The GDPR (General Data Protection Regulation) is an EU regulation that has applied since 25 May 2018, replacing the earlier Data Protection Directive. It requires organizations to put policies and procedures in place to protect the personal data of individuals in the EU, including organizations established outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Below is a checklist designed to help organizations work towards GDPR compliance.
1. Awareness
All employees, from IT staff, executives and general administrators to consultants, sales and marketing staff, human resource managers and, of course, compliance officers, must be aware of what the GDPR requires of them and of the potential consequences of failing to comply, which include fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
2. Analysis of Personal Data
Make an inventory of all personal data you store and process (not only the special categories such as health, biometric or religious data, which carry stricter rules), and ask the following questions for each dataset:
- Why are you storing the data?
- Where did you get the data from?
- What was the reason for obtaining the data?
- How long will you store the data?
- How secure is the data?
- Is the data encrypted?
- Is the data accessible?
- Will you be sharing the data with third parties?
- What is the purpose of sharing the data?
3. Communications
Communicate clearly with both service users and staff. Invest time in developing a clear, intuitive privacy notice that tells users what data you collect, why you are collecting it, on what lawful basis, and what you plan to do with it.
4. Review Procedures
Ensure that you have a suitable privacy policy in place and review it to confirm that all data subject rights are accounted for (access, rectification, erasure, restriction, portability and objection), together with how requests are handled and how the data is processed and removed.
5. Ensure Appropriate Access Rights
List which access rights should be granted and to whom, applying least privilege so that staff can reach only the personal data their role requires. Put a plan together detailing how changes in access rights (joiners, movers and leavers) are requested, approved, applied and periodically reviewed.
6. Check the Small Print
Make sure that you carefully read and understand the GDPR's detailed provisions. You will need this understanding to identify the legal requirements that apply to the types of data you store and process.
7. Customer Consent
Consent is only one of six lawful bases for processing under Article 6, so first establish which basis applies to each processing activity. Where you rely on consent, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes do not count), and as easy to withdraw as it was to give. Keep a clear record of who consented, when, to what, and how, so that you can demonstrate that consent was obtained for the way the data is acquired, stored and processed.
8. Children’s Data
If you are processing children's data, the GDPR treats children as needing specific protection. For online services offered directly to a child, Article 8 makes the child's own consent valid only from the age of 16 (member states may lower this to no less than 13); below that age you need consent from the holder of parental responsibility and must make reasonable efforts, taking available technology into account, to verify that it was given. Privacy notices aimed at children must be written in language a child can understand.
9. Data Breaches
You must implement a procedure for handling personal data breaches. You must be able to detect, report and investigate any breach that occurs, and unless the breach is unlikely to result in a risk to individuals you must notify the supervisory authority within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, you must also inform them without undue delay. Keep an internal register of all breaches, including those you decide not to report.
10. Impact assessments
A data protection impact assessment (DPIA) is a process for determining the impact a processing activity may have on individuals' privacy. Under Article 35 it is mandatory where the processing is likely to result in a high risk to individuals, for example systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special-category data, or systematic monitoring of publicly accessible areas on a large scale. The assessment must describe the processing and its purpose, assess its necessity and proportionality, and analyse the “origin, nature, particularity and severity” of the risk to data subjects' rights together with the measures that address it. If the residual risk remains high, you must consult the supervisory authority before starting the processing.
11. Data Protection Officers (DPOs)
Appointing a DPO is mandatory where the organization is a public authority or body, where its core activities involve regular and systematic monitoring of individuals on a large scale, or where its core activities involve large-scale processing of special categories of data or data relating to criminal convictions; other organizations may appoint one voluntarily. The DPO may be a staff member or an external contractor, must report to the highest level of management, and must not be penalized for carrying out the role. The DPO's role is to inform and advise the organization on its data protection obligations, monitor compliance (including auditing data processing operations and ensuring staff are trained), advise on DPIAs, act as the contact point for the supervisory authority, and deal with inquiries from data subjects.
Using Lepide to Become GDPR Compliant
If you want to get more visibility into where your GDPR-related data resides in your data stores, who has access to it, and what is happening to it, you will likely need the help of a third-party Data Security Platform. Explore how the Lepide Data Security Platform can help you achieve and maintain GDPR compliance.