GDPR compliance checklist: Is your organisation GDPR-ready?

Make sure your organisation is GDPR-compliant now the 25 May deadline has passed

It won't be long until the European Union's (EU's) General Data Protection Regulation (GDPR) will have been in force a year.

Organisations have found that, since GDPR came into force on 25 May last year, compliance was never an overnight prospect but an ongoing one that requires a firm's data governance practices to be continuously reviewed. Indeed, various surveys have since emerged showing that a swathe of organisations do not consider themselves fully GDPR-compliant, particularly when it comes to fulfilling Subject Access Requests (SARs).

The Information Commissioner's Office (ICO) and its European counterparts will, in 2019, begin taking serious regulatory action as more violations emerge and the small backlog of incidents from the back end of 2018 is finally examined. Firms must therefore stay on their toes and ensure every part of their organisation is complying with the toughest set of data regulations ever devised.

That isn't to say the ICO and other regulators will hit you with the biggest fine possible. This is far from reality, with the UK data regulator admitting that any GDPR violations will be assessed and judged taking a wide variety of factors and contextual information into consideration. That means any measures your company takes to protect data and manage it properly will be marked in your favour if you suffer a breach.

But the open-ended nature of GDPR, together with an unpredictable threat landscape, means your company's data practices must be examined and reassessed regularly, as the regulations themselves also evolve and new aspects emerge through 'case law'.

The UK's departure from the EU might also complicate matters, with the Data Protection Act 2018, which enshrines GDPR in UK law, coming into force.

According to the ICO, however, leaving the EU without a withdrawal deal may lead to widespread disruption, affecting data flows and international transfers. The UK regulator has released extensive guidance to this effect, advising businesses what measures they can take to avoid disruption and carry on into April 2019 as smoothly as possible.

Under GDPR, companies need to ensure they are conducting themselves to the highest standards when handling personal data and sending communications. The regulations also outline specific precautions organisations must take, and changes to their organisational structure, which aim to promote best practice, as well as outlining the steps an organisation must take after suffering a breach.

While a great deal of GDPR concepts and notions are included in the now-defunct Data Protection Act (DPA) 1998, there are many new aspects and more rigorous standards that can catch out any company trying to get through compliance measures as fast as possible.

The ICO advocates that organisations treat their existing compliance efforts as a starting point to build on. But what precisely does compliance with GDPR mean? Here we look at the basics, so you know what to do and can tick each item off your extensive GDPR checklist.

IT and data governance

Audit all the information your organisation holds: You must compile an inventory of the personal data you hold and arrange it by type, i.e. names, addresses, phone numbers, and so on. You must also record the source of each separate piece of information documented.

Determine why you hold the information you do: GDPR requires you to establish a legal basis for collecting data, which you will need to outline in your privacy policy. Determining how and why you use data, for your own reference, will make it easier to communicate this to your customers. We go into consent lower down, but it is not the most reliable basis for collecting data, given that users can withdraw consent at any time, so it is worth considering the other lawful bases available to you.

Establish how you store data, and who it's shared with: This could be a list of internal databases, but could also include offline stores and third-party storage providers. You must establish which parties you share your data with so that if you need to delete or amend that data, you can inform an associate organisation that they must also update their records.

Document how data is processed: Organisations will need to record all processing activities, including the name and contact details of the data processors and the categories of processing carried out, as well as any transfers of personal data to an 'adequate' third country (one outside the European Economic Area whose data protection measures are deemed adequate for data transfers) or international organisation.

Customer awareness

Revamp your privacy policy: Organisations must write a clear and understandable privacy policy that is publicly accessible on their websites. It must clearly state your lawful basis for data collection and processing in concise, plain language. Clear communication will help to build long-term customer trust in your organisation.

Refresh existing consents if necessary: Consent must be freely given, specific, informed and unambiguous, and must hinge on a positive opt-in. Under GDPR, you cannot rely on pre-ticked boxes or opt-outs, nor bundle consent with agreement to other terms and conditions. You must explain clearly and specifically why you are collecting certain data and what it will be used for, plus which third-party controllers will be able to rely on that consent. You also need to make clear that users can withdraw their consent later on, and make it easy for them to do so.

You should also keep consents separate: if you are asking users to agree to you doing different things with their data, you will need to ask for their consent to each of these things individually. Although you will not necessarily need to refresh all consents gathered pre-GDPR, if you rely on consent to process data you will have to ensure existing user consents meet these higher GDPR standards, or be ready to seek fresh consent.

Highlight any third-party processors: Your customers and users need to be informed of the use of any third-party data processors or controllers, to which they should consent by accepting your privacy policy. Third parties will need to respect your data subjects' rights just as strictly as your own organisation does, and their involvement in processing data must be rigorously documented.

Maintaining your customers' rights

Respect new and existing rights: You should examine your procedures to ensure they cover the new and existing rights customers have, including how you plan to delete personal data or provide it on request.

Fulfilling Subject Access Requests (SARs): Requests from individuals to access the data you hold on them must be fulfilled within a month, instead of 40 days; the data must be provided in a structured, commonly used format, and you cannot charge a fee. Consider implementing a system that lets users easily access their own data online, to reduce the pressure on staff handling a large number of SARs.

Right to rectification, restriction, and erasure: The new legislation gives users more control over their personal data. The key to respecting these rights lies in understanding how your organisation will handle the flow of requests to correct inaccurate data, to comply with a demand that you stop processing someone's data, and to erase any personal data you hold on a subject or move it to another organisation at their request.

Internal awareness and accountability

Implement staff training: A great many data breaches are inadvertent and involve a degree of human error by staff with access to internal systems. Training all your staff to be aware of how GDPR affects their daily work not only maximises your organisation's chances of full compliance, but also minimises the risk of data loss or theft.

Educate decision-makers: Setting up an accountability and governance framework, involving executives and senior members of staff in your organisation, is key to compliance. Involving senior staff is not only important in budgeting for the compliance process, but for identifying the areas that may be at risk, and ensuring each department has a specific readiness plan to execute.

Appoint a Data Protection Officer (DPO): Your organisation must designate a DPO with responsibility for data protection compliance if you carry out regular and systematic monitoring of individuals at scale, or large-scale processing of special categories of data, such as health records. The DPO must have the right knowledge, support and authority to carry out their duties effectively.

Carry out a Data Protection Impact Assessment (DPIA): DPIAs are mandatory for certain organisations where a new technology is being deployed, where a profiling operation is likely to affect customers, or where special categories of data are processed on a large scale. A DPIA helps establish how risky a given data processing activity is. Your organisation should consider where DPIAs are necessary, if at all, and how you will run the process. The ICO has some useful advice about when and how to perform one.

Reporting data breaches: Any breach involving personal data must be reported to the ICO within 72 hours, including what data has been lost, the likely consequences, and what countermeasures you have taken. Any loss of unencrypted personal data must also be communicated to the data subjects involved. It is vital to cooperate with the authorities as fully as possible, both to minimise the scope for penalties and to ensure your reputation does not suffer undue damage.

Pictures: Shutterstock
