The EU’s General Data Protection Regulation (GDPR) is one of the strictest data protection/privacy laws on the planet, and non-compliant organizations can be fined heavily. This post provides a checklist to help organizations remain compliant and avoid those costly fines and lawsuits.
In this blog, we provide a detailed GDPR compliance checklist that you can use to benchmark your current progress.
What is GDPR Compliance?
The GDPR is a regulation passed by the European Union to safeguard the privacy and security of personal data belonging to EU citizens. Companies that handle the personal data of EU citizens must follow the rules laid out in the GDPR when collecting, processing, storing, and disposing of this data; GDPR compliance means demonstrably meeting those rules.
GDPR Compliance Checklist
Below we have collated a GDPR compliance checklist with some of the most important points that you need to consider if you want to be GDPR compliant:
Raise awareness of the GDPR compliance requirements
All employees, whether executives, administrators, human resource managers or, of course, compliance officers, must be aware of the GDPR compliance requirements and of the potential consequences should they fail to comply. Companies will also need to ensure that third-party suppliers are GDPR-compliant and that data processing agreements are in place with them.
Analyze Personal Data
Make a list of all sensitive data you store and process, and ask the following questions:
- Why are you storing the data?
- Where did you get the data from?
- What was the reason for obtaining the data?
- How long will you store the data?
- How secure is the data?
- Is the data encrypted?
- Is the data accessible?
- Will you be sharing the data with third parties?
- What is the purpose of sharing the data?
Maintain a Record of Data Processing Activities
Creating records of the inflows and outflows of every piece of data will help you align with the accountability principle of GDPR compliance. Compile the information in a coherent document and ensure that it is accurate and up-to-date. In this document, you will need a record of the departments in your company, the type of personal data recorded in each department, and a list of how each department processes personal data and who is responsible for it.
Evaluate Existing Privacy Policies
Review your existing privacy policies and notices to make sure they clearly explain:
- How personal data is collected.
- The lawful basis for collecting personal data.
- The intended use of personal data.
- How long personal data will be held.
- How to file complaints with the ICO regarding data handling.
Familiarize Yourself with Individual Rights
Under the GDPR, individuals have enhanced rights, which include:
- The Right to be Informed: Individuals have the right to know how their personal data is being processed and for what purpose. This includes situations where data is being transferred to a third party.
- The Right of Access: Individuals have the right to know what personal data has been collected about them, how it was gathered, why it’s being processed, and how long it will be retained.
- The Right of Rectification: Individuals have the right to request that any inaccurate or incomplete personal data be corrected.
- The Right to Erasure: Individuals can ask for their personal information to be deleted.
- The Right to Restrict Processing: In certain situations, individuals can request that their personal data be processed in a different way.
- The Right to Data Portability: If an individual requests their personal data, it must be provided to them free of charge and in an easily accessible format.
- The Right to Object: Individuals can object to the processing of their personal data. This objection must be honored unless there is a legal basis for processing that data.
To respect these rights, companies must:
- Review their data privacy/protection procedures.
- Be able to provide copies of personal data in a common format and free of charge.
- Determine how the company would react if a person asks for data deletion.
- Make sure systems allow for locating and deleting data.
- Determine who will make data-related decisions.
Review and Update Subject Access Request Procedures
You will need to review and update your procedures for handling subject access requests (SARs), which will involve the following:
- Develop a plan for complying with new SAR rules, including no fees and a one-month response time.
- Consider your ability to handle a large volume of SARs.
- Take practical steps such as creating GDPR-compliant response letters and updating policies and procedures.
- Establish technical procedures for processing data and correcting inaccuracies.
- Identify and document the legitimate basis for processing data.
- Update your privacy notice to reflect any change to the lawful basis for processing.
- Recognize that the rights available to individuals may depend on the lawful basis relied upon.
