05 May GDPR Compliance 101
The EU General Data Protection Regulation (GDPR), described as the most important change in data privacy regulation in the last 20 years, comes into effect on 25 May 2018!
It applies to all organisations, located inside or outside the EU, that process or hold the data of EU citizens. Since non-compliance triggers heavy fines (4% of annual global turnover!) and may harm the image of your brand, it is high time to make sure that your corporate policies and procedures meet the new demands. This checklist will help you assess your readiness and make timely changes.
Checklist on GDPR Compliance.
You have determined that your data processing activities are absolutely necessary and have chosen the appropriate lawful basis for each activity. You have documented the purposes of and the lawful basis for the processing and included the relevant information in the privacy notice.
Where consent is your lawful basis for processing, you have made sure that the way you receive, record, and manage it is compliant with the GDPR. In particular,
- you do not use any form of default consent, but ask people to positively opt in,
- you give the name of your organisation and of any controller that will rely on the data,
- you explain why you need the data and what you will do with it in plain and clear language,
- you do not make consent a precondition for the service,
- if you market to children, you use appropriate age verification tools and seek consent from the parents or guardians of all children under the age of 16,
- you inform people that they can withdraw consent at any time,
- you keep a record of how consent was received, including all details about how people were invited to give it,
- you have a procedure to regularly review consents, checking whether activities and purposes have changed,
- you do not penalise people for withdrawing consent, and you act on such requests as soon as possible.
You have made sure that you respect and facilitate the way people exercise their personal privacy rights such as the right to be informed, the right to access, the right to erasure, the right to rectification, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
You have revised your security policies, making sure that they comply with the GDPR. In particular:
- where you work with processors, you have written contracts determining the responsibilities and liabilities of the parties,
- you maintain up-to-date documentation of all processing activities in written or electronic form so that it can be provided to the regulatory bodies,
- you have implemented technical and organisational measures that ensure data protection by design and by default (e.g. encryption and pseudonymisation),
- you have developed procedures to assess data protection risks (DPIAs), to detect and investigate data breaches, and to report data breaches to the Information Commissioner’s Office and to data subjects as defined in the GDPR,
- you have made sure that your policies and safeguards regarding overseas transfers of data are adequate and compliant with the GDPR.
You have appointed a Data Protection Officer (obligatory for all public authorities and organisations that carry out large scale systematic monitoring of people or large scale processing of special categories of data) or another person with data protection responsibilities.
You have made sure that your legacy data is GDPR compliant. Specifically, you have made sure that the way you collected personal data is fully documented and follows all the current demands. Otherwise, you have reconnected with the individuals in your database, informing them of the categories of personal data you hold, the purpose of its processing, and other relevant information, asking them to renew their consent and giving them a chance to object to the processing of their data.
You have made sure that you adequately demonstrate compliance with the GDPR through your written policies and procedures, staff training, record keeping, etc.
You have planned proper communication with your staff and service users: as the owner you of course need to know about data rights, but so do others in the organisation. Whenever you collect personal data from staff, clients, or service users, you will make sure that they are informed about their rights.
IT and marketing staff are not suitable candidates for the DPO role. The GDPR says that the DPO cannot do two jobs at once: manage data and also govern data. This means that an IT manager, IT director, CTO, or security manager is not suitable as DPO. A marketing manager is also a mismatch for this role; the best choices would be the head of finance, risk, or legal. The DPO does not have to belong to the organisation; the role can also be filled by an external appointee.
We hope you have responded positively to all of the statements in the checklist. If some of them still make you doubt your compliance, be sure to review the detailed GDPR requirements once again and embrace change. After all, the GDPR is an important step towards respect for personal privacy rights and data security, which is definitely a good move!