Understanding and implementing GDPR compliance for your business can be a challenging task. To assist you in this process, we have compiled a comprehensive compliance checklist with actionable steps that can guide you along the way.
Please note that while this list provides valuable guidance, it is essential to consult with compliance experts to ensure your organization is up to date with the latest GDPR compliance standards.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a comprehensive data protection and privacy regulation that was implemented in the European Union (EU) on May 25, 2018. The GDPR replaced the previous data protection directive and introduced new rules and requirements for the protection of personal data of individuals within the EU.
The main objective of the GDPR is to give individuals greater control over their personal data and to harmonize data protection laws across the EU member states. It applies to any organization, regardless of its location, that processes personal data of individuals residing in the EU.
Under the GDPR, organizations that process personal data are required to implement appropriate technical and organizational measures to ensure the security and confidentiality of the data. They must obtain valid consent for processing personal data, notify individuals about data breaches, appoint a Data Protection Officer (DPO) in certain cases. They must also conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities and maintain records of processing activities.
Non-compliance with the GDPR can result in significant fines and penalties. Organizations can be fined up to 4% of their annual global turnover or 20 million euros, whichever is higher, for the most serious violations of the regulation.
The Complete GDPR Compliance Checklist/ GPDR Requirements
✔️ Personal information inventory: Your company has a list of all types of personal information it holds. The source, who you share it with, how long you keep it and what you do are also listed.
This is a list of the actual types of information being held (eg Name, social security nr, address...). For every type of information, there are four things you need to make clear: the source document/record, who the information is shared with, how long it will be stored for, and why it is being stored.
✔️ Data storage and flow: Your company has a list of places where it keeps personal information and the ways data flows between them.
This list can include database software such as Mysql and also offline datastores such as paper-based information.
You should include all relevant information about personal data and explain where it is held. This should include the type of personal data that the company collects or contact information to find out more.
ACCOUNTABILITY & MANAGEMENT
✔️ Appointment of a Data Protection Officer (DPO): Your company has appointed a Data Protection Officer (DPO) to ensure compliance with the GDPR, which came into effect on 25th May 2018.
A Data Protection Officer is required in three cases: (1) the processing is being carried out by a public authority, (2) the processing relates to personal data relating to criminal convictions, and (3) the processing takes place with respect to proceedings carried out in a court of law. (2) the core activities of the business consist of processing operations which, by virtue of their nature and scope, require regular and systematic monitoring of a significant number of data subjects or (3) The core activities of the business consist of processing special categories of data (sensitive data) and personal data relating to criminal convictions or offenses on a large scale in order to fulfill Article 9 and 10. When it comes to GDPR and data protection, the DPO should have knowledge of GDPR guidelines and should also have knowledge about the internal processes that involve personal data.
✔️ Best practice security measures: For business security purposes, always stay up to date with updates and make sure you follow best practice recommendations. Staying secure will help your business thrive by maximizing efficiency and productivity.
Make sure you're doing everything according to best practices and you'll be in a much better position.
✔️ Staff training and guidelines: Make sure all staff know what is expected of them when it comes to data protection, for example by sending out clear guidelines and training.
One common security vulnerability is when an individual sharing an organization's internal systems unknowingly becomes accessible to hackers. Make sure your employees are aware of these risks, as they may unknowingly make the situation worse.
✔️ Regulatory representative: You have a regulatory representative if your business operates outside the EU.
If you've a business operating outside of the EU and collect data on EU citizens, make sure you assign a representative in one of the member states for your business. This person must be assigned to handle any issues relating to processing, as they'll be best equipped to do so.
✔️ When you experience a data breach, let the local authority know and ensure that the people impacted are notified.
Data breaches should be reported within 72 hours in order to meet local authority requirements on the reporting of data breaches. You should report what data has been lost, what the consequences are and what steps you have taken to prevent such a situation from occurring again. If there was an encryption key that allowed someone to read the contents of a file, then you should also report the data breach to the user whose data got out.
✔️ Access to personal information: Your customers can contact your customer service team and request access to their personal information.
✔️ Automated data deletion: You automatically delete data that your business no longer has any use for.
Ideally you should use an automated process to remove data that is no longer needed. A good example of this process would be deleting any customer orders which were not renewed after their contract has ended.
✔️ Your customers can easily request that their data be delivered to themselves or a 3rd party. They can send a written notice to you or the 3rd party that they want their personal data in an electronic format.
✔️ Your customers can object to profiling or automated decision making that could impact them.