Revamp Existing Consent
Companies should update their cookie consent banners with plain and easy-to-understand text and should include an opt-out button. Customized user consent can be created with automated cookie software. Review any other methods for obtaining consent and seek fresh consent if they are not GDPR-compliant.
Safeguard children’s data
GDPR offers extra protection for vulnerable data subjects, especially children in the context of commercial internet services. Companies offering online services to children need verifiable consent from a parent or guardian. Consent needs to be communicated in child-friendly language and children under 16 (13 in the UK) need consent from someone with parental responsibility.
Identify, Report, and Investigate Data Breaches
Establish procedures for detecting, reporting, and investigating personal data breaches. Companies must report certain types of data breaches to the supervisory authority (the ICO in the UK) and, in some cases, to the affected individuals. The supervisory authority must be notified within 72 hours of becoming aware of the breach, and individuals may need to be informed without undue delay if the breach presents a high risk to their rights and freedoms.
Adopt a Privacy-Oriented Mindset
Companies should adhere to the “privacy by design” principle and conduct Data Protection Impact Assessments (DPIAs) in high-risk situations. Privacy-by-design measures include:
- Using pseudonymization or anonymization to obfuscate data.
- Deleting data that is no longer used or needed.
- Ensuring data centers are located in high-security areas.
- Implementing IT measures such as multi-factor authentication and TLS/SSL certificates.
- Encrypting passwords and securing employee devices.
- Conducting regular vulnerability scans on devices, systems, and networks.
Appoint a Data Protection Officer (DPO)
Under the GDPR companies are required to designate a Data Protection Officer (DPO) if their “core activities involve the processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals”. See Article 29 for more information.
Choose Your Leading Regulatory Authority
Companies operating in multiple EU member states should select and document a lead data protection supervisory authority. This can be determined by mapping where a company makes its most significant decisions about its data processing activities. As above, you can refer to Article 29 for more information about choosing a lead authority.
Whilst there are many other things that we could potentially add to this GDPR compliance checklist, we believe that the above points are the most important and relevant ones for you to start with. Now let’s take a look at how you can simplify the GDPR compliance process.
How Lepide Helps Achieve GDPR Compliance
The Lepide Data Security Platform will enable you to identify and safeguard sensitive data belonging to EU citizens. The built-in data classification feature will scan your file repositories (both local and remote), automatically discover GDPR-related data, and classify it accordingly. Whenever personal data belonging to EU citizens is accessed or used in an atypical manner, a real-time alert will be sent to your administrator’s inbox or mobile device. The Lepide platform also comes with numerous pre-defined GDPR compliance reports that can be generated and sent to the supervisory authorities at a moment’s notice.
GDPR Compliance FAQs
Do I Need to Comply with GDPR?
Organizations that collect or process the personal information of EU citizens or residents must comply with GDPR.
What are the 7 Principles of GDPR?
The seven principles outlined in Article 5(1) and 5(2) of the GDPR are: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
What are the Penalties for GDPR Non-Compliance?
Non-compliance with GDPR can result in fines of up to 10 million euros or 2% of the company’s global annual revenue (whichever is higher) for less severe violations, and up to 20 million euros, or 4% of the company’s global annual revenue (whichever is higher) for violating core principles.
What is a Data Protection Officer?
A data protection officer is responsible for overseeing an organization’s data protection strategy and acting as the main point of contact for supervisory authorities and data subjects.
What is the Difference Between a Data Controller and a Data Processor?
Data controllers are individuals who decide how and why personal data will be processed. Data processors are third parties that process personal data on behalf of a data controller, such as cloud service providers or email service providers.
What are the Different Categories of Personal Data?
Sensitive personal data, which requires greater levels of protection, includes racial or ethnic data, political affiliation or opinions, religious beliefs, trade union membership, biometric data, health data, sexual orientation or activity, and genetic data.
If you’d like to see how the Lepide Data Security Platform can help you effortlessly satisfy GDPR compliance audits and steer clear of costly fines, schedule a demo with one of our engineers or start your free trial today.