The May 2018 deadline for General Data Protection Regulation (GDPR) compliance is drawing closer — which means your organisation’s compliance activities should be well underway. But if you’re still looking for a place to start, here’s a GDPR checklist template to get you going:
The 8-Part GDPR Compliance Checklist For Prepared Organisations
1. Establish a programme of work that covers the construction of a coherent inventory of your processes that relate to personal data.
The emphasis here should be in understanding how the GDPR defines personal data:
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Create a data inventory/map and do Data Privacy Impact Assessments where necessary.
To establish a programme of work that inventories your processes as they relate to personal data, you have to know where your data is located—which is where a data inventory/map comes in.
A data map helps you understand how data flows through your network. While a map isn’t required for GDPR compliance, it is a good exercise to go through before the GDPR deadline. While there are myriad options for creating your data map—from simple spreadsheets to complex data mapping tools—you’ll want to be certain you know where personally identifiable information (PII) is collected and stored, and the routes it takes to get to those areas.
A Data Protection Impact Assessment (DPIA) is a formal process required by the GDPR for processing operations that present specific risks to data subjects. Article 35 of the GDPR provides that DPIAs should include:
- A systematic description of the envisaged processing operations and purposes.
- An assessment of the necessity, proportionality, and risks.
- The measures to address the risks.
- Safeguards to ensure protection of personal data.
- Demonstrated compliance with the regulation.
- A requirement to take into account the rights, freedoms, and legitimate interests of data subjects.
3. If applicable, ensure the information and the consent language you provide to your customers is transparent, clear, unambiguous, and written in plain language.
Does your website, for example, make it explicitly clear what data subjects are opting into (or opting out of) when it comes to providing your company with their personal data? If not, you won’t be compliant with the GDPR.
If relying on consent to collect and use an individual’s personal data, under the GDPR this consent must be:
- “Unambiguous”, if the data in question is ordinary, non-sensitive personal data (Article 6 and Article 4(11)); but
- “Explicit”, if the data in question is sensitive personal data (i.e. relates to any of the categories of sensitive data listed in Article 9(1) of the GDPR).
For example, under the GDPR, it isn’t acceptable to bury consent language in lengthy terms of service or privacy policies. Recital 32 provides that consent may be signified by “ticking a box when visiting a… website, choosing technical settings… or by any other statement or conduct which clearly indicates… the data subject’s acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.”
In addition, the provision of a service or product cannot be made contingent on the data subject’s consent to the processing of his/her data for purposes that are unnecessary for the provision of the service (Recital 43, Article 7(4)).
The GDPR requires companies to separately obtain consent for each processing purpose. For example, if you are collecting personally identifiable information (PII) to provide a service and also to use for your marketing, you would need two separate consents. This puts the burden of proving consent squarely on your organisation (Recital 32, Article 7).
4. Outline a plan for compliance with the more complex rights of the data subject, including rights of access, rights of correction, rights of rectification, rights of data portability, and rights of erasure.
Articles 12-23 in the GDPR outline the affirmative rights given to data subjects in the EU, and outlines how data subjects can expect to have their personally identifiable information (PII) handled. For example, if an individual requests that his or her data be removed from a company’s records, your organisation must take action within one month. Complying with these data rights requires your business to have a fleshed-out plan as to how you’ll comply with the rights given to customers through the GDPR.
5. Have a process by which you risk-assess your own data.
The GDPR imposes heightened requirements on organisations that engage in “high risk” activities, which includes processing that is likely to result in an increased risk to the rights and freedoms of natural persons (Article 35).
In order to understand your obligations, you will need to review the types of data you collect and how you use that data (see step #2 above), as well as the nature of the risk associated with such data.
6. Have an understanding of where and how you share personal information with third parties, and ensure that you have the correct contracts in place with these processors to comply with laws.
Under the GDPR, it’s not just about protecting data inside your organisation, but also protecting data that your third parties have access to. Organisations that collect personal data must have rigorous due diligence processes to ensure the appropriate technical and organisational controls are in place before sharing data with vendors (as found in Article 32). Additionally, organisations should consider reviewing vendor contracts to ensure that vendors are contractually obligated to protect data as required.
7. Assess your information security programme as it relates to personal data, including third parties you share such data with.
It’s a good idea to work through a classic risk assessment that looks at potential threats to your company’s data, network vulnerabilities, and the potential consequences your organisation could face if data is compromised. (Once the GDPR goes into effect in May 2018, the maximum fine for noncompliance is €20,000,000 or 4 percent of a company’s worldwide revenue—whichever is greater.) Assess your internal security programmes as well as those of your third parties (for the reasons listed in #6).
8. Establish a mechanism to identify if, when, and where any breach takes place and how you will handle it.
Establishing, practicing, and abiding by a breach response plan will help tremendously with this. Part of your breach response plan should include putting the right technology in place to detect or discover if and when an incident has occurred. The sooner you uncover it the better your chances of successfully managing the fallout. If you do not have continuous monitoring software, be sure to look into your options!
Keep in mind that no GDPR compliance template will ensure that you are compliant.
While the steps in this checklist will help your organisation prepare for the upcoming GDPR deadline, checking off boxes will not ensure that you’ve met the level of care required by the GDPR. Your organisation will have to meticulously work its way through the details of the regulation and ensure that every requirement is satisfied, so your company doesn’t become a “cautionary tale” for other businesses going forward.