If your company does profile or any other automated decision making, this is only applicable to you. If you do not have a process, Datalink Networks has created an easy online flow for this,contact us here for help!
✔️ When processing is based on consent, it must be given freely and willingly, without pressure. It must also be specific, informed (i.e., the person knows what their data will be used for) and revocable (i.e., they can withdraw consent at any time).
It should be written so it's easy to understand, shouldn't hide its intentions and will stay valid. Privacy policies for service providers of children should be easy for their age group to read.
✔️ Giving and withdrawing consent, should be as easy as possible for customers.
If you would like to set up a form for us to follow, please fill out the following information.
✔️ In order to process the personal data of children, you need to verify their age and if applicable, ask consent from their legal guardian.
If a legal guardian has not given their consent for the processing of personal data, then you will need to verify that it was an unreasonable data processing request (prior to granting consent).
✔️ Your company understands when you must conduct a DPIA (Data Protection Impact Assessment) for high-risk processing of sensitive data.
This only applies to organizations that conduct large-scale data processing, profiling and use of other techniques at a high risk to the rights and freedoms of people. Please contact your personal advisor for more information about cases like these.
✔️ Ensure you transfer your data so that it can only be accessed by those who offer an adequate level of protection in-line with the EU's new GDPR Data Protection Law.
✔️ Customers have the right to receive clear information, communication and channels so they can exercise your rights
A data controller shall provide any data subject with the information that is required by Articles 13 and 14. Additionally, any communication under Articles 15-22 and 34 related to processing of your information should be concise, transparent, intelligible, and easily accessible. This means it uses clear language that customers can understand like articles 15-22 and 34. We provide the information in written form, or by other means when appropriate - like phone calls. When customers request it, we can also provide it verbally and back up our identity with another form of ID like your name and address.
✔️ Right to Receive Specific Information When Personal Data Are Collected From You Directly
This information is : 1) The controller and, if different, the controller’s representative is responsible for this website. The contact details can be found next to "Legal Information". 2) You can find the contact details of the data protection officer on our website. 3) The purposes for our processing personal data and the legal grounds underpinning this processing are outlined in the policy. 4) If you are collecting or processing background data under point (f) of Article 6(1), your legitimate interests are conveyed. 5) The types of personal data classified here are the recipient or categories of recipients and other descriptions such as longevity. 6) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
✔️ Right to receive specific information when your personal data aren't collected directly from you
This information is : 1) The person or company who administers your personal data is called the controller and they are obliged to give customers information about themselves and their representative. 2) The contact details of the data protection officer can be found. 3) The purposes of the processing are defined along with the legal basis for the processing. 4) Personal data is organized by categories. 5) The recipient of each category is defined and/or of recipients of the personal data are defined.
✔️ Customers have a right of access: whether your personal data is being processed; and if it is, then customers are entitled to access all the details of this processing.
Customers also have to right to access the following information: 1) purpose of processing. 2) categories of personal data collected and processed 3) the recipients who will be receiving the data 4) the time period data will be stored 5) the right to ask the controller to correct, erase or restrict processing of personal data regarding the data subject. The right to object follows and will always be given in writing. 6) Any individual or organization can contact a supervisory authority if they feel they are having their rights infringed. 7) Where information about the personal data is incomplete, it's important to note where the data came from. 8) Article 22(1) and (4) of the GDPR talk about automated decision-making, including profiling. This includes giving meaningful information to the individual about the logic involved and potential consequences, as well as making decisions that can have legal or similarly significant effects on an individual.
✔️ The GDPR prescribes customers the right to so-called "rectification". It means that the controller is obliged to rectify inaccurate personal data without undue delay.
If there are any missing details on your personal data, customers have the right to receive a complete copy. This may include simple finishing touches, such as adding phone numbers and email addresses.
✔️ Customers also have the right to request that controllers, who process your personal data, erase all your personal data without undue delay, unless some of them are required by law to keep it.
A controller will have the obligation to erase your personal data without undue delay when one of these conditions is met: 1) You can request your personal data be deleted by contacting the data management team and they will take care of it within a reasonable time frame. 2) The data subject withdraws their consent on which the processing is based, and this is not cancelled with any other legal ground for processing. 3) The data subject objects to the processing of their personal data, there are no overriding legitimate reasons for them to do this and they are not aware that you're carrying out other lawful processing. 4) Personal data have been unlawfully processed. 5) You MUST remove the personal data for legal reasons. For example, some countries require that under certain conditions, the controller shall take appropriate measures to erase or encrypt personal data. A few examples of when this applies are when a company needs to comply with GDPR rules or similar but sometimes it might be a country law.
