GDPR Compliance Checklist

The General Data Protection Regulation (GDPR) is a law in the European Union to protect EU citizens from misuse of their personal information. At its core, the GDPR is a set of rights for the individual, designed for the purpose of strengthening data privacy and data protection for individuals. It is intended to harmonize data privacy laws across Europe, and protect and empower EU citizens’ data privacy by overhauling the way organizations handle customer data.

The GDPR will impact how companies can collect, store, and process data pertaining to users, demanding greater accountability and transparency from organizations engaged in these activities. Whether yours is an EU-based organization or looking to do business with the EU, you’ll need to ensure your business is GDPR compliant. See our GDPR Infographic with compliance checklist to better understand what you need to do.

Cost of Non-Compliance

The GDPR is extensive, and determining how to get started with GDPR compliance can be daunting. We’ve come up with a GDPR compliance checklist to help you get your GDPR implementation plan up and running. If you haven’t yet executed a GDPR compliance plan, do not delay. The cost of failure to comply with GDPR comes in different levels, but it’s harsh on each level. For serious offenses, penalties can be as much as 4% of annual earnings or € 20,000,000. For less serious offenses, penalties can be 2% of annual earnings or € 10,000,000. As you can see, the EU takes customer privacy very seriously. So, get started on your GDPR compliance checklist today!

How to Get Started

Understand Governance: The first step of your GDPR compliance checklist should be to become familiar with GDPR on a very detailed level and develop a company policy which clearly denotes the roles and responsibilities of each member of the organization. This included developing and administering training to the entire organization so that each employee is aware of their responsibilities.
Establish Accountability: Depending on the size of your organization, designing and executing your company’s GDPR implementation plan could be a big job. GDPR requires that your organization appoint a Data Protection Officer to supervise compliance for all GDPR-related issues. You might also need to assign staff to assist the Data Protection Officer in the enforcing the new privacy policy. Of course, these steps are only necessary to meet GDPR compliance with your in-house team. A managed IT services partner can also do this for you.
Develop Fair Processing and Consent: You will need to take inventory of the data you already have and determine if it meets the new standards of consent. This is important because GDPR is applicable to ALL data, not just data collected during the enforcement period. This audit should include an evaluation of the data you currently store, how you collected them, how you are keeping them secure, and whether or not you are collecting data on any of the named special subcategories, such as genetic, social identity, or children’s data.
Update Notices: GDPR doesn’t just protect customer data, it also protects employee data. Both employee and customer notices will need to be updated to comply with the new standards. If your organization conducts criminal checks on current or prospective employees, you might need to review your local laws to verify that this is still acceptable. For customers, you will also need to ensure that your consents are compliant with the rules regarding children.
Review Children’s Data Process: Perhaps the most sensitive part of the GDPR compliance checklist is evaluating and reconfiguring the way your company collects data on children. The general rule is that any data collected on a child under the age of 16 requires explicit parental consent. However, the regulation allows each member state to set their own age of consent to anywhere between 13 and 16 years old. Be sure that you know the rules specific to all the regions in which you operate.
Update Subjects Rights and Data Procedures: Updating your company’s data privacy policy and developing a system for handling customer requests will be a critical point of compliance. Customers need to be thoroughly informed of the rights of their data as it passes through your organization. In this documentation, you will need to explain why each specific type of data is collected, how they will be used, and you must be able to provide them access to their data if requested.
Take Records of Processing: Your organization will need a system of recording all data-processing, which will need to specify the type of data processed, the security measures employed, and several other details.
Limit to Privacy by Design and Privacy by Default: Privacy by design and privacy by default are now legal requirements, which means that company products should limit the processing of data to very specific purposes. Your organization will need to obtain customer consent each time it would like to use that customer’s data for a new purpose.
Establish a legal basis for every data type your company collects: In addition to mandating how customer data must be treated, GDPR is also very clear that there must be a legal basis for every type of data collected.
Set Data Breach Procedures: Your organization will need a clear plan for handling customer and employee data breaches. The plan should include a rapid-response protocol, loss mitigation, and notifications of the authorities and affected data subjects. This is a critical step in your GDPR compliance checklist because failure to report data breaches is a serious offense under the regulation.
Create a Data Export Mechanism: Another big point in this GDPR compliance checklist is evaluating and reconfiguring how data is communicated across borders, especially to countries outside the EU. GDPR only allows cross-border transmission of EU data if the receiving country maintains an acceptable level of protection.

Technical Support

We get it, GDPR is big and complex and can be a little overwhelming. For expert IT services to implement this GDPR compliance checklist, NIC’s team is ready to help. Contact NIC today for a free consultation on a GDPR implementation plan. For more information on GDPR and other interesting topics, see the NIC blog.