Whether you’re a business owner, a senior manager, or an external consultant brought in for the job, if it’s your task to keep on top of GDPR policy and make sure your company meets the GDPR compliance requirements, you have a lot on your plate. So, why not create a checklist to keep track of it all?
Why a checklist?
Checklists (and to-do lists) have proven to be a useful tool for setting out tasks and getting them done. They help ensure you don’t skip a step of a process or leave out vital information, which lets you accomplish more. A checklist can be created simply with pen and paper or a spreadsheet; those looking for a more advanced approach can turn to project management tools (like Zenkit) whose checklist templates make creating and managing tasks easier.
Since the GDPR deadline is fast approaching (25 May 2018, for those playing at home), we’ve compiled a list of questions you can use to prepare for the big day. Aptly named ‘the GDPR compliance checklist’, its purpose is to highlight, through the answers you give, how much work remains before you and your company are compliance-ready.
The GDPR compliance checklist
1. Has awareness been created?
Informing all the employees of your business or organization about the new data protection regulation, and raising their awareness of it, is the first step towards company-wide compliance. Regardless of whether staff members work directly with personal data, it is worth educating everyone involved in your business about what the GDPR requires, what it means for your business, and what the risks of non-compliance are. This also includes clients, stakeholders, and other individuals involved in your business who are not staff members working in the office.
2. Does everyone realize the severity of non-compliance consequences?
Businesses and organizations that fail to comply with the GDPR face severe penalties. Fines can be imposed for infringements of the regulation, such as processing personal data without a valid lawful basis (for example, without sufficient customer consent). Fines are arranged in a two-tier structure and apply to both controllers and processors: the lower tier reaches up to €10,000,000 or 2% of annual global turnover, and the upper tier, for the most serious infringements, up to €20,000,000 or 4% of annual global turnover, whichever amount is greater in each case.
Hefty GDPR fines are not the only consequence your business or organization will face for breaching the regulation. Also at risk are your company’s reputation and customer loyalty, and you may incur legal fees to rectify the issue.
3. Has a data audit been conducted?
Auditing all the personal data that exists across your business lets you know what is being kept, where, by whom, how, and why. It will make accountability clear, and it will show whether the personal data you hold is actually needed (hint: if it’s not, your best bet is to remove it from your records).
Conducting a data audit doesn’t have to be a daunting process. Create a GDPR audit checklist (perhaps structured similarly to this one) and start from there. Your audit should map out where all the personal data your business collects comes from, and then record how it’s being processed and used, and under which lawful basis. Make sure you include who can access the data, how long it is retained, and what risks it poses. Once all the information is recorded and analyzed, you’ll be able to determine what’s worth keeping, and what’s better off erased, pseudonymised or encrypted. This record also gives you a head start on the record of processing activities that Article 30 of the GDPR requires most controllers and processors to maintain.
4. Can the average Jane understand the language used in your terms and conditions?
The GDPR has raised the bar for consent, which means businesses can no longer get away with lengthy terms and conditions written in text that most people without a law degree can’t fully comprehend. Requests for consent have to be in plain, accessible language, so that consumers don’t end up allowing businesses to use and process their data without really knowing it. It also has to be as easy to withdraw consent as it is to give it.
Stricter consent also means no more pre-ticked boxes, and no bundling consent into a precondition of a service: consent has to be freely given, specific, informed and unambiguous, signalled by a clear affirmative action (and explicit for special categories of data, such as health data). Consent requests must be kept separate from your terms and conditions, and since you must be able to demonstrate that a person consented, keeping records of when, how and to what each person agreed belongs on your list once you’ve completed this GDPR compliance checklist.
5. Do business policies and procedures adhere to consumers’ digital rights?
The new regulation introduces enhanced digital rights for consumers. This means they will have more control over how their personal information is being used, and that those who misuse that information will face heavy financial consequences. Some of the more significant of the rights include the following:
- The right of access
Under the GDPR, data subjects (consumers) have the right to ask data controllers about their personal data. They have the right to know whether their data is being processed, where it is held, who it is shared with, and for what purpose. Data controllers also have to provide a copy of the personal data, free of charge, when it is requested.
