So, what is GDPR compliance anyway? What does it actually mean? Is it achievable? When can you say you are GDPR compliant and how do you prove it?
(Note: If you are in South Africa, this article applies equally to POPI compliance or POPIA compliance – or being POPIA compliant. It also applies to virtually any other country that has a data protection law similar to the GDPR.)
What is GDPR compliance?
For us, GDPR compliance means that your organisation:
- complies with its clear and actionable regulatory obligations under the GDPR, and
- does what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly to its current activities.
The GDPR is both rules- and principles-based legislation
Meeting your regulatory obligations
As the controller, joint controller or processor, you have certain obligations under the GDPR that you need to meet to achieve GDPR compliance. You could call these rules that you must follow and, in this context, the GDPR is rules-based legislation. For example, some controllers and processors must designate a data protection officer, publish their contact details and communicate them to supervisory authorities (article 37 of the GDPR). These obligations are not always easy to find and identify because they are scattered across different parts of the GDPR. It is, however, usually possible to go through your obligations under the GDPR and mark each one off as done, to do or in progress.
Your regulatory obligations might not only be in the GDPR. They might be in other country-specific laws or in codes of conduct, or there might be specific customer requirements.
Let us look at an analogy that we’re all familiar with – driving on a road. In most countries, there are laws that set the rules for driving motor vehicles on roads. On this stretch of road, you can only travel up to 60 mph (or 120 km per hour). This is an obligation or rule and is quite easy to comply with. You can drive at 60 mph but not 61 mph. It is easy to tell if you are compliant or not. Compliance can be measured, analysed, audited and remedied. The consequence of breaking the rule is clear – a fine of a certain amount. Drivers, police officers and courts know where they stand. There is a line and everyone knows when it has been crossed.
Complying with your regulatory obligations under the GDPR to become GDPR compliant is very similar. In this context, a GDPR compliance checklist works and can be useful for complying with your obligations.
Sometimes, however, it is not so easy. Some obligations are vague, and it is difficult to know exactly what the law obliges you to do. Some obligations are open to interpretation – they are more like principles than rules. For example:
- When a law says you may only send direct marketing emails to a person if you obtained their details in the context of the sale of a product or a service. For example, can an estate agent email someone trying to sell them a house after they have been to look at another house on one of the agent’s show days? What do we do in these circumstances?
- When the GDPR says “the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”, what exactly is a controller obliged to do?
A court needs to set a precedent or an authority needs to issue a guidance note to clarify the situation. Until then, these obligations should be treated like principles.
Applying the data protection principles
The GDPR sets out the principles for the lawful processing of personal data and is therefore, in this context, principles-based legislation. For example, the GDPR says “personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. It gives controllers the principles that they must apply to their activities to determine what they can and can’t do with personal data. It is the controller who is accountable and responsible for doing this (no-one else). Controllers must apply the principles now and forever into the future, to their existing and future activities. Controllers need to work out what action their specific organisation needs to take to apply each principle.
You can’t have a project to apply the principles to your current activities and then say we’re done – we’re GDPR compliant. You can always be better at applying the principles, and it is very hard to ever say we apply all the principles to all our activities all the time. You have to take various actions (like putting controls in place and creating a culture and a governance structure) to enable your organisation to apply the principles going forward. A GDPR compliance checklist works here as well.
Let us look at our driving on a road analogy again. In some countries, there are laws that set the principles for driving motor vehicles on roads. On this stretch of road, you can travel as fast as you believe is safe (is reasonable and appropriate) considering the state of your vehicle, the condition of the road, the weather conditions and the surrounding circumstances.
This is a principle and is much harder to comply with. You, as the driver, must decide how fast to drive. Is it 60 mph or 80 mph? It is hard to tell if you are compliant or not. Compliance can’t always be measured, analysed, audited and remedied. Activities can be mapped, you can apply the principles and make adjustments, but there isn’t always time to do this. The consequence of breaking the principle is also less clear. Drivers, police officers and courts often don’t know where they stand. There isn’t a clear line, and not everyone knows when it has been crossed.
Applying the principles under the GDPR is very similar. A GDPR compliance checklist doesn’t really work and is not so useful for applying the principles.
What GDPR compliance is not
GDPR compliance does not mean that you always protect data. It does not mean that you will never have a breach. In this regard, data protection is like personal fitness.
Being GDPR compliant does not mean that you apply all the principles to all your activities all the time. It is likely that you will sometimes apply the principles incorrectly and therefore process personal data unlawfully. If this happens, you are still GDPR compliant provided you take steps to remedy your application of the principles. For example, generally speaking, you only get fined for failing to comply with an enforcement notice from an authority to change the way you apply the principles – not for applying the principles incorrectly in the first place. We should all be continuously trying to apply the principles to our activities correctly, but we will never do it 100% of the time.
GDPR compliance does not mean that you always apply the principles correctly.
But remember that if you don’t apply the principles at all, you’re not GDPR compliant. You must be trying or taking steps to apply the principles. You must be doing what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly.
And you must be complying with your regulatory obligations that are clear and actionable.
Are there different levels or degrees of GDPR compliance?
Yes. The actions different organisations will take to apply the principles will vary according to a number of factors:
- Their budget.
- The risks to data subjects if their data is not protected.
- The amount and types of personal data they process.
The question is what is appropriate and reasonable (or reasonably practicable) for your specific organisation. For example, if your organisation is data-driven, you need to do a lot more to be GDPR compliant than an organisation that processes very little personal data. GDPR compliance does not mean that you have to do everything under the sun to protect data.
GDPR compliance means different things to different organisations
Is it achievable?
Yes, it is. You need to work out what compliance means for your specific organisation and then work towards it. It will take time and there are no short cuts. Start by:
- identifying your obligations and starting to comply with them, and
- putting things in place so that everyone in your organisation starts trying to apply the principles.
And remember, if you fail to protect personal data it doesn’t mean you are not GDPR compliant. And if you don’t apply the principles correctly, it doesn’t mean you are not GDPR compliant.
When can you say you are GDPR compliant?
It is brave for any organisation to say they are 100% GDPR compliant but now that you know what GDPR compliance means, you might be more inclined to say that you are GDPR compliant. Maybe you can claim it when you believe that your organisation:
- complies with its clear and actionable regulatory obligations under the GDPR, and
- has done what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly.
How do you prove it?
Talk is cheap, and it is easy to say your organisation is GDPR compliant. How can you prove it? The only way, really, is to have an independent third party audit what you have done for GDPR compliance and certify that you are GDPR compliant. This is why, for so many, being GDPR certified or obtaining GDPR certification is the ultimate goal. It is possible to certify compliance with the obligations (or a data protection standard) but much harder to certify the application of the principles.