GDPR Compliance in Four Easy(ish) Steps
If your job is to implement the GDPR, let me start by saying . . . I'm sorry. I don't know if you pissed off someone powerful, or if you just made poor career choices, but here you are.
Disclaimer: Reading legal articles on the Internet and applying it to your situation would be silly. What follows isn't legal advice, it's general legal information. If you aren't an attorney, consult one before trying this.
If it makes you feel any better, I was in the same spot a year ago. For me, it triggered the five stages of grief: denial (the GDPR isn't really going to be a big deal), anger (the EU is bananas!), bargaining (maybe I can do the bare minimum and that will be fine), depression (I hate my life, everything is sucky and stupid), and, finally, acceptance.
The most frustrating aspect of the GDPR is its complexity. It's 150+ pages of horrendously-written regulations with little helpful, practical commentary on how to apply them to a particular situation. The best practical advice we get is in the form of the almost equally-inscrutable Article 29 Working Party guidance and generic summaries from law firms (which, to be clear, are still helpful; they just somehow never seem to answer that one question you have).
What makes it additionally gut-wrenching are the horror stories of it costing millions of dollars and requiring the total redo of various business processes. I was in one GDPR-related meeting in which consultants proposed adding an additional 30 compliance hires to a 70-person marketing team.
However, the smaller and simpler your business, the easier your GDPR compliance should be. As Helen Dixon, the head of the Irish Data Protection Commission, recently explained, the GDPR “provides for implementation only of the organizational and technical measures that are appropriate and proportionate to the risks of the personal data processing operations in question and to the scale of the organization.”
So simplicity is the goal here. My hope is that you can use some of the (painful) lessons I've learned in your own work.
The Example Company: Acme’s Zip Code Decoder
Our company: A U.S.-based address processing service. It adds and verifies a zip or postal code for a given personal street address.
Our customer: A France-based home-delivery business.
Account Data: This is the contact information of the customer (e.g., company name, name and email of company contact, business address, etc.). Some of this is personal data (for more on what qualifies as personal data, see here).
End-User Data: This is the data you’re processing on behalf of your customer. All of this is personal data.
Note: This is the simplest type of business to make GDPR compliant. Because I want to provide implementation-specific details I will leave a B2C company for another day/post.
Here are the steps you'll take to become GDPR-compliant:
- Get Your Vendors In Order--Sign data processing addenda with your vendors and publish a list of them.
- Sign up for Privacy Shield--Sign up for the Privacy Shield so that you can lawfully import data.
- Write a GDPR-Compliant Privacy Policy.
- Write a GDPR-Compliant Data Processing Addendum.
Another note: CCPA compliance is coming and you'll want to get that in order as well. I plan on writing that soon.
Get Your Vendors in Order
Sign Data Processing Addenda with your Vendors
You need to sign a so-called “data processing addendum” with each of your vendors that process Account Data and End-User Data (because those contain personal data).[1] For example, a typical startup would need DPAs in place with AWS, Google Analytics, Zendesk, etc. This is easy because each of these vendors will have form DPAs you can click through.
It should go without saying that you should keep records of all of these executed DPAs.
Publish the List of Vendors
Once that’s done, you need to publish a list of the third-party processors or, at the very least, the categories of processors you use. This obligation stems from Article 28(2) of the GDPR. Here are some examples of how companies have published lists of their third-party processors: Slack, Stripe, and Atlassian.
Here is an excerpt of Slack's vendor (aka subprocessor) list:
Sign Up For the Privacy Shield
In order for EU companies to lawfully transfer their data to you in the United States, you need to ensure safeguards are in place to protect the data.[2] The three available safeguards are the Privacy Shield, Model Contract Clauses, and Binding Corporate Rules. Many companies implement two of the three safeguards because they worry that one of them will be taken away by the EU courts. For our MVP approach, one is enough and signing up for Privacy Shield is likely the easiest.
Update your Terms of Service
The U.S. Department of Commerce has helpfully listed the 13 notice requirements you need for your Privacy Policy here.
Some of the requirements are generic ones about what data you collect and what you do with it. Those should already be included in your privacy policy. In addition, there are some Privacy Shield-specific clauses you’ll need to include. I’ve mapped a draft of those clauses with pointers to which requirements they satisfy here (the text is in a footnote below[3]):
Sign up for JAMS
It’s free and you can register online. You don’t need to use JAMS, but that’s the one I’ve used.
Pay a fee
Go here to pay the fee.
Sign up for Privacy Shield
This is a step-by-step, screen-by-screen guide to signing up for the Privacy Shield once you’ve done all the steps above.
