Achieving GDPR Compliance may seem complicated. This basic checklist will help you to see where your company stands and which areas should be further addressed in line with the GDPR.
If your organisation determines the purposes and means of the processing of personal data, it is considered acontroller. If your organisationprocesses personal data on behalf of the controller, it is considered aprocessor. It is possible for your organisation to have both roles. This list is far from a legal exhaustive document; it merely tries to help you to pinpoint the key GDPR requirements.
Read more: GDPR Article 7 – Conditions for consent
It should be written in clear and simple terms and not conceal it's intent in any way. Failing to do so could void the relationship or agreement with your customer entirely.
Read more: GDPR Article 7.2 – Conditions for consent
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Read more: GDPR Article 7.3 – Conditions for consent
For children you need to make sure a parent or legal guardian has given consent for data processing. If consent is given via your website, you should try to make sure approval was actually given by the parent or legal guardian (and not by the child). In most countries a data subject is considered a child when younger than 16 years (please check per country).
Read more: GDPR Article 7 – Conditions for consent
You should automate deletion of data you no longer need. For example, you should automatically delete data for customers whose contracts have not been renewed.
This is a list of the actual types (columns) of data being held (e.g. name, social security nr, address, telephone number, e-mail address, etc.). For each category, a source should be documented, the parties with whom this data is shared in - and/or outside the EEA (EU , Norway, Liechtenstein and Iceland), the purpose(s) of processing of this data, the retention periods and the technical and organizational security measures taken to protect personal data
This could be a list of databases (e.g. MySQL), but it could also include offline datastores (paper).
It should contain a reason for data processing, e.g. the fulfilment of a contract, consent of the data subject or a legitimate interest
Read more: GDPR Article 6 – Lawfulness of processing
A DPO is required in three scenarios: (1) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (2) the core activities of the business consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or (3) the core activities of the business consist of processing on a large scale special categories of data (sensitive data) pursuant to Article 9 and personal data relating to criminal convictions or offenses pursuant to Article 10. If a DPO is required, the DPO should have knowledge of GDPR guidelines as well as knowledge about the internal processes that involve personal information.
Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person.
In general, personal data breaches should be reported within 72 hours to the local authority. You should report which data has been lost, what the consequences are and what countermeasures you have taken. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (data subjects), you should also communicate and report the breach to the person (data subject) whose data you lost.Your company should have a data breach policy in place to assist the organization in determining the next steps in the case of a data breach, such as whether or not to notify the local data protection authority or data subjects ubjects involved.
The DPA should contain explicit instructions for the storage or processing of data by the processor. The DPA should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. For example, this could include a contract with your hosting provider. The same contract requirements apply when a processor engages a sub-processor to assist it in fulfilling processing activities on behalf of the controller
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. And where that is the case, access to that data.
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Read more: GDPR Article 16 – Right to rectification
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
Under certain conditions the data subject shall have the right to obtain from the controller restriction of processing
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Read more: GDPR Article 20 – Right to data portability
This is only applicable if your company uses profiling or any other automated decision making.
You should follow up on best practices and changes to the policies in your local environment.
This is only applies to businesses carrying out large-scale data processing, profiling and other activities with high risk to the rights and freedoms of people. A special assessment should be carried out in these cases.