GDPR Compliance Checklist
The General Data Protection Regulation (GDPR) is considered the most important data protection regulation globally. It was issued to protect EU citizens' data wherever it is stored or processed. GDPR became enforceable in May 2018; since then, it has become the main legal framework that any global organization is subject to when handling the data of citizens in the European Union's member states. GDPR applies to both individuals and organizations. Hence, any organization (whether commercial or government) must comply with the GDPR when collecting or processing the personal information of people living in EU countries.
Organizations handling personal data may be based outside the territories of the EU member states. However, when they process EU citizens' data, they must adjust their data collection and processing activities (e.g., data security, regulated access to sensitive data) to be in line with the GDPR. This processing requirement makes the GDPR applicable to many different entities, both domestic and foreign to EU countries. All these entities must understand the GDPR requirements and strictly meet them to avoid paying significant fines in cases of non-compliance.
GDPR Compliance Checklist
Before listing the main GDPR checklist elements, any organization working to comply with the GDPR requirements must conduct a data audit first. This helps it understand which data it must protect according to the GDPR rules. For example, the organization should answer the following questions during the data audit:
- What data does the organization hold?
- Where is it located?
- Who has access to this data, including any third-party providers or contractors?
- What technical measures (e.g., encryption) are implemented to protect this data?
- Data retention: how long will this data be stored?
Now, let us return to our checklist.
Establish a lawful basis when collecting data from users
The following practices are recommended for legally collecting personal data:
- Inform users about collecting personal data before doing so
- Present a convincing purpose for collecting and processing users' information
- Collect only the data needed for the advertised purpose
- Specify how long collected data is stored
- Get users' consent before processing their data
- Inform users about any updates to your data collection, processing, or retention processes.
Maintain an up-to-date data protection policy
Any organization working to meet the GDPR requirements should have an in-house data protection policy. If a policy already exists, the organization should review it to make it compliant with the GDPR requirements. Otherwise, the organization must develop one that is compliant with the GDPR directives.
The ultimate goal of implementing such a policy is to ensure all data is collected, processed, and stored securely, and that it is only accessible to the limited number of people who need access to such data.
Know your supervisory authority
For each EU state, there are one or more supervisory authorities responsible for monitoring GDPR compliance. This supervisor plays the role of an advisor for answering compliance-related questions. The GDPR supervisory authority is also responsible for receiving notifications from organizations in case of a data breach incident.
Conduct a Regular Data Protection Impact Assessment (DPIA)
A DPIA allows an organization to prove that all stored sensitive personal data is processed and protected according to GDPR data security standards when it conducts a high-risk data processing activity.
Article 35 of the GDPR covers Data Protection Impact Assessments. This is a new requirement imposed by the GDPR when conducting high-risk data collection activities (for example, using new technology) that may affect users' personal information.
Ensure all users' privacy rights are upheld according to the GDPR
Chapter 3 of the GDPR defines the rights of users. An organization should pay attention to these rights to avoid taking any action that results in a non-compliance status.
The organization must make sure that its customers and website users can control their stored information; users must be able to:
- Request all information stored about them
- Request to stop processing their information
- Update their information in case it is incomplete or incorrect
- Get a copy of their data in case they want to move to another provider or company
- Have the right to request complete data deletion
Hire a data protection officer
A data protection officer (DPO) can be an in-house or outsourced expert (e.g., independent consultant) who monitors an organization's GDPR compliance and sends reports to top management about any data breach risks.
The GDPR requires any company that processes personal data and has more than 10-15 employees to hire a DPO. The same applies to public entities and to companies processing data on a large scale.
Complying with the GDPR requires organizations to spend a considerable amount of time and resources strengthening their data protection measures. Organizations must review their entire work processes to ensure all data is collected, processed, and stored in compliance with the highest security standards imposed by the GDPR.