infringement of the principles directly (article 83), but in deciding whether to fine and how much, it must take into account the measures you took to mitigate the damage, the technical and organisational measures you had in place and how you cooperated with the authority. We should all be continuously trying to apply the principles to our activities correctly, but we will never do it 100% of the time.
GDPR compliance does not mean that you always apply the principles correctly.
But remember that if you don’t apply the principles at all, you’re not GDPR compliant. You must be trying or taking steps to apply the principles. You must be doing what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly.
And you must be complying with your regulatory obligations that are clear and actionable.
Are there different levels or degrees of GDPR compliance?
Yes. The actions different organisations will take to apply the principles will vary based on a number of factors:
- Their budget.
- The risks to data subjects if their data is not protected.
- The amount and types of personal data the organisation processes.
The question is what is appropriate and reasonable (or reasonably practicable) for your specific organisation. For example, if your organisation is data driven, you need to do a lot more to be GDPR compliant than an organisation that processes very little personal data. GDPR compliance does not mean that you have to do everything under the sun to protect data.
GDPR compliance means different things to different organisations
Is it achievable?
Yes, it is. You need to work out what compliance means for your specific organisation and then work towards it. It will take time and there are no short cuts. Start by:
- identifying your obligations and starting to comply with them, and
- putting things in place so that everyone in your organisation starts trying to apply the principles.
And remember: if you fail to protect personal data, it does not by itself mean you are not GDPR compliant. And if you do not apply the principles correctly, it does not by itself mean you are not GDPR compliant.
When can you say you are GDPR compliant
It is brave for any organisation to say it is 100% GDPR compliant, but now that you know what GDPR compliance means, you might be more inclined to say that you are GDPR compliant. Maybe you can claim it when you believe that your organisation:
- complies with its clear and actionable regulatory obligations under the GDPR, and
- has done what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly.
How do you prove it?
Talk is cheap, and it is easy to say your organisation is GDPR compliant. How can you prove it? The most convincing way is to have an independent third party audit what you have done for GDPR compliance and certify that you are GDPR compliant. This is why, for so many, being GDPR certified or obtaining GDPR certification is the ultimate goal. The GDPR itself recognises this: approved certification mechanisms (article 42) and approved codes of conduct (article 40) may be used as elements to demonstrate compliance, and the records of processing (article 30) and data protection impact assessments you keep are the evidence an auditor will ask for. It is possible to certify compliance with the obligations (or with a data protection standard), but much harder to certify the application of the principles. Circumstances also change, so part of compliance must be an organisational structure that monitors those changes and ensures they do not render the certification invalid.