Create a GDPR-compliant Privacy Policy
This part sounds harder than it is. Because you’re, for the most part, a lowly processor of data, as opposed to the controller, you don’t have to say much about your processing of End-User Data. That obligation falls upon your customer. You do, however, need to follow the rules with respect to the Account Data you process.
Broadly speaking, you need to:
- Specify what information you collect and how you process it
- Provide a contact for your EU representative
- Let your customers know how they can exercise their GDPR rights (access, rectification, erasure, restrictions on processing, objection to processing, and portability)
These obligations are outlined in Article 14 of the GDPR and the Privacy Shield’s notice requirements.
Here is a quickly-drafted four-page privacy policy that is illustrative.
Note: This privacy policy specifies the handling of both Account Data (logins) and Customer Data (addresses). Another way to become compliant would be to:
- Have your privacy policy only address Account Data and marketing;
- Include a confidentiality provision in your TOS that specifies how you will handle Customer Data; and
- Draft a Privacy Shield Statement to ensure you have all your Privacy Shield bases covered.
The above is how Segment has handled its compliance and there are benefits to doing it this way. For example, your customers may insist on having confidentiality terms in the TOS and, if so, it would be better to have those terms just in the TOS (as opposed to both the TOS and PP).
Create a Data Processing Addendum that Satisfies the GDPR Requirements
This needn’t be long but it does need to satisfy the Article 28 requirements. Here, for example, is Facebook’s DPA for advertisers. You could use that as a basis for your own, but note that some of the ways Facebook has satisfied its Article 28 obligations, such as by providing a SOC2 report to satisfy its audit requirement, may not be appropriate for you.
If you end up paying a law firm to create one for you, it shouldn't be terribly expensive.
Satisfy the other GDPR Requirements
Do what you said you would do in your Privacy Policy. As my friend Steve, a grown man, would say, "uh-doy."
Create a record of processing. Under Article 30, you need to create "Records of Processing Activities." This means you need to write down your subprocessors, the controllers on whose behalf you're working, the categories of data you're processing, the countries in which the processing is occurring, and a general description of the security measures you've taken. Most of this will already exist in your privacy policy; the main exception is likely the description of security measures (described in Article 32), which you should have documented somewhere. As your business becomes more complex, you're going to have to fill out a spreadsheet like this one. Remember, though, if you are only processing EU personal data and not selling to EU customers, there won't be many rows.
Assign an EU representative. You have to have one under Article 27 but you can get one for relatively cheap (for example, here).
Decide whether you need to assign a Data Protection Officer. If you don’t have a DPO, document why you don’t. If you’re processing data on a large scale, you probably need one (or at least, that’s what the UK’s ICO thinks).
Don’t process sensitive data or, if you do, call in the professionals. If you’re processing personal health information or particularly sensitive data, you need to take extra care and the above guide isn't enough. Call in the professionals!
Report data breaches to your customers. Under Article 33, you have an obligation to notify your customers if a personal data breach affected them.
Did I Lie to You That It Would Be Easy?
I hope not but, now that I look at it, it looks like a lot.
Additional References
- The Irish DPC has its own checklist.
- The UK Information Commissioner’s Office has a guide to the GDPR.
If you have thoughts/feelings/emotions/questions, please reach out at pcounselblog [at] gmail dot com.
[1] Signing DPAs is required by Article 28(3).
[2] See U.S. Department of Commerce’s EUROPEAN UNION: TRANSFERRING PERSONAL DATA FROM THE EU TO THE US
[3] Here are the Privacy Shield paragraphs:
We transfer, process, and store your personal information in the United States. When transferring information from the European Union, the European Economic Area, and Switzerland, we rely on the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States. You can find our Privacy Shield certification here. You can also learn more about Privacy Shield at https://www.privacyshield.gov.
JAMS is the US-based independent organization responsible for reviewing and resolving complaints about our Privacy Shield compliance—free of charge to you. We ask that you first submit any such complaints directly to us via privacy@acme.com. If you aren’t satisfied with our response, please contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield. In the event your concern still isn’t addressed by JAMS, you may be entitled to a binding arbitration under Privacy Shield and its principles.
The Federal Trade Commission has jurisdiction over our compliance with the Privacy Shield. The Privacy Shield Principles describe our accountability for personal data that it subsequently transfers to a third-party agent. Under those Principles, we shall remain liable if third-party agents process the personal information in a manner inconsistent with the Principles, unless we prove we are not responsible for the event giving rise to the damage.