✔️ Customers have the right to request that a company stop processing your data and/or remove it entirely.
This right applies in certain circumstances: 1) When customers contest the accuracy of your data, your company must take a look at it and assess it to see if there are any changes needed. 2) It is unlawful to process this data and the subject doesn't want their data removed or used for alternative purposes, so we'll restrict the processing instead. 3) If a person's controller needs their data for one reason but they want it for another, the Data Protection Act says that the controller can never use it for the second reason unless they first stopped processing it for the original one. 4) The data subject objects to the processing of his or her personal data and requests that we verify whether the controller has a legitimate reason to process the data.
✔️ Right to be notified regarding rectification or erasure of your personal data or restriction of processing: The controller shall communicate any rectification or erasure of your personal data or restriction of processing.
This right is carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform customers about those recipients if customers request it.
✔️ Right to portability: Customers have the right to request a copy of your personal data from any company you have given it to, in a machine-readable format. They are also obliged to provide this within any reasonable timeframe provided.
This processing is not based on consent or a contract, so it falls under point (a) of article 6(1) or point (2) of article 9(2). The processing is carried out in automated way and can be done without explicit consent.
✔️ Right to object: Customers have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
The controller shall not process your personal data unless they demonstrate compelling, legitimate grounds overweighing customers interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
✔️ Customers have the right to not be subject to a decision based solely on automated processing, including profiling, that can produce legal effects or significantly impact customers in other ways.
Those exceptions include: 1) is necessary for entering into, or performing, the contract between you and your provider 2) is authorized by Union or Member State law to which the controller is subject and also provides appropriate rights protections. 3) Consent from the data subject is required for any use.
GDPR checklist for data controllers (from GDPR.eu)
To understand the GDPR checklist, it is also useful to know some of the terminology and the basic structure of the law. We recommend you speak with an attorney specialized in GDPR compliance who can apply the law to your specific circumstances.
Lawful Basis and Transparency
Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request. The best way to demonstrate GDPR compliance is using a data protection impact assessment. Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier. In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g., encryption), and when you plan to erase it (if possible).
Conduct an information audit to determine what information you process and who has access to it.
Have a legal justification for your data processing activities.
You must follow the principles of "data protection by design and by default," including implementing "appropriate technical and organizational measures" to protect data. In other words, data protection is something you now have to consider whenever you do anything with other people's personal data. You also need to make sure any processing of personal data adheres to the data protection principles outlined in Article 5.
Technical measures include encryption, and organizational measures are things like limiting the amount of personal data you collect or deleting data you no longer need. The point is that it needs to be something you and your employees are always aware of.
Take data protection into account at all times, from the moment you begin developing a product to each time you process data.
Encrypt, pseudonymize, or anonymize personal data wherever possible.
Create an internal security policy for your team members and build awareness about data protection.
Know when to conduct a data protection impact assessment and have a process in place to carry it out.
Have a process in place to notify the authorities and your data subjects in the event of a data breach.
Accountability and Data Governance
Another part of "data protection by design and by default" is making sure someone in your organization is accountable for GDPR compliance. This person should be empowered to evaluate data protection policies and the implementation of those policies.
Designate someone responsible for ensuring GDPR compliance across your organization.
Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.
If your organization is outside the EU, appoint a representative within one of the EU member states.
Appoint a Data Protection Officer (if necessary)
People have the right to see what personal data you have about them and how you're using it. They also have a right to know how long you plan to store their information and the reason for keeping it that length of time. You have to send them the first copy of this information for free but can charge a reasonable fee for subsequent copies. Make sure you can verify the identity of the person requesting the data. You should be able to comply with such requests within a month.
It's easy for your customers to request and receive all the information you have about them.
It's easy for your customers to correct or update inaccurate or incomplete information.
It's easy for your customers to request to have their personal data deleted.
It's easy for your customers to ask you to stop processing their data.
It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.
It's easy for your customers to object to you processing their data.
If you make decisions about people based on automated processes, you have a procedure to protect their rights.
Congratulations! You are now GDPR compliant!
Congratulations! If you've dutifully worked to the bottom of the GDPR checklist, then you've significantly limited your exposure to regulatory penalties.
In conclusion, it is important to remember that this is simply a list of things to do and not legal advice. There are dozens of exceptions in GDPR which would be too time consuming and irrelevant here. Check with a lawyer to make sure that your organization is fully GDPR compliant today!