The objective of this article is to provide a GDPR compliance checklist to allow companies to get started on GDPR compliance. It is not a comprehensive guide, but instead is a quick-start guide.
GDPR Compliance Preparation Checklist
The General Data Protection Regulation has been a reality since it was first agreed upon, in 2016. But, according to Spiceworks, only 2% of IT professionals surveyed within the EU felt that their company was fully prepared for GDPR, just twelve months before the implementation date of 25 May 2018. The same figure applied to professionals within the US, and was only slightly higher, at 5%, for professionals within the UK. This is a worrying statistic, given that compliance is necessary for companies to avoid significant fines and other sanctions.
So, what do companies need to do, to ensure that they are compliant with the GDPR? Here is a useful checklist of preparations that need to be completed.
Learn about GDPR
Most people will know something about the GDPR. The basics are that the GDPR replaces the Data Protection Directive. The fact that it is now a regulation and not a directive means that there should be an improved level of uniformity, throughout the EU, regarding how personal data is managed.
The GDPR also gives individuals greater control over how their data is used. This applies to every person residing within the EU. They have the right of access to data, the right to have data rectified and the right to have data erased, except in certain circumstances. This is why companies across the world are affected by GDPR, and not just those based in Europe. Any company processing the data of people living in the EU must comply with the new regulation.
It’s important that companies ensure that employees are aware of this information, and trained in how the GDPR works, and what it means for the way the company deals with data. This level of awareness and training is required as part of a company’s compliance with the GDPR.
Carry out an audit of data held
Once a company knows what is required to comply with the GDPR, it needs to carry out an audit of the personal data it’s currently holding. It needs to consider areas such as:
- What data is being held?
- Where is the data being held?
- Who is responsible for managing the data?
- What is the data being used for?
- Is it still necessary to hold the data?
One of the most important things to think about is whether it is still necessary to hold the data at all. The GDPR stipulates that data should only be used for the purpose for which it was originally acquired. If this purpose no longer exists, the data should be destroyed, unless there is a legally valid reason for retaining it. It is also important to note that the less data a company holds, the smaller the impact of any incident is likely to be.
Companies need to identify any high-risk data or activities. Data Protection Impact Assessments (DPIAs) should be used for this purpose. Once it has identified risks, the company needs to mitigate them. If it seems as though mitigation is not possible, a discussion should be had with the relevant Data Protection Authority (DPA) regarding the keeping and processing of the data. This type of discussion is expected to be the exception rather than the rule, but if no mitigation is possible for a high-risk situation, a company must have the discussion in order to comply with the GDPR.
Ensure that policies and procedures are in place
In order to comply with the GDPR, companies need to know:
- What data is being held?
- Where is the data being held?
- Who is responsible for the data?
- Is the data up to date, and does it still need to be kept?
- What security is in place to protect the data?
- Can the data be accessed and provided should a System Access Request (SAR) be received?
Importantly, each company also needs to prove that it has all of this knowledge. This is why it’s important to put processes and procedures in place.
Document all processes
As we mentioned earlier, companies have to be able to prove that they are compliant with the GDPR. This is why it is important to fully document all processes and procedures. Any company that is found to be non-compliant could face a fine of up to a maximum of 20 million euros, or 4% of annual turnover, whichever is higher. No company can afford for this to happen. Although it is likely that DPAs will initially concentrate on obviously non-compliant companies, it is important for all companies to have their processes, procedures and documentation in order.
Plan for data breaches
Once the GDPR is introduced, it will be mandatory for all data breaches to be reported within seventy-two hours. This is why it is important for every company to have procedures in place for dealing with a data breach. It is important not only to keep information secure, but also to have plans in place for what to do if that security is breached. Failure to comply with the GDPR's data breach requirements could lead to a costly fine. It could also lead to a damaged reputation, which could be even more costly in the long term, due to potential loss of custom and resulting falls in revenue.
Engage the services of a Data Protection Officer (DPO)
When the GDPR becomes a reality, any company or organisation that monitors personal data (including IP addresses) on a large scale must engage the services of a DPO, either internally, or via an external provider. The same applies if companies process large amounts of special category data, such as genetic or criminal information. Public bodies that process personal data must also have a DPO in place.
There is a likelihood that there will be a shortage of qualified DPOs available. However, there is no stipulation concerning what qualifications a DPO must hold. They do, however, need to be fully conversant with what is covered by the GDPR, and how it affects the business. They also need to be able to create and manage data protection systems and processes. It is possible for a company to move an existing employee into the DPO role, but that person must have the required awareness, and comprehensive training in all aspects of the GDPR.
Monitoring and reporting
Once a company has systems in place that will enable it to comply with the GDPR, it also needs to develop monitoring and reporting processes. These processes need to exist for two reasons. Every company needs to be able to check that its processes are working, and that it is fully GDPR compliant, at all times. And every company needs to be able to prove that it is compliant, should it be audited by the relevant DPA. Companies can only prove that they are compliant if everything they do with regard to data management and protection is documented, and if they can show that a checking regime is in place.
Why it’s so important to be prepared
As we explained earlier, there will be a variety of fines available for DPAs to use against companies that are non-compliant with the GDPR. The exact level of fines, aside from the highest possible, has yet to be defined, and there will be some leeway for DPAs to make decisions on this matter. There will also be some leeway when it comes to imposing other sanctions; what the available sanctions will be is also yet to be defined.
Although DPAs will have some leeway to make decisions when it comes to imposing sanctions and fines, it is expected that they will discuss this type of matter with each other. Doing so will help to maintain the level of uniformity that is required under the GDPR.
The starting point for any company should be awareness of what the GDPR covers. Many global companies do not believe that the GDPR affects them in any way. They may be in for a shock, if they have anything to do with processing the data of people living within the EU. This does not just apply to data which is received directly from the data subject; it can also apply to data received from a third party. Being aware of the GDPR, and what it means for them, is the first step on the way to compliance for any company.
From there it is a case of auditing current data and practices, and making sure that any data currently held complies with the GDPR. Companies also need to have processes and procedures in place to ensure that ongoing data collection and management complies with what the GDPR stipulates. They also need to monitor, and report on, the management of data, and to identify and mitigate risks. Although companies should do everything possible to ensure the security of data, they should also be prepared to report data breaches within 72 hours. All of this needs to be in place by 25 May 2018 in order for companies to avoid potential fines and sanctions, and to keep their good reputations intact so that future revenue does not suffer.