The GDPR is an EU regulation that comes into effect on 25 May 2018. The new regulation aims to ensure that organisations have policies and procedures in place to protect the data of EU citizens. Below is a checklist designed to assist organisations in complying with the GDPR.
All employees, whether they are IT staff, executives, general administrators, consultants, sales and marketing executives, human resource managers or, of course, compliance officers, must be aware of what the GDPR requirements are and of the potential consequences should they fail to comply.
Analysis of Personal Data
Make a list of all sensitive data you store and process, and ask the following questions:
- Why are you storing the data?
- Where did you get the data from?
- What was the reason for obtaining the data?
- How long will you store the data?
- How secure is the data?
- Is the data encrypted?
- Is the data accessible?
- Will you be sharing the data with third parties?
- What is the purpose of sharing the data?
Communicate clearly with both service users and staff members. Invest time in developing a clear and intuitive privacy notice that tells users why you are collecting the data and what you plan to do with it.
Make a list of which access rights should be granted and to whom they apply. Put together a plan detailing how a change in access rights should be handled.
Check the Small Print
Make sure that you carefully read and understand the GDPR small print. You will need to use this understanding to be able to identify the legalities associated with the types of data you store and process.
You must implement a procedure for handling data breaches. You must be able to detect, report and investigate any breaches that occur.
Under the GDPR, it is a mandatory requirement for organisations to carry out a data protection impact assessment (DPIA), a process for determining the potential impact that a project may have on data privacy. The process requires the organisation to analyse the “origin, nature and severity” of the risk to data subjects’ privacy rights.
Data Protection Officers (DPOs)
Under the GDPR, any organisation that stores and processes public data must hire a DPO. The role of the DPO is to implement data protection policies, audit data processing operations, ensure that all staff members are fully trained to comply with the GDPR, and handle enquiries.