Key HIGHLIGHTS GDPR compliance
Achieving GDPR Compliance may seem complicated. This basic checklist will help you to see where your company stands and which areas should be further addressed in line with the GDPR.
If your organisation determines the purposes and means of the processing of personal data, it is considered acontroller. If your organisationprocesses personal data on behalf of the controller, it is considered aprocessor. It is possible for your organisation to have both roles. This list is far from a legal exhaustive document; it merely tries to help you to pinpoint the key GDPR requirements.
If your website collects personal datain some way, you should have an easily visible link to your privacy policy and confirm that the user is informed on your terms and conditions. In general, consent requires an affirmative action, so pre-ticked boxes are not permitted. Examples are:subscribing for a newsletter or asking consent for the use of cookies.
Read more: GDPR Article 7 – Conditions for consent
It should be written in clear and simple terms and not conceal it's intent in any way. Failing to do so could void the relationship or agreement with your customer entirely.
Read more: GDPR Article 7.2 – Conditions for consent
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Read more: GDPR Article 7.3 – Conditions for consent
For children you need to make sure a parent or legal guardian has given consent for data processing. If consent is given via your website, you should try to make sure approval was actually given by the parent or legal guardian (and not by the child). In most countries a data subject is considered a child when younger than 16 years (please check per country).
For example, by emailing upcoming changes of your privacy policy or by showing a banner on your website. Your communication should explain in a simple way what has changed.
Read more: GDPR Article 7 – Conditions for consent
You should automate deletion of data you no longer need. For example, you should automatically delete data for customers whose contracts have not been renewed.
Read more: GDPR Article 5 – Principles relating to processing of personal data
This is a list of the actual types (columns) of data being held (e.g. name, social security nr, address, telephone number, e-mail address, etc.). For each category, a source should be documented, the parties with whom this data is shared in - and/or outside the EEA (EU , Norway, Liechtenstein and Iceland), the purpose(s) of processing of this data, the retention periods and the technical and organizational security measures taken to protect personal data
Read more: GDPR Article 30 – Records of processing activities
This could be a list of databases (e.g. MySQL), but it could also include offline datastores (paper).
Read more: GDPR Article 30 – Records of processing activities
You should include information about all processes related to the handling of personal data. This document should include (or have links to) the types of personal data the company holds, and where it holds them. Please note, this is an internal company privacy policy and not a privacy statement as communicated to customers and other data subjects as set out above.
Read more: GDPR Article 30 – Records of processing activities
It should contain a reason for data processing, e.g. the fulfilment of a contract, consent of the data subject or a legitimate interest
Read more: GDPR Article 6 – Lawfulness of processing
A DPO is required in three scenarios: (1) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (2) the core activities of the business consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or (3) the core activities of the business consist of processing on a large scale special categories of data (sensitive data) pursuant to Article 9 and personal data relating to criminal convictions or offenses pursuant to Article 10. If a DPO is required, the DPO should have knowledge of GDPR guidelines as well as knowledge about the internal processes that involve personal information.
Read more: GDPR Article 37 – Designation of the data protection officer
Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.
Read more: GDPR Article 25 – Data protection by design and by default
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Read more: GDPR Article 25 – Data protection by design and by default
If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person.
Read more: GDPR Article 27 – Representatives of controllers or processors not established in the Union
In general, personal data breaches should be reported within 72 hours to the local authority. You should report which data has been lost, what the consequences are and what countermeasures you have taken. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (data subjects), you should also communicate and report the breach to the person (data subject) whose data you lost.Your company should have a data breach policy in place to assist the organization in determining the next steps in the case of a data breach, such as whether or not to notify the local data protection authority or data subjects ubjects involved.
Read more: GDPR Article 33 – Notification of a personal data breach to the supervisory authority
GDPR Article 34 – Communication of a personal data breach to the data subject
The DPA should contain explicit instructions for the storage or processing of data by the processor. The DPA should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. For example, this could include a contract with your hosting provider. The same contract requirements apply when a processor engages a sub-processor to assist it in fulfilling processing activities on behalf of the controller
Read more: GDPR Article 28 – Processor
GDPR Article 29 – Processing under the authority of the controller or processor
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. And where that is the case, access to that data.
Read more: GDPR Article 15 – Right of access by the data subject
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Read more: GDPR Article 16 – Right to rectification
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
Read more: GDPR Article 17 – Right to erasure (‘right to be forgotten’)
Under certain conditions the data subject shall have the right to obtain from the controller restriction of processing
Read more: GDPR Article 18 – Right to restriction of processing
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Read more: GDPR Article 20 – Right to data portability
This is only applicable if your company uses profiling or any other automated decision making.
Read more: Article 22 – Automated individual decision-making, including profiling
You should follow up on best practices and changes to the policies in your local environment.
Read more: GDPR Article 25 – Data protection by design and by default
This is only applies to businesses carrying out large-scale data processing, profiling and other activities with high risk to the rights and freedoms of people. A special assessment should be carried out in these cases.
Read more: GDPR Article 35 – Data protection impact assessment
You should also disclose these cross-border data flows in your privacy policy.
Read more: GDPR Article 45 – Transfers on the basis of an adequacy decision
- Is the processing of personal data lawful?
- Can the controller demonstrate consent (if required) for the processing of personal data?
- Are special categories of personal data processed?
- Are data subjects aware of their rights?
- Are appropriate technical and organisational measures implemented to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR?
- Does the controller keep a record of all data processing activities?
- Is a Data Privacy Officer required?
- Does the controller need to carry out a Data Processing Impact Assessment?
- Does the controller make use of controllers for the data processing and if so, are data the data processing’s governed by a data processing agreement?
- Does the controller transfer personal data outside the EU?
- Do the website of the controller and the applicable documents, such as privacy- and cookie statement and opt-ins (if necessary) for the processing of personal data comply with the GDPR and other local regulations?
- Are appropriate technical and organisational measures carried out to ensure a level of security appropriate to the risk of data processing and does the controller have a security policy in case of breaches?
