Avoid Trouble with a GDPR Compliance Checklist
It’s been over a year since the European Union (EU) implemented its General Data Protection Regulation (GDPR). What is GDPR? It’s an extra-territorial law concerned with protecting the personal data of EU citizens, whom the regulation refers to as “data subjects,” and it applies even to companies located outside the EU itself. Companies have already been hit with massive fines for GDPR compliance breaches, such as the £183 million fine (about $221.2 million US) that was proposed for British Airways.
This new personal data privacy regulation puts increased pressure on companies to protect their customers’ personal data. To help you avoid potential trouble, here’s a quick GDPR compliance checklist:
GDPR Compliance Checklist #1: Does My Company Handle the Personal Data of ANY EU Citizens?
One of the primary concerns of GDPR compliance is the protection of EU citizens’ data privacy. If your company handles the data of EU citizens, then it needs to follow the rules of GDPR. So, it’s important to audit the data you’re storing to see if any of it belongs to EU citizens, and to check your market to see if it is likely that you may process EU citizens’ personal data in the future.
GDPR Compliance Checklist #2: Are My Vendors GDPR Compliant?
If your vendors collect data on your clients, customers, or prospects on your behalf, it doesn’t matter how strictly your internal processes adhere to GDPR compliance requirements if theirs fall short. As Article 28 of the GDPR states:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation.”
So, one important checklist item is to inspect your vendors’ data privacy and protection measures (as well as their data collection policies) to verify that they meet GDPR compliance standards.
GDPR Compliance Checklist #3: Am I Notifying Customers/Prospects of WHY I’m Collecting Data?
Under GDPR compliance requirements, companies have to notify “data subjects” of both when and why they’re collecting personal data. Such explanations need to be clear and tied to a legitimate business purpose; otherwise, the storage of that data may violate the data subject’s rights as outlined in the EU’s General Data Protection Regulation.
GDPR Compliance Checklist #4: Am I Disseminating Personal Data to Any Third Parties?
GDPR regulations are very strict when it comes to the transmission of personal data to a third party. Basically, it’s not allowed (except in specific circumstances, such as investigations by regulatory bodies, or when necessary to complete contractual obligations), especially not without the prior knowledge and consent of the data subject.
The text of Article 44 of the rule reads:
“Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.”
So, when auditing your own GDPR compliance, it’s important to verify what data, if any, is being shared from your own organization with any outside organizations, and whether that information really needs to be shared at all.
GDPR Compliance Checklist #5: Do I Have Controls in Place to Let People Know What Data I’m Storing?
One of the most important rights that data subjects have under GDPR is the right to transparency. They should be informed not only when you’re collecting data, but also what data you hold about them. This supports their right to object to specific data being stored and their right to “be forgotten” (i.e., to request that you delete all personal data you’re storing about them).
Because of this, it’s important to have controls in place to track what data you’ve collected about data subjects and to be able to share that information with them if they ask. This may involve an in-depth rework of your communication tools and processes so you can efficiently handle personal data verification and deletion requests.
GDPR Compliance Checklist #6: Have I Audited My Data Security Measures Recently?
In addition to not actively sharing personal data with other organizations, it’s important to ensure that third parties cannot illicitly access that data, either. Data privacy relies heavily on strong network security. However, many cybersecurity architectures contain vulnerabilities that the organization is not yet aware of.
Conducting routine cybersecurity audits, and then making changes to eliminate any weaknesses identified during those audits, is a crucial step for ensuring data privacy and meeting GDPR compliance requirements.
GDPR Compliance Checklist #7: Do I Have Someone Who is Accountable for Managing GDPR Compliance?
Is there someone in your organization who is ultimately responsible for knowing the requirements of GDPR and ensuring regulatory compliance? If not, you may want to either create a GDPR compliance officer role in your organization (complete with the authority to make necessary changes) or assign responsibility for regulatory compliance to an existing high-level person in the company who has the time, expertise, and tools to do the job.
GDPR Compliance Checklist #8: Do I Have an Incident Response Plan in Case of a Data Breach?
Even with the best security and strictest regulatory compliance tools in place, there’s always the risk that an attacker will be skilled, persistent, or just plain lucky enough to breach your security. To help protect the data privacy of your customers (and meet GDPR compliance requirements), it’s important to have an incident response plan (IRP) in place.
This IRP should cover containing the initial threat and have provisions for communicating the breach to anyone who may have been affected by it. Failing to notify a data subject that their personal data may have been compromised is a breach of GDPR compliance requirements.
These are just a few of the most basic GDPR compliance checklist items that your organization should be watchful for. Need help verifying or improving your GDPR compliance? Reach out to the Compuquip team to get started.