GDPR Checklist for data controllers/business owners

Are you up to date with GDPR? Our GDPR checklist can help you secure your organization, protect your customers’ data and avoid expensive fines for non-compliance.

To understand the GDPR checklist, it is also useful to know some of the terminology and the basic structure of the law. You can find this information on our page “What is GDPR?” Please note that nothing on this page constitutes legal advice. We recommend that you speak to a lawyer who specializes in GDPR compliance and who can apply the law to your particular circumstances.

GDPR Checklist

Legal basis and transparency

Carry out an information audit to establish what personal data you process and who has access to it. Organizations that have at least 250 employees or carry out high-risk data processing are required to keep an up-to-date and detailed record of their processing activities and to be ready to show it to the supervisory authorities on request. Organizations with fewer than 250 employees should also carry out this assessment, as it makes it easier to comply with the GDPR’s other requirements. Your record should cover who has access to the data within your organisation, any third parties (and where they are located) who have access, what you are doing to protect the data (e.g. encryption) and when you plan to delete it (if possible).

According to the GDPR, all organizations that process personal data must have a legal basis for doing so. There are several possible legal grounds that can justify the processing of personal data. Consent is one example: if you have obtained consent from the data subject to process their data for a specific purpose, that consent may serve as the lawful basis for the processing.

You must inform people that you are collecting their data and why. You should explain how the data is processed, who has access to it and how you secure it. This information must be included in your privacy policy and provided to the data subjects at the time you collect their data. It must be presented “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

Data security

You must follow the principles of “data protection by design and by default,” including implementing “appropriate technical and organizational measures” to protect data. In other words, data protection must be considered every time you process other people’s personal data, not bolted on afterwards. You must also ensure that any processing of personal data complies with the data protection principles described in Article 5 (see the link below to the text on gdpr.eu). Technical measures include encryption, access control and logging; organizational measures include limiting the amount of personal data you collect, restricting who may access it and deleting data you no longer need. The point is that data protection must be something you and your employees are always aware of.

Link to article 5

Many of the productivity tools that businesses use are now available with end-to-end encryption, including email, messaging services, note-taking apps and cloud storage. The GDPR names pseudonymisation and encryption of personal data as examples of appropriate technical measures, so use them wherever the risk of the processing warrants it. Bear in mind that encryption only protects the data if the keys are managed separately from the data and are not exposed in the same breach, and that end-to-end encryption does nothing for data once it is decrypted on an employee’s device.

Even if your technical security is strong, operational security may still be a weak point. Create a security policy that ensures your team members are aware of data security. It should include guidelines on email security, passwords, two-factor authentication, device encryption and VPNs. Employees who handle personal data, including non-technical staff, should receive additional training on GDPR requirements.

A data protection impact assessment (DPIA, also known as a privacy impact assessment) is a way to help you understand how your product or service may threaten your customers’ data and how you can minimize these risks. The UK Information Commissioner’s Office (ICO) has a DPIA checklist on its website. The GDPR requires organizations to carry out this type of analysis when they plan to use people’s data in a way that is “likely to result in a high risk to their rights and freedoms.” The ICO recommends considering one for any new project that involves personal data.

Link to Data protection impact assessment

If there is a data breach and personal data is exposed, you must notify the supervisory authority in your jurisdiction within 72 hours of becoming aware of the breach. A list of many of the EU member states’ supervisory authorities can be found at gdpr.eu. The GDPR does not specify who you must notify if you are not an organization based in the EU. For those in English-speaking non-EU countries, it may be easiest to notify the Office of the Data Protection Commissioner in Ireland. You must also inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them; this is not required if, for example, the exposed data was encrypted and the attacker did not obtain the key. Keep an internal record of every breach, including the ones you decide not to report, so that you can show the supervisory authority how the decision was reached.

Accountability and governance

Another part of “data protection by design and by default” is to ensure that someone in your organization is responsible for GDPR compliance. This person should be empowered to evaluate data protection policies and the implementation of these policies.

Sign a data processing agreement with every third party that handles personal data on your behalf, including analytics software, email services, cloud servers, etc. The majority of services have a standard data processing agreement available on their websites for you to review. These agreements describe the rights and obligations of each party in relation to GDPR compliance. You should only use third parties that are reliable and can provide adequate guarantees of data protection.

If your organization is established outside the EU and you process data relating to individuals in one particular member state, you must appoint a representative in that country who can communicate on your behalf with the data supervisory authorities. The GDPR and its official supporting documents do not provide guidance in situations where the processing affects data subjects across multiple member states. Until this requirement is interpreted, it may be wise to appoint a representative in a member state that speaks your language. Some organisations, such as public bodies, are not obliged to appoint a representative in the EU.

There are three circumstances in which organizations are required to have a Data Protection Officer (DPO), but it’s a good idea to have one even if the rule doesn’t apply to you. The DPO must be a data protection expert whose task is to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments and cooperate with supervisory authorities. Read more about the DPO role at the link below.

Link to DPO

Privacy rights

People have the right to see what personal information you have about them and how you use it. They also have the right to know how long you plan to keep their information and the reason for keeping it for that period. You must send them the first copy of this information free of charge, but may charge a reasonable fee for subsequent copies. Make sure you can confirm the identity of the person requesting the data before you release it. You should be able to accommodate such requests within one month.

Do your best to keep data up-to-date by establishing a data quality process, and make it easy for your customers to view and update their personal information for accuracy and completeness. Correction requests also require you to confirm the identity of the requester, and you should be able to meet them within a month.

Link to article 15
Link to article 16

People generally have the right to ask you to delete any personal data you hold about them, and you must comply with their request within approximately one month. There are five grounds on which you can decline the request, such as exercising freedom of expression or complying with a legal obligation. You should also verify the identity of the person making the request before deleting anything.

Your data subjects can request to limit or stop the processing of their data if certain reasons apply, mainly if there are doubts about the lawfulness of the processing or the accuracy of the data. You are required to comply with their request within approximately one month. While the processing is limited, you are still allowed to keep their data. You must notify the data subject before you start processing their data again.

Data subjects also have the right to data portability. This means that you must be able to provide their personal data in a structured, commonly used and machine-readable format (e.g. CSV or JSON) either to themselves or to a third party that they appoint. This may seem unfair from a business perspective, as you may have to hand over your customers’ data to a competitor. But from a privacy perspective, the idea is that people own their data, not you.

Data subjects have the right to object to the processing of their data. If you process their data for direct marketing purposes, you must immediately stop the processing for this purpose. Otherwise, you may be able to challenge their objection if you can demonstrate “compelling legitimate grounds.”

Some types of organizations use automated processes to help them make decisions about people that may have legal or “similarly significant” consequences. If you believe that this applies to you, you must set up a procedure to ensure that you protect their rights, freedoms and legitimate interests. You need to make it easy for people to request human intervention, voice their opinion on decisions, and challenge decisions you’ve already made.

Success!

Congratulations! If you have dutifully worked to the bottom of the GDPR checklist, then you have significantly limited your exposure to regulatory sanctions.

Finally, we want to remind you once again that this checklist is in no way legal advice. There are dozens of provisions in the GDPR that only apply in rare cases, which would be counterproductive to cover here. You should check with a lawyer to ensure your organization is fully GDPR compliant.
