After all the build-up, GDPR finally swept in on 25th May 2018 when the EU legislation was implemented in the UK. For most people, the milestone passed by with a flurry of emails from companies begging to stay connected, using everything from free prize giveaways to emotional blackmail as tactics to gain their customers' consent to stay on their mailing lists.
Yes, for most of us the date simply marked a significant decrease in the number of emails in our inboxes each morning. However, for anyone involved in the collection, storage or processing of the personal data of any EU citizen, the arrival of the GDPR marked the deadline for ensuring compliance with one of the biggest changes in data security law this country has ever seen.
So, how do you know if your company is ready and compliant?
GDPR Compliance Checklist
We’ve put together a checklist to assess whether your organisation has done enough, in time, to establish data compliance standards for GDPR.
1. Preparing Your Staff
You should already have identified key personnel who must take responsibility for understanding the impact of GDPR on your business and ensuring compliance. Some companies have chosen to outsource elements of this role whilst others will have hired, or changed the job function of, an individual.
If your organisation:
- deals with large-scale data collection, processing or storage (including the systematic monitoring of individuals);
- is a public body; or
- processes and/or collects special categories of data, including health records, criminal convictions, etc.;
then you will need to ensure you have appointed a Data Protection Officer (DPO) to comply with the mandatory element of GDPR staffing. Though not compulsory for many businesses, appointing a DPO is widely seen as good practice.
2. Assess the Data Held
You should by now have identified all the personal data that your organisation stores and made an inventory of:
- The purpose of this data.
- The source of this data.
- How this data is distributed.
4. Put Yourself in Your Customer’s Shoes
One of the keys to assessing your GDPR readiness is understanding the rights of the individual under GDPR. GDPR grants individuals enhanced rights, as follows:
- The right of access to their data.
- The right to be informed about the use of their data.
- The right to be able to rectify data held about them.
- The right for their data to be erased.
- The right to restrict how their data is shared (and with whom).
- The right to data portability.
- The right to object to the use of their data.
- The right for their data not to be used for automated decision making, such as profiling.
5. Review Your Response Time
Requests made under some of the rights above must be dealt with within a 30-day timeframe. Assessing your organisation’s ability to handle requests for access, erasure, portability or rectification is essential to ensure compliance.
If you handle large volumes of data then consider the impact on staff resources to meet this requirement.
6. Safeguard Accountability
It is a major requirement of GDPR that you document the process by which data is collected, stored, used and shared. An individual’s rights may also be modified depending on the legal basis for how you process their data. Ensure that you have a robust process for documenting compliance.
7. Nothing Less than a Yes, Without Duress, Will Do
GDPR is all about consent and the process by which you collect personal information is one of the major factors for compliance.
You should ensure that the process for data collection fully complies with the requirements of GDPR including how you record this consent, manage withdrawn consent and provision for minors (under the age of 16) who must have parental approval to issue consent.
Consent must be an active opt-in process with clarity on how and what you are using the data for along with how to withdraw consent for data to be used, stored or shared.
8. Report Breaches
Data Controllers must be registered with the Information Commissioner’s Office (ICO), and organisations must have an effective and actionable policy in place for dealing with data breaches. As well as reporting these incidents, procedures should be in place to detect potential threats, contain breaches and investigate any events that occur.
9. Incorporate Data Privacy by Design
Conduct Privacy Impact Assessments (PIAs) to assess how data is managed within your company’s processes. PIAs are mandatory in certain circumstances, and the GDPR explicitly requires ‘data protection by design’. This means that data privacy should be a key focus in your organisation’s activities.
10. Understand the International Impact
If your organisation operates across EU borders then it is essential that you comply with the requirements of the local supervisory data protection authority.
Ensuring compliance with GDPR is proving to be a mammoth task for some organisations and although the implementation date has now passed, it would be naïve to think that everyone is ready and prepared. Seeking help to get your systems and processes in place is essential if you think that you have not covered any one of the above steps.