- The right to be forgotten
Also known as the ‘right to erasure’, this entitles data subjects to have their personal data deleted or its processing stopped. Grounds for erasure include the data no longer being necessary for the purpose it was collected for, or the data subject simply withdrawing consent (where consent was the lawful basis).
- The right to data portability
Data portability is a new digital right that lets data subjects receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and send it to another controller.
6. Are your data processors aware of the different ages of consent?
The GDPR sets the default age at which a child can consent to online services at 16, but allows member states to lower it to as young as 13, so it varies across the 28 EU member states. For instance, countries like Spain and Sweden have opted for 13, whereas Lithuania, Germany and the Netherlands keep the default of 16. What this means is that your policies must handle consent correctly for each market you serve, including obtaining verifiable parental consent for the personal data of children below the applicable age.
7. Has a process for reporting a data breach been developed?
Your GDPR compliance checklist must include the steps employees have to take when a personal data breach happens. As the controller, you must report a breach to your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; if you are a processor, you must notify the controller without undue delay. Where the breach is likely to result in a high risk to individuals, the affected consumers must be told as well, without undue delay. Because the 72-hour clock starts when you become aware of the breach, your process needs a clear internal escalation path so that the people who can assess and report it hear about it quickly, and you must keep a written record of every breach, including the ones you decide not to report, along with the reasoning.
8. Are your privacy notices clear enough?
A significant part of the new regulation, and one that shouldn’t be missing from your GDPR compliance checklist, is being transparent about how you intend to use consumers’ personal data. This includes disclosing your lawful basis for processing the data, your retention periods, and the fact that consumers have a right to complain to their data protection authority if they are unhappy with the way you use their data. Privacy notices are one of the best ways to communicate this kind of information to consumers. They must be written in clear and concise language so that consumers understand why and how you are using their data.
9. Will you be hiring a DPO?
Under the GDPR, public authorities, and businesses whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions, must designate a Data Protection Officer (DPO). A DPO is formally appointed to oversee the organization’s data protection strategy and to ensure compliance with the new requirements. Having one means having an expert around to guide your business and its staff towards fewer risks and data breaches.
Of course, not all businesses and organizations are required to appoint a DPO; however, it is best practice to designate someone to be responsible for data protection compliance. Think about assigning this role internally if outsourcing is out of reach.
10. Will a Data Protection by Design approach be taken?
Taking a data protection by design approach to new projects means that data protection is considered and built in from the very beginning of a system’s design, instead of being bolted on afterwards. This goes hand in hand with Data Protection Impact Assessments (DPIAs), which help to identify data-related risks and limit the chances of a breach before any processing starts.
A DPIA is mandatory for any processing that is likely to result in a high risk to individuals, such as large-scale processing of special categories of data or systematic monitoring of a publicly accessible area. Doing one not only demonstrates GDPR compliance but also improves awareness of data privacy risks throughout your business. It can also reduce operating costs: it is far cheaper to build safeguards in at the design stage, with information flows optimized from the start, than to retrofit them later.
11. Will the reduced time of access request affect company procedures?
Consumers have the right to request access to their information, and when they do, businesses have one month to satisfy the request (extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month), which is less time than the 40 days allowed under some existing national laws such as the UK’s Data Protection Act 1998. In most instances you won’t be able to charge for complying with a request; only if a request is manifestly unfounded or excessive may you charge a reasonable fee or refuse it. Businesses and organizations must ensure that their internal procedures and policies are adjusted to meet this GDPR compliance requirement. If you decide to refuse a request, you must tell the individual why, without delay and at the latest within one month, and advise them that they are entitled to complain to the supervisory authority and to seek a judicial remedy.
12. Are you aware of the different data protection authorities?
Data protection authorities (DPAs) are independent public authorities that oversee data protection law. There is one in every EU member state, and their job is to provide expert advice on data protection issues and deal with complaints lodged under the GDPR. Every business or organization has a national data protection authority in the member state where its main establishment is located. For businesses that process data across several EU member states, the authority of the main establishment acts as the lead supervisory authority and main contact point, which may therefore be in a different country from the office handling a given issue. Knowing who and where your lead supervisory authority is, and which local authorities cover the other places you operate, is useful knowledge for GDPR compliance.
To find your national data protection authority, consult the list of authorities published by the European Commission.
How many questions did you tick off on this GDPR compliance checklist?
Dinnie and the Zenkit Team