Preparing your business to support an international audience is a daunting process. Many think of the European Union’s General Data Protection Regulation (GDPR) as a big scary monster that lurks just out of reach, impossible to understand, much less conform to. The truth is, it will be a massive undertaking, and there is no rushing GDPR compliance. However, this world-changing regulation can be understood and well-prepared for.
Before you go rushing in to add haphazard consent forms and cookie banners to your website, you’ll need to do a full analysis of your data processing methods and databases to make sure that your business is ready to support GDPR compliance, from the inside-out.
You know by now that the GDPR will likely affect the way you do business, and there’s no avoiding it. What makes it so impactful is the combination of extraterritorial reach and the size of the fines for infringement. Under Article 3 the Regulation applies not only to organisations established in the EU, but also to organisations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour.
In short, if your business serves or tracks people in the EU and collects something as minor as an IP address or a cookie identifier (both count as personal data under the GDPR), you will be required to comply.
Even if you are based in the USA, it is hard to guarantee that nobody in the EU will ever use your website, and as soon as you target or track those visitors the GDPR applies. Simply being reachable from the EU does not by itself trigger the Regulation (Recital 23); what matters is whether you offer goods or services to, or monitor, people there. With administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, compliance is a small price to pay.
In this article, we’ve put together a GDPR Readiness Checklist that will give your team direction as they examine every aspect of the business’s data processing practices, databases, security measures, and more. A GDPR Readiness Checklist is not to be confused with a GDPR Preparation Checklist, which is a list of the final actionable items that will need to be completed in order to achieve GDPR compliance.
Before you can even begin to check off a list of GDPR compliance guidelines, you will have to be intimately familiar with how your data processing is defined under the GDPR, if your security measures and data handling techniques are sufficient to satisfy GDPR standards, and which requirements will apply to your business.
Once you have completed the readiness checklist outlined below, your team will be well prepared and informed enough to begin checking off action items on the final GDPR Preparation Checklist (mentioned above).
For the purposes of this article, we will assume that your business is the data controller or owner of the personal data you process for data subjects (consumers). If you are a data processor handling data on behalf of the controller, many of the same steps will apply, but the roles and responsibilities may change. Be sure to establish and understand your responsibilities according to the role of your organization with regard to personal data processing.
Each section below presents a question that will need a thorough and complete answer before GDPR compliance preparation can begin.
This is possibly the most important and the most time-consuming part of any GDPR Readiness Checklist. It will be necessary to analyze every aspect of the personal data that your company collects, processes, and stores.
Here are some specific details that will need to be identified and evaluated:
Yes, that is a lot of information to gather. It will be time consuming, but once a data audit has been completed, many of the questions contained in the remainder of this readiness checklist will be easier to answer. You need to have a good grasp on all of the above before you can really take next steps.
It is not lawful to collect or process the personal information of EU residents without a valid legal basis for doing so. Before going any further, you have to establish which legal basis or bases are considered valid for the type of data processing your business performs. These are the six legal bases that the GDPR establishes as valid justification for processing consumer data:
If you’re not sure which legal bases your own data processing activities fall under, it would be advisable to consult a Data Protection Officer (DPO) or privacy law expert to make sure your company is processing data under a valid legal basis. Record the basis you rely on for each processing activity; you will need it for your records of processing (Article 30) and for your privacy notice.
If consent is the legal basis your business uses for collecting and processing data, you may have some work to do.
Here are some requirements that the GDPR sets in order for consent to be considered valid:
If your methods for obtaining consent and processing data are not GDPR-compliant, processing or storing EU consumer data will not be considered lawful.
First, make sure the records you have on file were collected through valid consent methods. If not, a re-permission campaign will be in order to update those records under a lawful basis. Then you can begin the necessary infrastructure changes to ensure that personal information is collected through valid consent methods in the future, including keeping a record of when and how each consent was given so that you can demonstrate it later (Article 7(1)).
To illustrate a GDPR-compliant consent method, check out this contact form from Sainsbury’s:
Here’s an example of a cookies consent dialogue from Mailchimp:
When the user clicks “Cookie Settings” they’re presented with options to accept or reject different kinds of cookies throughout the Mailchimp website:
Both of these companies are obtaining clear consent from users by using checkboxes, notices and settings options, which works towards GDPR compliance.
For example, the right to erasure may extend to server log entries that record a visitor’s IP address and geolocation as they use your website or service, and the right of access means the same log data would have to be located and reproduced if a data subject requested a copy of the personal data you hold about them. Note that the right to erasure is not absolute: Article 17(3) lets you retain data that you are legally required to keep or need for legal claims, but you must be able to identify and justify each such exception.
Depending on the infrastructure you use to collect and organize data records, fulfilling requests like these could be burdensome and time-consuming. Therefore, it’s important that your data protection team carefully study the rights that the GDPR grants EU consumers, and then review whether or not your current data management system can easily support upholding those rights.
These are the rights of all EU residents as defined by the GDPR:
Notice how users are also informed of how to make direct requests in regard to their consumer rights. That last detail will be integral in order to fulfill this GDPR requirement.
Security is a big issue in the GDPR. Data protection is expected to be integrated into business practices by design and by default. In fact, GDPR Article 32 goes into even further detail regarding the security of personal data processing:
That’s a lot of fine print, so here’s a summarized version:
Taking into account the type and quantity of personal data processing your company performs, data security and protection measures must be appropriate to meet the risks associated with handling the data.
Where appropriate and possible, these measures should incorporate the following:
The level of security should reflect the risks presented by the processing, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Adherence to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) may be used as an element to demonstrate compliance with these security requirements.
Anyone acting under the authority of the controller or of a processor who has access to personal data may only process it on the controller’s instructions, unless required to do so by EU or member state law.
The GDPR makes it very clear that the level of data security must reflect the risk involved with the type and quantity of data processing that your company performs. Therefore, your first objective is to assess the risks involved with your data processing activities in order to determine the level and extent of data protection measures you will need to implement.
Some factors that would need to be considered in this assessment include:
Of course, there are many more factors that would be considered during an in-depth risk assessment. If your staff does not have the experience or expertise to accurately evaluate data security risks and the resulting security measures required to meet them, it may be necessary to hire a data security consultant to complete this step for you.
Once you have established the level of data protection and security that will be necessary to mitigate the risks of data processing, you will need to make the necessary organizational and technical changes within your data handling framework. This may require new or updated software systems, pseudonymization tactics, security monitoring techniques, or any number of other data protection technologies based on the way your business processes data.
Again, if your team does not have the expertise to complete this process themselves, a data security consultant could be helpful.
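The paragraph above names pseudonymization as one of the technical measures Article 32 expects. The following Python example, added here and not taken from the original article or from any product it mentions, shows keyed pseudonymization of client IP addresses in web-server access logs, and why a keyed construction (HMAC) is used rather than a plain hash. It also shows how the pseudonymized records can still be located for a subject access request and removed for an erasure request while the key exists. The log lines and the key are constructed for the example; the function names are the example’s own.

```python
"""Keyed pseudonymisation of client IPs in access logs (example added to this article)."""
import hashlib
import hmac
import re

# Constructed sample lines in the common log format; this is not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2018:10:01:02 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.42 - - [10/Jan/2018:10:01:05 +0000] "GET /pricing HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Jan/2018:10:02:11 +0000] "POST /signup HTTP/1.1" 302 0',
    '2001:db8::1 - - [10/Jan/2018:10:03:00 +0000] "GET /about HTTP/1.1" 200 1024',
]

# Leading client-address field: an IPv4 dotted quad or an IPv6 literal.
_ADDR_RE = re.compile(r'^(?P<addr>[0-9A-Fa-f:.]+)(?=\s)')


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Return a stable pseudonym for an address: HMAC-SHA256 under a secret key.

    A plain unkeyed hash is not adequate here: the IPv4 space is only 2**32
    values, so anyone who knows the hash function can recover addresses by
    brute force. With HMAC the pseudonym cannot be reversed without the key.
    The key must be stored separately from the logs (Article 4(5)); while it
    exists the pseudonymised records are still personal data and still fall
    under the GDPR. Destroying the key is what finally anonymises them.
    """
    digest = hmac.new(key, ip.encode('ascii'), hashlib.sha256).hexdigest()
    return 'ip:' + digest[:16]  # 64 bits is plenty to avoid collisions in a log


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace the leading client-address field of one log line."""
    return _ADDR_RE.sub(lambda m: pseudonymize_ip(m.group('addr'), key), line, count=1)


def pseudonymize_log(lines, key: bytes):
    """Pseudonymise every line; this is what gets written to long-term storage."""
    return [pseudonymize_line(line, key) for line in lines]


def records_for_subject(pseudo_lines, ip: str, key: bytes):
    """Right of access (Article 15): recompute the subject's pseudonym and return
    every stored record that carries it. Without the key the controller cannot
    single the subject out, which is exactly the protection pseudonymisation gives."""
    token = pseudonymize_ip(ip, key)
    return [line for line in pseudo_lines if line.startswith(token + ' ')]


def erase_subject(pseudo_lines, ip: str, key: bytes):
    """Right to erasure (Article 17): drop the subject's records and keep the rest."""
    token = pseudonymize_ip(ip, key)
    return [line for line in pseudo_lines if not line.startswith(token + ' ')]


if __name__ == '__main__':
    import secrets
    # In production the key comes from a KMS or HSM, never from a file beside the logs.
    key = secrets.token_bytes(32)
    stored = pseudonymize_log(SAMPLE_LOG, key)
    for line in stored:
        print(line)
    print('records for 203.0.113.7:', len(records_for_subject(stored, '203.0.113.7', key)))
    print('after erasure:', len(erase_subject(stored, '203.0.113.7', key)))
```

The design choice worth noting is that the same key serves both the security objective (Article 32) and the data-subject rights (Articles 15 and 17): access and erasure requests are answered by recomputing the pseudonym rather than by keeping a lookup table of real addresses, so there is no second copy of the raw identifiers to protect. Rotating the key breaks the link to earlier records, so rotation should be aligned with the log retention period.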
Finally, when the appropriate security system is established, create a Data Protection Policy (DPP) that can be used to educate everyone in your organization about data security standards and expectations.
A Data Protection Policy is an effective way to demonstrate to both employees and supervisory authorities that your company is serious about data protection. Some of the subject matter that may be covered in a DPP includes:
Take special care with that last point. The way your staff handles a data breach could make the difference between a written warning and a massive fine from GDPR supervisory authorities.
Build a GDPR-compliant data breach notification policy and include it in your DPP. It should cover the requirement to notify the supervisory authority within 72 hours of becoming aware of a breach, where feasible (Article 33), and to inform affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34). Make sure all employees are well-versed in the steps to take in the event of a data breach, including whom to tell internally so that the 72-hour clock is not lost in someone’s inbox.
Business owners often assume that the rules regarding international data transfers only apply when sending personal data to a third country, but this is not the case.
If your company is based outside of the EU, you are technically performing an international data transfer every time you receive data from an EU resident on your website or mobile app.
In order to receive this data legally, first determine if your country has an ‘adequacy decision’ from EU authorities. If this is the case, then data transfers may proceed normally.
If not, check out some of these other options. You will need to implement one of the following safeguards:
If the data transfer is necessary to fulfill a legal obligation or at the request of an official public authority, like the government, you’ll be able to use this as a reason for legally making an international data transfer.
Here is another example from Airbus. This one lists binding corporate rules as the method by which data is transferred internationally:
As a data controller that collects EU consumer data, you will be legally required to establish Data Processing Agreements (DPAs) with any third-party data processor before sharing customer data with them.
This type of agreement will serve the following purposes:
Under certain circumstances, it may be necessary to perform a Data Protection Impact Assessment (DPIA) before launching a new project that involves data processing. In order to comply with the GDPR and save time for your data processing team in the future, it would be advisable to formulate a DPIA template ahead of time.
A standard DPIA will need to cover the following topics, according to Article 35 of the GDPR:
Lastly, before you can hope to execute a GDPR compliance program throughout your organization, the roles and responsibilities of data handling should be firmly established.
If you do not intend to appoint a DPO or EU Representative, it will still be important to determine who will be in charge of data processing activities, data security, consumer privacy requests, and data breaches.
This will probably require a dedicated team of individuals who are well-trained in privacy, data security, and GDPR requirements. Make sure everyone in your organization understands the roles and responsibilities of your data processing team and who to go to with questions or concerns.
You can even offer different contact methods for people in different geographical regions as Evoko has done here:
Once you have answered all of the questions in this GDPR Readiness Checklist, your organization will be better prepared to implement a GDPR preparation and compliance action plan, and you’ll have a solid foundation to build your GDPR compliance upon.
This article was originally posted here: https://www.privacypolicies.com/blog/gdpr-readiness-checklist/