Guide: How to create a GDPR-compliant customer onboarding process

Data protection and GDPR

Data protection continues to be a hot topic globally, even more so as fraud involving personal data, such as identity theft and phishing, becomes increasingly common.

As authorities tighten their grip on GDPR breaches, many companies and whole industries have come under scrutiny. IMY (the Swedish Authority for Privacy Protection, Integritetsskyddsmyndigheten) is the Swedish supervisory authority that works to ensure that personal data, for example about health and finances, is handled correctly and does not fall into the wrong hands. Spotify, Klarna and Kry are just a few of the companies IMY has audited in the last 12 months, receiving reprimands or administrative fines (sanction fees) as a result.

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the EU and the EEA. It also addresses the transfer of personal data outside the EU and EEA areas.

The regulation is widely described as the strictest privacy and security law in the world and has applied since May 25, 2018.

1. Purpose-based data usage

According to the GDPR, personal data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that collecting data "to maybe use it at a later stage" or "to maybe use it later for a different purpose" is highly questionable from a legal perspective. A clearly defined and well-documented purpose is therefore the place to start whenever personal data is used in your process.


2. Bare minimum approach to data collection

The GDPR's principle of data minimization calls for collecting and using as little data as possible. Data you have collected should not be retained or used further unless that is essential for a purpose you stated in advance. In the GDPR's own wording, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

In other words, from a legal standpoint you should collect only the data you need to fulfill the stated purpose. Making sure that the purpose is crystal clear, documented and time-bound is crucial. A good place to start is to ask yourself the following when setting up your process:

  1. What data is required to build my process?
  2. Is it possible to achieve the purpose without data collection?
  3. Does the individual know I am collecting the data and why? (If not, how can I clarify this in my process?)
  4. How am I planning to use this data, and for how long?
  5. What happens to the data when it is no longer required?

Also worth noting is that this approach to data collection is highly beneficial from the customer's or user's perspective, as the process becomes faster and smoother when you avoid unnecessary data-collection steps: better CX while ensuring GDPR compliance.


3. Alternative ways of presenting personal data

IMY has identified and cracked down on processes such as checkout solutions or digital registrations that are built in a way that lets others use them as a lookup service: for example, entering someone else's social security number (in Sweden, the personal identity number) and obtaining that person's address through the process's autofill feature.

In light of this problem, IMY has developed alternative, approved ways of using and presenting personal data in these types of processes, which include:

  1. Login through e-identification or with secure password management.
  2. The usage of data in the background, without presenting anything to the user.
  3. Masking personal data so that the information can be confirmed by the user, but doesn’t risk revealing personal data to an unauthorized person.
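The second and third options above, as an added worked example written for this guide (this is illustrative code, not IMY's or any vendor's implementation). It assumes a hypothetical in-house register keyed by personal identity number with constructed, fictional records, and the masking format is one reasonable choice rather than a format IMY prescribes. For contrast it also shows the autofill lookup pattern that turns a form into a lookup service.

```python
"""Added example for this guide: three ways a checkout/registration form can
use a register keyed by personal identity number. Not IMY's or any vendor's
code; the register, its fields and the masking format are assumptions."""

import re
import unicodedata
from typing import Optional

# Constructed, fictional register for the example only. In a real system this
# would be a customer database or an external address lookup service.
REGISTER = {
    "199001019999": {
        "name": "Anna Andersson",
        "street": "Storgatan 12",
        "postcode": "11122",
        "city": "Stockholm",
    },
}


def autofill_lookup(pnr: str) -> Optional[dict]:
    """The pattern IMY objects to: anyone who can type a number gets the
    full record back, so the form doubles as an address lookup service."""
    return REGISTER.get(pnr)


def normalize(text: str) -> str:
    """Case-fold, strip diacritics and collapse whitespace so that what the
    user typed can be compared with the register without an exact match
    (so 'Göteborg' and 'goteborg' compare equal)."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", stripped.casefold().strip())


def verify_in_background(pnr: str, street: str, postcode: str, city: str) -> bool:
    """Option 2: the register is consulted only to confirm what the user
    typed. No register field ever reaches the client, and an unknown number
    and a mismatch both return False, so the answer alone does not reveal
    whether the number exists in the register."""
    rec = REGISTER.get(pnr)
    if rec is None:
        return False
    return (
        normalize(street) == normalize(rec["street"])
        and re.sub(r"\s", "", postcode) == rec["postcode"]
        and normalize(city) == normalize(rec["city"])
    )


def mask_record(rec: dict) -> dict:
    """Option 3: show just enough for the rightful owner to recognise their
    own record (initials, first two letters of the street, city) while the
    house number and postcode stay hidden from someone who only has the number."""
    street = rec["street"]
    return {
        "name": " ".join(part[0] + "." for part in rec["name"].split()),
        "street": street[:2] + re.sub(r"\S", "*", street[2:]),
        "postcode": "*" * len(rec["postcode"]),
        "city": rec["city"],
    }


def masked_lookup(pnr: str) -> Optional[dict]:
    """What the form returns under option 3: the masked record, or None."""
    rec = REGISTER.get(pnr)
    return mask_record(rec) if rec else None


if __name__ == "__main__":
    print("autofill (avoid):", autofill_lookup("199001019999"))
    print("background check:",
          verify_in_background("199001019999", " storgatan 12", "111 22", "STOCKHOLM"))
    print("masked:", masked_lookup("199001019999"))
```

Even the masked variant leaks a little with every query (initials, city, street prefix), so in practice it belongs behind the first option on the list as well: a session authenticated by e-identification or a proper login, with rate limiting on the lookup, rather than an open form field.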


[Image: GDPR personal data masking]


Well, what about given consent then?

Consent is one of the legal bases for processing personal data, and explicit consent can also cover sensitive (special-category) data. However, relying on consent for sensitive data is not easy in practice. The process must inform users very clearly about what they are agreeing to; otherwise the consent is not valid.

In addition, a person must be able to withdraw their consent as easily as they gave it. As a company you must therefore have functions and systems in place to handle withdrawal, which means more structure, processes and administration on your end to support that function.


4. Follow the principles relating to processing of personal data

As the GDPR can seem extensive and complex, a good place to start in terms of ensuring compliance is to follow the principles relating to processing of personal data, quoted below from Article 5:

Article 5 - Principles relating to processing of personal data

Personal data shall be:

(a)  processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b)  collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes/…/ (‘purpose limitation’);

(c)  adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d)  accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods /…/ (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

  2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
