On the 25th of May 2018, the EU Parliament's GDPR (General Data Protection Regulation) finally becomes enforceable as EU law. Senior management will have a large say in how their organisation prepares for this new regulation, so it's imperative that they fully understand what is coming. According to a report from July 2017, only 66% of senior management have been briefed on the regulation. So take note! Here, we'll give you a full GDPR compliance checklist to help you and your business sail through this change smoothly.
GDPR Compliance Checklist
Educate Yourself As To What Is Coming
It's the first thing on our GDPR compliance checklist, and possibly the most important. As mentioned previously, only 66% of senior management have been briefed on the regulation. The EU Parliament states that 'Organizations can be fined up to 4% of annual global turnover for breaching GDPR, or €20 Million', so it's incredibly important for your company to play by the new rules!
Make Sure You Are Accountable
The GDPR includes provisions that promote, and even reward, accountability. The Data Protection Commissioner therefore advises businesses to make a full inventory of all the personal data they hold, and to examine each item against the following questions:
- Why are you in possession of it?
- How was it obtained?
- Why was it gathered in the first place?
- How long do you plan on possessing it?
- How well is the data protected, in terms of who can access it and whether it is encrypted?
- Is this data ever shared with third parties, and on what grounds may you do so?
Be Certain To Assess Personal Privacy Rights
Data subjects (i.e. you and I) have a number of rights concerning the way businesses obtain and retain their data. These include the following rights:
- To be informed
- To access
- To object
- To restriction of processing
- To the portability of data
- To data deletion
- To rectify
The bulk of these rights are the same as those in the present data protection regulations, but there are a few variations. It's critical that you acquaint yourself with these changes and plan accordingly.
Communication Is Key
Senior management aren't the only ones who need to be familiar with data subjects' rights. When personal data is obtained from customers, service users or staff, those individuals need to be informed of their rights, and that job falls on the plate of senior management.
It is important to note that the information relating to a 'data subject' can be multi-faceted: from a name, a photo or an email address, all the way up to bank details, medical information, posts on social networking sites and IP addresses. It's a crucial part of your GDPR compliance checklist, so make sure you take note!
Inform Yourself Regarding Legal Grounds
Businesses must be able to show that they have a legal basis for processing data. Most organisations currently rely on consent by default, but under the GDPR the rules have been tightened, especially in terms of how consent is obtained and recorded.
There are five other lawful grounds for processing data:
- A contract with the person
- Compliance with a legal responsibility
- Vital interests
- A public task
- Legitimate interests
Companies should learn when these grounds can be sought and adjust their data collection policies appropriately.
Research Child Permission Policies
In this part of the GDPR compliance checklist, we have to examine the lawful consent of children. The GDPR states that children cannot give lawful consent, as they 'may be less aware of the risks, consequences and safeguards' of sharing data. The default age at which someone is no longer regarded as a child is 16, but the new GDPR regulation allows EU member states to lower that age to anywhere between 13 and 16.
For instance, the Republic of Ireland and Spain are expected to have the age set at 13, whilst Germany and the Netherlands will continue with 16.
Data controllers must know the age of consent in each relevant country and avoid seeking consent from anyone under that age.
Designate A Data Protection Officer
The GDPR states that a data protection officer (DPO) should oversee an organisation’s data protection policies and compliance plans.
Although only some organisations need to appoint a DPO (primarily sole traders), the Article 29 Working Party recommends that all organisations appoint one as a form of good practice.
Make A Plan Of Action In Case Of Data Breaches
One of the biggest hurdles that the GDPR presents to companies is its data breach notification requirement. Organisations must report data breaches to their supervisory authority within 72 hours of detection, and provide them with as much detail as possible. This will be very difficult unless you already have a set plan of action that enables smooth communication with the supervisory authority.
Adopt A Privacy-By-Design Procedure
Companies looking to follow the GDPR compliance checklist fully should adopt a privacy-by-design approach to data protection. To do this, they must conduct a data protection impact assessment (DPIA) before beginning new plans or initiatives.
DPIAs help organisations understand how changes in the business will affect people's privacy. Their findings should then be used to foresee and mitigate problems well before they arise.
Common Questions Regarding GDPR
What Is The Difference Between A Regulation And A Directive?
The previous data protection legislation in the European Union was a Directive, which is a legislative act that sets out a goal that all EU countries must achieve. However, it was, and still is, up to the individual member states to decide how it is implemented.
The new GDPR legislation is a Regulation, which is a binding act. It applies in its entirety across the EU and all of its member states, without needing to be transposed into national law.
What Is The Contrast Between A Data Processor And A Data Controller?
Simply put, a Data Controller is the entity which determines the purposes, conditions and means of processing personal data. Conversely, a Data Processor is an entity which processes this data on behalf of the controller.
How Will Brexit Affect GDPR Planning And Preparation In The UK?
If you are processing data about individuals in the context of selling goods and/or services to citizens in other EU countries, then you must comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit.
Unfortunately, if your activities are limited to the UK, then the position is far less clear. This is a consequence of the general lack of information about exactly how Brexit will occur. The UK government has indicated that it will implement an equivalent or alternative legal mechanism, so we will just have to wait and see.
GDPR Compliance Checklist - In Conclusion
The sooner you begin to prepare for the GDPR, the more cost-effective and smooth the transition will be for your organisation. The GDPR gives data protection authorities far greater powers to tackle non-compliance, chiefly the €20 million fine (or 4% of turnover, whichever is greater). To make sure you never have to deal with a fine of this kind, follow the checklist and do things by the book!
The 25th of May 2018 is coming up very soon, so the sooner you get going on your checklist, the better things will be for you and your organisation. Overall, the GDPR is a great thing for our personal data security, and it's imperative that businesses follow the rules, so read our checklist again and get started!