10 Points Checklist for GDPR Compliance
Companies are working hard to comply with the GDPR, the EU General Data Protection Regulation, as its application date approaches. Organizations are racing to take the steps needed to ensure that personal data is protected before the 25 May 2018 deadline. The GDPR requires that personal data be collected lawfully and under strict conditions. It also requires organizations to secure that data so that it cannot be misused or exploited.
These 10 key points will help you become GDPR-compliant before the deadline.
Point 1: Learn about GDPR and its impact on your company.
The GDPR is the EU's General Data Protection Regulation. It replaces the Data Protection Directive 95/46/EC. It was created to harmonise data protection law across the EU and to protect the privacy of individuals in the EU by changing how organizations collect, manage and use personal data.
The GDPR applies from 25 May 2018 and has a significant impact on companies and their customers. It applies to organizations established in the EU, and also to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. In practice this means nearly every major business worldwide should be GDPR-ready by May 2018 and should plan and implement a compliance strategy. Non-compliance carries heavy fines: up to 10 million euros or 2 percent of global annual turnover for lower-tier infringements, and up to 20 million euros or 4 percent of global annual turnover for the most serious ones, whichever amount is higher.
Point 2: Document all personal data processed by the company.
Under the GDPR an organization must document and maintain a record of its processing activities (often called the RoPA). It covers, for each activity, the source of the data, the purpose of processing, the categories of data and recipients, retention periods and the security measures applied. The record is not filed on a schedule, but it must be made available to the supervisory authority on request.
Point 3: Inform all parties concerned via privacy notice
Every organization must provide a privacy notice to the individuals whose data it holds and uses. The notice explains what data is collected, how it is obtained, why it is processed and on what legal basis, how long it is kept, what rights the individual has, and details any transfers of personal data to countries outside the EEA.
Point 4: Ensure data processing respects individual data protection rights.
Once the data inventory is complete, review the legal basis for each processing activity to verify compliance with the GDPR. Every processing activity must be justifiable under one of the lawful bases and must respect the data subject's rights, including access, rectification, erasure, restriction, portability and objection.
Point 5: Procure consent under regulation guidelines.
Where you rely on consent, review how it is obtained, recorded and managed so that you can demonstrate it when asked. Consent under the GDPR must be freely given, specific, informed and unambiguous, expressed by a clear affirmative action (pre-ticked boxes and silence do not count), and it must be as easy to withdraw as it was to give.
Point 6: Address subject access requests
Procedures for responding to subject access requests must be updated to match the new rules. Requests must normally be handled free of charge; a reasonable fee may be charged only where a request is manifestly unfounded or excessive. The response period is one month, replacing the 40-day period under the previous UK regime, and it may be extended by up to two further months for complex or numerous requests, provided the individual is told within the first month.
Point 7: Examine outsourcing contracts for data processing.
Organizations that use data processors, including cloud service providers, must review their outsourcing contracts. The GDPR requires a written contract between controller and processor that sets out the subject matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, and the processor's obligations: act only on documented instructions, keep the data secure, engage sub-processors only with authorisation, assist the controller with data subject requests and breach notification, and delete or return the data at the end of the engagement.
Point 8: Identify a data protection officer.
An organization may need to appoint a data protection officer (DPO) responsible for overseeing GDPR compliance. Appointment is mandatory for public authorities, and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO must report to the highest level of management and must be able to act independently. The role may be outsourced to an external DPO, which can reduce cost for smaller organizations.
Point 9: Evaluate the data protection impact.
Analyze the data processing activities and all data collected. Note the details of each activity, including the software used and the measures taken to protect data by design and by default. This review will not prove the absence of vulnerabilities, but it gives you a documented view of where personal data flows and where security controls are missing.
Where a processing activity is likely to result in a high risk to individuals (for example large-scale profiling, systematic monitoring or processing of special categories of data), a data protection impact assessment (DPIA) is mandatory: describe the processing, assess its necessity and proportionality, identify the risks to individuals and record the measures chosen to reduce them.
Point 10: Manage data breaches efficiently
The organization must have effective procedures in place to handle personal data breaches, and third-party processors must be contractually bound to report breaches to the controller without undue delay. The breach procedure must cover detecting and investigating the breach, containing it, and assessing the consequences for both the organization and the affected data subjects. Unless the breach is unlikely to result in a risk to individuals, notify the supervisory authority within 72 hours of becoming aware of it, and document the reasons if notification is late. Where the breach is likely to result in a high risk to individuals, they must be informed without undue delay as well. Keep an internal record of every breach, including those not notified.