The May 2018 deadline for General Data Protection Regulation (GDPR) compliance is drawing closer — which means your organisation’s compliance activities should be well underway. But if you’re still looking for a place to start, here’s a GDPR checklist template to get you going:
The emphasis here should be on understanding how the GDPR defines personal data:
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
To establish a programme of work that inventories your processes as they relate to personal data, you have to know where your data is located—which is where a data inventory/map comes in.
A data map helps you understand how data flows through your network. While a map isn’t required for GDPR compliance, it is a good exercise to go through before the GDPR deadline. While there are myriad options for creating your data map—from simple spreadsheets to complex data mapping tools—you’ll want to be certain you know where personally identifiable information (PII) is collected and stored, and the routes it takes to get to those areas.
A Data Protection Impact Assessment (DPIA) is a formal process required by the GDPR for processing operations that present specific risks to data subjects. Article 35 of the GDPR provides that DPIAs should include:
Does your website, for example, make it explicitly clear what data subjects are opting into (or opting out of) when it comes to providing your company with their personal data? If not, you won’t be compliant with the GDPR.
If relying on consent to collect and use an individual’s personal data, under the GDPR this consent must be:
For example, under the GDPR, it isn’t acceptable to bury consent language in lengthy terms of service or privacy policies. Recital 32 provides that consent may be signified by “ticking a box when visiting a… website, choosing technical settings… or by any other statement or conduct which clearly indicates… the data subject’s acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.”
In addition, the provision of a service or product cannot be made contingent on the data subject’s consent to the processing of his/her data for purposes that are unnecessary for the provision of the service (Recital 43, Article 7(4)).
The GDPR requires companies to separately obtain consent for each processing purpose. For example, if you are collecting personally identifiable information (PII) to provide a service and also to use for your marketing, you would need two separate consents. This puts the burden of proving consent squarely on your organisation (Recital 32, Article 7).
Articles 12-23 of the GDPR set out the affirmative rights given to data subjects in the EU and describe how data subjects can expect to have their personally identifiable information (PII) handled. For example, if an individual requests that his or her data be removed from a company’s records, your organisation must take action within one month. Complying with these data rights requires your business to have a fleshed-out plan for how you’ll honour the rights given to customers under the GDPR.
The GDPR imposes heightened requirements on organisations that engage in “high risk” activities, which includes processing that is likely to result in an increased risk to the rights and freedoms of natural persons (Article 35).
In order to understand your obligations, you will need to review the types of data you collect and how you use that data (see step #2 above), as well as the nature of the risk associated with such data.
Under the GDPR, it’s not just about protecting data inside your organisation, but also protecting data that your third parties have access to. Organisations that collect personal data must have rigorous due diligence processes to ensure the appropriate technical and organisational controls are in place before sharing data with vendors (as found in Article 32). Additionally, organisations should consider reviewing vendor contracts to ensure that vendors are contractually obligated to protect data as required.
It’s a good idea to work through a classic risk assessment that looks at potential threats to your company’s data, network vulnerabilities, and the potential consequences your organisation could face if data is compromised. (Once the GDPR goes into effect in May 2018, the maximum fine for noncompliance is €20,000,000 or 4 percent of a company’s worldwide revenue—whichever is greater.) Assess your internal security programmes as well as those of your third parties (for the reasons listed in #6).
Establishing, practising, and abiding by a breach response plan will help tremendously with this. Part of your breach response plan should include putting the right technology in place to detect or discover if and when an incident has occurred. The sooner you uncover it, the better your chances of successfully managing the fallout. If you do not have continuous monitoring software, be sure to look into your options!
While the steps in this checklist will help your organisation prepare for the upcoming GDPR deadline, checking off boxes will not ensure that you’ve met the level of care required by the GDPR. Your organisation will have to meticulously work its way through the details of the regulation and ensure that every requirement is satisfied, so your company doesn’t become a “cautionary tale” for other businesses going forward.