The objective of this article is to provide a GDPR compliance checklist to allow companies to get started on GDPR compliance. It is not intended to be a comprehensive guide, but rather a quick-start guide.
GDPR Compliance Preparation Checklist
The General Data Protection Regulation has been a reality since it was first agreed upon, in 2016. But, according to Spiceworks, only 2% of IT professionals surveyed within the European Union (EU) felt that their company was fully prepared for GDPR, just twelve months before the implementation date of 25 May 2018. The same figure applied to professionals within the US, and was only slightly higher, at 5%, for professionals within the UK. This is a worrying statistic, given that compliance is necessary for companies to avoid significant fines and other sanctions.
So, what do companies need to do, to ensure that they are compliant with the GDPR? Here is a useful checklist of preparations that need to be completed.
Learn about GDPR
Most people will know something about the GDPR. The basics are that the GDPR replaces the existing Data Protection Directive. The fact that it’s now a regulation and not a directive means that there should be an improved level of uniformity, throughout the EU, regarding how personal data is processed. Article 5 of the GDPR is a good starting point to learn about GDPR, as it sets out the principles regarding the processing of personal data; many of these principles also existed under the Directive.
The GDPR also gives individuals greater control over the processing of their personal data. This applies to every person residing within the EU. They have the right of access to their data, the right to have data rectified and the right to have data erased, except in certain circumstances. Articles 12-23 of the GDPR cover the full description of the rights of individuals based in the EU, or “data subjects” as the GDPR describes them. Therefore, companies across the world may have to comply with GDPR, and not just those based in Europe. Any company either based in the EU or processing the data of data subjects based in the EU must comply with the new regulation. This also applies to companies profiling or attempting to sell to data subjects based in the EU from outside the EU.
It’s important that companies ensure that employees are aware of this information, and trained in how the GDPR works, and what it means for the way the company deals with personal data. This level of awareness and training is required as part of a company’s compliance with the GDPR.
Some Essential GDPR Definitions
A “Controller” under GDPR is the organisation or company which determines the purposes of the processing of personal data, while a “processor” carries out the processing of the personal data on behalf of the “Controller”. A “processor” can further engage “sub-processors”, and the “Controller” would have visibility and approval rights over these “sub-processors”.
The GDPR does not refer to customers or clients; the language used most consistently throughout the GDPR is “natural person” or “data subject”, and ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). For the purpose of this article, data subjects, end clients and customers will all be referred to as “data subjects”.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Article 4 of GDPR contains a full list of definitions.
Carry out an audit of data held
Once a company knows what is required to comply with the GDPR, a key starting point would be to carry out an audit of the personal data it’s currently processing and document it in line with Article 30 of GDPR. The company or organisation needs to consider areas such as:
- What personal data is being processed? What categories of personal data are being processed? Is there any special category data which requires extra safeguards?
- What is the legal basis for processing the personal data?
- Where is the personal data being processed, and is it sent outside the EU for processing?
- Where the personal data is processed outside the EU, an appropriate transfer mechanism is required.
- Who is responsible for processing the personal data? Are contracts in place with data processors?
- What is the personal data being used for? Is it shared with external parties?
- Is it necessary to still be retaining the personal data? For how long?
One of the most important things above to consider is whether it’s necessary to still be retaining the personal data. The GDPR stipulates that data should only be used for the purpose for which it was originally obtained. If this purpose no longer exists, the data should be destroyed or returned to the data subject, unless there is a legally valid obligation for retaining it. It’s also important to note that the less personal data a company holds, the less the impact of any data security issue is likely to be. The company should have a retention policy which sets out how long each type of data is retained and then adhere to that policy.
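The audit questions above, together with the Article 30 data inventory and the retention policy, can be turned into a repeatable check rather than a one-off spreadsheet exercise. The following Python script is an added example written for this article, not code from the original page or from any regulator: it models each processing activity as one line of an Article 30-style inventory and flags the gaps the checklist asks about (no Article 6 legal basis, special category data with no Article 9 condition, a processor without a contract, data outside the EU with no transfer mechanism, and data held past its retention period). The field names, the shorthand labels for the legal bases, and the sample inventory are all this example's own assumptions and constructed data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Shorthand labels for the six Article 6(1) legal bases. The labels are this
# example's own; the bases themselves are the regulation's.
ART6_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
              "public_task", "legitimate_interests"}
# Shorthand labels for a subset of the Article 9(2) conditions that permit
# processing of special category data (illustrative, not the full list).
ART9_CONDITIONS = {"explicit_consent", "employment_law", "vital_interests",
                   "health_or_social_care", "public_health", "legal_claims"}


@dataclass
class ProcessingRecord:
    """One line of an Article 30-style record of processing activities.
    The field names are this example's own choice, not a standard schema."""
    activity: str
    data_categories: List[str]
    purpose: str
    legal_basis: Optional[str]
    retention_days: int                       # 0 means no retention period has been defined
    oldest_data: Optional[date] = None        # collection date of the oldest data still held
    special_category: bool = False
    art9_condition: Optional[str] = None
    processor: Optional[str] = None           # external processor, if any
    processor_contract: bool = False          # has an Article 28 contract been signed?
    stored_in_eu: bool = True
    transfer_mechanism: Optional[str] = None  # e.g. standard contractual clauses


def audit_record(rec: ProcessingRecord, today: date) -> List[str]:
    """Return the findings for one record; an empty list means nothing was flagged."""
    findings = []
    if rec.legal_basis not in ART6_BASES:
        findings.append("no valid Article 6 legal basis recorded")
    if rec.special_category and rec.art9_condition not in ART9_CONDITIONS:
        findings.append("special category data without an Article 9 condition")
    if rec.processor and not rec.processor_contract:
        findings.append(f"processor '{rec.processor}' has no Article 28 contract")
    if not rec.stored_in_eu and not rec.transfer_mechanism:
        findings.append("data processed outside the EU with no transfer mechanism")
    if rec.retention_days <= 0:
        findings.append("no retention period defined")
    elif rec.oldest_data and rec.oldest_data + timedelta(days=rec.retention_days) < today:
        findings.append("retention period exceeded: data older than policy allows is still held")
    return findings


def audit_inventory(inventory: List[ProcessingRecord], today: date) -> Dict[str, List[str]]:
    """Map each activity name to its findings so the result can be reported on."""
    return {rec.activity: audit_record(rec, today) for rec in inventory}


# Constructed sample inventory for demonstration only; these are not real records.
AUDIT_DATE = date(2018, 5, 25)
SAMPLE_INVENTORY = [
    ProcessingRecord("customer_accounts", ["name", "email", "address"], "order fulfilment",
                     "contract", retention_days=365, oldest_data=date(2018, 1, 10)),
    ProcessingRecord("newsletter", ["email"], "marketing", "consent",
                     retention_days=730, oldest_data=date(2017, 3, 1),
                     processor="MailVendorExample", processor_contract=False,
                     stored_in_eu=False, transfer_mechanism=None),
    ProcessingRecord("staff_sickness_log", ["name", "health"], "absence management",
                     "legal_obligation", retention_days=0, special_category=True),
    ProcessingRecord("old_support_tickets", ["name", "email"], "customer support",
                     None, retention_days=1095, oldest_data=date(2014, 6, 1)),
]

if __name__ == "__main__":
    for activity, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{activity}: {'OK' if not findings else '; '.join(findings)}")
```

Passing the audit date in explicitly, rather than reading the clock, keeps the check reproducible and lets the same inventory be re-run as evidence of ongoing monitoring. In practice the inventory would be loaded from the company's own register rather than hard-coded, and a retention finding should trigger the deletion or return of the data described above, not just a report line.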
Companies need to identify any high-risk data processing that may pose risks to the rights and freedoms of data subjects. Data Protection Impact Assessments (DPIAs) should be used for this purpose where applicable. Once it has identified risks, the company needs to mitigate them. If it seems as though mitigation is not possible, a discussion should be had with the relevant Data Protection Authority (DPA) regarding the processing of the personal data. It’s expected that this type of discussion should be the exception to the rule, but if no mitigation is possible for a high-risk situation, a company must have the discussion in order to comply with the GDPR. The European Data Protection Board has issued guidelines on when DPIAs are necessary.
Ensure that policies and procedures are in place
In order to comply with the GDPR, companies need to have policies and procedures in place, and these need to be documented. Key policies and procedures are:
- A Data Protection Policy which sets out how the company or organisation processes personal data
- An Employee notice which sets out how the company or organisation processes personal data of employees.
- A data breach policy which sets out how the company or organisation manages a data breach.
- A data retention policy which details how long the company or organisation will retain different types of personal data.
- A Training guide for staff around data protection best practices
- Technical and Organisational measures to keep personal data safe and secure must be detailed.
- A policy and procedure related to data subject rights and how to respond to them.
- A contracts workstream where the company or organisation is a Data Controller and is required to sign contracts with its data processors.
- A data inventory as detailed in Article 30 of GDPR.
Accountability is a key component of the GDPR, and companies and organisations need to be able to demonstrate compliance; this is why the data inventory detailed in Article 30 of GDPR is required.
Plan for data breaches
Once GDPR is introduced, it will be mandatory for all data breaches that may impact the rights and freedoms of data subjects to be reported within seventy-two hours of becoming aware of the breach. Therefore, it’s important for every company to have procedures in place for dealing with a data breach. The GDPR is not detailed or prescriptive on the exact technical measures a company or organisation should have in place, but it states as a core principle that appropriate technical and organisational measures must be in place to prevent any unlawful processing, accidental loss, destruction or damage. It’s therefore mandatory to keep information secure, but also to have plans in place regarding what to do if the security is breached. Failure to comply with the GDPR regarding data breaches may lead to a costly fine. It could also lead to a damaged reputation, which could be even more costly in the long term, due to potential loss of custom and resulting falls in revenue.
Engage the services of a Data Protection Officer (DPO)
When the GDPR becomes a reality, any company or organisation that controls or processes personal data on a large scale must consider engaging the services of a DPO, either internally, or via an external provider. The same also applies if companies process large amounts of special category data, such as race, political or religious affiliation, trade union membership, sexual preferences, health information, and genetic or biometric personal data. Public bodies that process personal data must also have a DPO in place.
There is a likelihood that there will be a shortage of qualified DPOs available. However, there is no stipulation concerning what qualifications a DPO must hold. They do, however, need to be fully versed in what is covered by the GDPR and how it affects the business. They also need to be able to create and manage data protection systems and processes. It’s possible for a company to move someone internally to become a DPO for the company, but they must have the awareness required, comprehensive training in all aspects of the GDPR, and no conflict of interest if holding another role within the company or organisation.
Monitoring and reporting
Once a company has systems in place that will enable it to comply with the GDPR, it also needs to develop monitoring and performance processes. These processes need to exist for two reasons. Every company needs to be able to check that its processes are working, and that it’s fully GDPR compliant, at all times. And, every company needs to be able to prove that it’s compliant, should it be audited by the relevant Data Protection Commission. Companies can only prove that they are compliant if everything they do, with regards to data management and protection, is documented, and if they can prove that a system of controls is in place.
- Ensure that contracts with data processing providers reflect the respective GDPR responsibilities.
- Audit any personal data that the company processes to ensure that it’s accurate, up to date and that the company still has a legal basis to retain it. Complete a data inventory and ensure that your data inventory is compliant with the GDPR Article 30 requirement.
- Ensure the company has a fit for purpose retention policy and that the company is respecting it and that it respects the statutory law on insurance industry data retention.
- Ensure that the company has the appropriate Technical and Organisational measures in place to keep personal data safe and secure.
- Ensure the company is set up and trained as an organisation to deal with any data subject access requests or other requests from data subjects around their personal data. The GDPR introduces new data subject rights around data portability and data erasure. Personal data erasure is not an absolute right, and should the company have a legal requirement to retain the data it would be retained. The new data portability right means that a company or organisation may have to transfer a client’s data in a machine-readable format to a rival company or organisation.
- Ensure the company is set up and trained to deal with any data breaches and reporting of such to the data protection authorities.
- General training and awareness around data protection is critical for organisations as incorrect data disclosure is the greatest reason for data protection breaches.
- Ensure the company is legally entitled to process personal data and that it has an applicable legal basis, be that contract, legal obligation or, where consent based, that any required consent is in place. Where processing is based on consent, ensure that there are proper records of that consent. There are 6 legal bases for processing personal data set out in Article 6 of GDPR, and extra ones for special category data set out in Article 9 of GDPR.
- Demonstrating compliance is a key area under the accountability requirement of GDPR: organisations must be able to demonstrate compliance with the regulation by means of a paper trail. Ensure there is ongoing monitoring of compliance.
- Consider appointing a DPO (Data Protection Officer); the European data protection working group WP29 has issued guidance on the sectors which should consider appointing a DPO.
- Data minimisation and privacy by default and design must be a core principle of any data processing. This means collecting only the personal data required for the purpose and having data protection as a key lifecycle component of any processing in the company or organisation.