GDPR Compliance To-Do List

The goal of this GDPR To Do List is to assist organizations and businesses that gather, process or retain the personal data of “data subjects” based in the EU and to help them take steps to ensure compliance with GDPR. This is not a complete guide to GDPR compliance, but a reminder of the important “rules of thumb” to get up and running.

Preparing a GDPR To Do List

Though it was generally known that the General Data Protection Regulation (GDPR) would have a big impact since its approval in 2016, only a few organizations were ready with a GDPR To Do List at that point. Spiceworks reported one year before GDPR’s implementation date that only 2% of the surveyed Information Technology professionals across the European Union considered their company or business adequately prepared for GDPR. The same figure applied to IT pros in the USA, and the figure was only slightly higher in the UK, where 5% of organizations felt they were prepared. The statistics show that organizations should be concerned about compliance if they are to avoid financial penalties.

Compliance with the GDPR requires organizations to take the following actions:

Understand GDPR Requirements

Almost all business owners have some knowledge about GDPR. One thing about the GDPR that is important to know is that it takes the place of the Data Protection Directive (DPD). An EU Regulation, unlike an EU Directive, applies directly in every member state and so enhances uniformity in the management of personal data across the entire EU.

The GDPR gives people more control over the way their personal information is processed. GDPR applies to all “data subjects,” which refers to any individual who is residing in a member state of the EU when their personal data is gathered. Data subjects possess the right to be made fully aware of the personal data that is collected and retained, to amend incomplete or incorrect data, and to request the deletion of data (save for a few specific instances). It is crucial to note that organizations all over the world will be affected by GDPR, and not just those established in the EU. Organizations that gather, process or store the private information of data subjects are required to follow the new law.

Organizations and businesses should inform their personnel about their GDPR To Do List, provide training on the goals of GDPR, and explain the effect of its requirements on how the organization manages data.

Performing an Audit of Stored Information

When an organization has put together a GDPR To Do List, the next step is to perform an audit of the personal information that it currently maintains. Consider asking the following questions:

  • What type of data is collected?
  • Where is the data stored?
  • Who is responsible for data management?
  • What is the purpose for collecting data?
  • Is retention of data still required?
  • What security measures are implemented to secure the data?
  • Is the information accessible, and can it be provided to a person who makes a Subject Access Request (SAR)?

Perhaps the most important thing to be aware of is whether it is still necessary to retain the information at all. The GDPR says data must be used only for the purpose that warranted its collection. If that purpose no longer exists, the data must be destroyed or deleted, except in instances where there is a legitimate reason to keep it. In general, the less data an organization keeps, the less impact any data breach will have.

Identification of Risks

You must also identify any high-risk data or activities. To do that, use Data Protection Impact Assessments (DPIAs). As soon as risks are identified, take steps to mitigate them. If, based on evidence, it appears that no mitigation is possible, the pertinent Data Protection Authority (DPA) must be consulted to explore the best way to continue processing the information. This type of consultation is expected to be rather rare. Having said that, if a situation arises where there seems to be no possible mitigation, an organization is required to contact the authority and discuss the problem in order to comply with the GDPR.

Keeping a Report of Every Compliance Process

Organizations need to show they are GDPR compliant. Therefore, it is vital to properly document every process and procedure. When found to be non-compliant, an organization can incur a penalty of as much as €20 million, or 4% of annual turnover (whichever is higher). In all likelihood, the DPA will at first focus on organizations that are clearly non-compliant, but it is still critical for every company to have its own processes, procedures and paperwork available in the event of an audit or investigation.

Getting Ready for the Possibility of Data Breaches

Under the GDPR, every data breach must be reported to the appropriate supervisory authority within 72 hours. It is therefore important that every organization has developed its own procedures for managing data breaches if they happen. Besides the non-compliance with the GDPR, and thus the large fine the organization could incur, the absence of a contingency plan could lead to catastrophic reputational damage.

Assigning an in-house Data Protection Officer (DPO)

From the GDPR implementation date, any company or organization that tracks the personal information of people (including IP addresses) on a substantial scale is required to appoint a DPO. A DPO can either be an internal employee or an external provider. A DPO is also required by organizations that process large quantities of special category data, for example genetic information or criminal data, and public agencies which manage personal information.

It is quite likely that, at first, there will be a shortage of competent Data Protection Officers. Having said that, there are no clear criteria for qualifying as a DPO. What is required is someone who is fully knowledgeable about the GDPR and its effect on the business. In addition, they should be able to initiate and supervise the operation of data protection systems and processes. An organization can appoint an existing staff member as DPO as long as he or she possesses the required skill set and has been given adequate training in all aspects of the GDPR.

Creating tracking and reporting processes

Once GDPR compliance systems are set up, an organization also needs to create processes for tracking their performance. First, this is to check that the processes are working and are fully GDPR compliant. Second, it is to demonstrate compliance in case of an audit by a Data Protection Authority. The only way for an organization to demonstrate compliance is if all GDPR compliance activities regarding data management and protection are properly documented. Moreover, it must show that an operational checking program has been implemented.

The Value of Being Ready

DPAs can issue fines for GDPR non-compliance. The exact amount of the different fines, apart from the maximum in each category, is not defined. It seems that DPAs have flexibility in deciding on appropriate penalties.

In spite of the fact that DPAs have some flexibility in imposing sanctions and fines, it is expected that they are going to talk about these issues and achieve a level of uniformity.

The first step for any organization is to learn about the extent of the GDPR. Many organizations operating globally seem to think that GDPR has no effect on them at all. If, however, they play any role in the processing of information gathered from people residing within the EU, they could be in for a surprise. GDPR applies not only to data that was obtained directly from the data subject; it also applies to information obtained from a third party. Being educated about the GDPR, and about the organization’s responsibilities, must be the first item on an organization’s GDPR To Do List.

After working on the number one item of the GDPR To Do List, the next thing to do is assess current data practices and make sure that any data is stored in compliance with the GDPR. Companies should moreover enact processes and procedures to make sure that ongoing data collection and management is GDPR compliant. Data management processes should be checked. Risks need to be identified and mitigated. Although organizations must do all they can to keep data secure, they must also be prepared to report data breaches within 72 hours of discovery. If organizations can do everything mentioned above, they could avoid GDPR fines and safeguard their reputations.

Summary

The first step that an organization should take is to put together a GDPR To Do List. There is a long list of GDPR requirements, but not every requirement will be applicable to every organization, particularly those classified as a Data Controller.

In summary, consider the following questions:

  • Has your organization created a list of the personal data it retains, the sources of that information, with whom the data is shared, what is done with the data, and how long the data must be kept? (Data Controllers/Data Processors)
  • Has your organization put together a list of the storage location of personal data and how data is transferred? (Data Controllers/Data Processors)
  • Has your organization put together a Privacy Policy, which outlines all the processes associated with the gathering, processing and safekeeping of personal information? (Data Controllers/Data Processors)
  • Does your Privacy Policy mention the legitimate reason for your organization gathering and processing personal data? (Data Controllers)
  • Has your organization performed a risk assessment of its security systems, made certain that any flaws or vulnerabilities are dealt with, and ensured that personnel are trained in data protection? (Data Controllers/Data Processors)
  • If your organization is not operating in the EU, do you have an appointed representative inside the EU who will report to the DPA any data breach that occurs and the names of the people whose data were breached? (Data Controllers/Data Processors)
  • For Data Controllers, do you have a contract with data processors and subcontractors to make certain you are notified of any data breaches? (Data Controllers)
  • Does your organization have mechanisms that allow people to request access to their personal data, to update or amend it as required, and to request the erasure of the data or its transfer to a different data processor? (Data Controllers/Data Processors)
  • Does your organization obtain consent prior to processing a person’s data, and provide the opportunity to refuse personal profiling or automated decision making that can affect them? (Data Controllers)
  • Lastly, does your organization have a schedule for examining the effectiveness of your GDPR To Do List, organizational compliance, changes in how data is managed, and changes in your circumstances or legal responsibilities (for instance, performing a DPIA for high-risk processing)? (Data Controllers/Data Processors)