If your organization collects or processes the personal data of EU residents, it’s subject to the General Data Protection Regulation (GDPR). The GDPR enumerates multiple specific requirements for both data controllers (organizations that determine the purpose and means of processing personal data) and data processors (businesses that are responsible for processing data on behalf of a controller). In particular, to be GDPR compliant, you must collect only the minimum amount of data you need from customers and process personal data only on a lawful basis.
Depending on the scale of your business, you might want to seek the services of a third-party consulting agency for legal advice on what exactly is required to achieve compliance. However, based on GDPR guidelines, your top-level compliance checklist should, at a minimum, include the following:
- Hire a data protection officer or appoint a person to take on the DPO role — A data protection officer is responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. The data protection officer role is mandatory if any “special category” of data is processed or data processing is carried out by a public authority. If your company does not have an office in the EU, you must appoint an official representative in the Union.
- Perform a data privacy design assessment — Your processes need to be designed with privacy protection in mind and privacy must be applied by default whenever new products or services are released to the public. The best way to get started is to conduct a Data Protection Impact Assessment (DPIA): Inventory all of your processes that involve the collection, storage, use or deletion of personal data, and then assess how valuable or confidential the information is, and what damage or distress individuals might suffer in the event of a security breach. With a clear understanding of the privacy risks, you can begin to choose security measures, plan investments and activities, and prepare the necessary policies, procedures and documentation.
- Outline your data governance plan — Data governance involves assembling the people, processes and technologies required to consistently and properly handle data across the business.
- Get consent for data collection, retention & erasure — GDPR compliance requires ensuring transparency and giving consumers more control over their data.
- Document your compliance, auditing & record keeping techniques — Data controllers must be able to prove that their organization is in compliance with GDPR regulations. Make sure you have documented, lawful basis for storing and processing data.
- Outline and prepare for your data breach obligations — Data controllers are obliged to notify the supervisory authority within 72 hours of becoming aware of a data breach. Data processors must notify the relevant data controllers about every data breach. If a breach poses a high risk to data subjects, then they must also be informed unless effective protection measures, such as pseudonymization or full anonymization, were in place.
- Document your data protection measures — Auditors will want to see what controls you have implemented.
GDPR Audit Checklist
Your final General Data Protection Regulation audit checklist will depend on a variety of factors, including the scale of your operations, the amount and types of data you collect, and the results of your data protection impact assessment. However, here are the key things you need to do and questions to ask:
- Document the personal data you collect — “What data are we collecting?”
- Minimize what you collect — “Do we have a function for every piece of data?”
- Understand your data flows — “Where are we storing the data?”
- Choose strong security measures — “How do we protect and document the data?”
- Refine your data retention policy — “How long do we keep the data?”
- Assess risks — “Do we have adequate cybersecurity measures in place to protect data?”
- Prepare for Data Subject Access Requests (DSARs) — “What is the process for honoring a request to delete, amend or access the data we store?” The rights of data subjects and your corresponding obligations are detailed below.
Upholding Data Subject Rights
Rights of Data Subjects
Organizations subject to the GDPR are required to uphold the following eight rights of data subjects upon request:
- The right to be informed — Individuals can require you to provide clear and concise information about what you do with their personal data.
- The right of access — Any data subject can require you to provide a copy of their personal data, along with supplementary information to help them understand how and why you are using their data and check whether you are doing so lawfully.
- The right to rectification — Individuals have the right to have inaccurate personal data rectified. Depending on the purposes of data processing, individuals might also have the right to require that incomplete personal data be completed (for example, by adding a supplementary statement).
- The right to erasure (right to be forgotten) — Individuals have the right to have their personal data erased. The right is not absolute and applies only in certain circumstances.
- The right to restrict processing — The GDPR gives individuals the right to limit how an organization may use their data.
- The right to data portability — Individuals have the right to receive the personal data they provided to a controller in a structured, commonly used and machine-readable format. They can also request that the controller transmit this data directly to another controller.
- The right to object — Individuals may object to the processing of their personal data at any time, and the controller must stop processing it.
- Rights in relation to automated decision-making during the processing of personal data — Individuals have the right to not be subject to decisions that are based solely on automated processing (such as profiling) that have a legal effect on them.
You should make it easy for data subjects to exercise these rights, either by providing a self-service page with clear buttons and options, or via direct request.
Another critical step in upholding your legal obligations to data subjects is to make the following information publicly available in clear, easy-to-understand language:
- Data retention policy — Make it clear that you never store data for longer than necessary for the purposes for which it was collected. Make sure you automatically delete or anonymize personal data that is no longer needed.
- Terms of data transfer to other countries — Explain under what conditions you allow international transfers of personal data.
- Data protection policy — Explain how personal data will be protected in compliance with the GDPR.
- Contact information — Provide your organization’s legal address, as well as details for contacting your data protection officer (if you have one).
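The retention policy item above asks you to automatically delete or anonymize personal data once it is no longer needed, and the breach section earlier names pseudonymization as a protection measure. The following is an added example, not code from the original article, of what a retention sweep that enforces a per-purpose schedule can look like. Every purpose name, retention period, key and sample record in it is constructed for illustration; the keyed-hash pseudonym is one common technique, not something the article prescribes.

```python
"""
Retention sweep that enforces a per-purpose retention schedule: records past
their limit are deleted or pseudonymized, and every action is written to an
audit trail. Example code only; all names, periods and sample records are
constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Retention period per processing purpose (constructed values; take the real
# ones from your documented retention policy, not from this example).
RETENTION = {
    "account": timedelta(days=365),
    "support_ticket": timedelta(days=180),
    "analytics": timedelta(days=30),
}

# Purposes whose expired records are pseudonymized rather than deleted, so that
# aggregate statistics survive without a directly identifying key.
PSEUDONYMIZE_PURPOSES = frozenset({"analytics"})

# Key for keyed pseudonyms (constructed; keep the real one in a secrets manager
# and rotate it). Pseudonymized data is still personal data under the GDPR as
# long as the key exists; only full anonymization takes it out of scope.
PSEUDONYM_KEY = b"example-only-do-not-reuse"


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    last_activity: datetime  # timezone-aware
    email: str
    name: str
    pseudonymized: bool = False


def pseudonymize(value: str) -> str:
    """Keyed one-way pseudonym: stable for the same input, not reversible without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256)
    return "pseud-" + digest.hexdigest()[:16]


def is_expired(rec: Record, now: datetime) -> bool:
    """A record is expired once it has been inactive longer than its purpose allows."""
    return now - rec.last_activity > RETENTION[rec.purpose]


def sweep(records, now):
    """Apply the retention schedule and return a report: surviving records,
    counters, and one audit line per action as compliance evidence."""
    kept, audit, deleted, pseudonymized = [], [], 0, 0
    for rec in records:
        if rec.purpose not in RETENTION:
            # No documented rule for this purpose: flag it for review rather than guess.
            audit.append(f"{rec.record_id}: purpose '{rec.purpose}' has no retention rule; needs review")
            kept.append(rec)
            continue
        if not is_expired(rec, now):
            kept.append(rec)
            continue
        if rec.purpose in PSEUDONYMIZE_PURPOSES:
            if not rec.pseudonymized:  # idempotent: already-pseudonymized rows are left alone
                rec = replace(rec, email=pseudonymize(rec.email), name="", pseudonymized=True)
                pseudonymized += 1
                audit.append(f"{rec.record_id}: expired ({rec.purpose}); pseudonymized")
            kept.append(rec)
        else:
            deleted += 1
            audit.append(f"{rec.record_id}: expired ({rec.purpose}); deleted")
    return {"kept": kept, "deleted": deleted, "pseudonymized": pseudonymized, "audit": audit}


# Constructed reference time and sample data (not real people).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_records():
    def ago(days):
        return SAMPLE_NOW - timedelta(days=days)

    return [
        Record("r1", "account", ago(10), "alice@example.com", "Alice"),
        Record("r2", "account", ago(400), "bob@example.com", "Bob"),
        Record("r3", "analytics", ago(5), "carol@example.com", "Carol"),
        Record("r4", "analytics", ago(45), "dave@example.com", "Dave"),
        Record("r5", "support_ticket", ago(200), "erin@example.com", "Erin"),
        Record("r6", "marketing", ago(900), "frank@example.com", "Frank"),  # no rule defined
    ]


def run_demo():
    return sweep(sample_records(), SAMPLE_NOW)


if __name__ == "__main__":
    report = run_demo()
    print(f"kept={len(report['kept'])} deleted={report['deleted']} pseudonymized={report['pseudonymized']}")
    for line in report["audit"]:
        print(line)
```

The sweep is written to be idempotent (running it twice over the same data changes nothing the second time) and to refuse to act on a purpose that has no documented retention rule, which is exactly the gap an auditor asking "how long do we keep the data?" will look for. The audit lines are the evidence the record-keeping item in the compliance checklist calls for.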
Registration Page Checklist
Keep the following requirements in mind when designing your registration page:
- The number of fields must be minimal and reasonable.
- It must be clear to the data subject what they are consenting to. You must give them granular control over what marketing materials they receive from you, not just lump all consent into one checkbox. You need a separate checkbox if you want to enable users to subscribe to a mailing list.
The following documents are required:
- Personal data protection policy
- Inventory of processing activities
- Security incident response policy
- Data breach notification form to the supervisory authority
- Data breach notification form to the data subjects
- Data retention policy
The following policies can be combined in a single information governance policy:
- Data disposal policy
- Backup and business continuity policy
- System access control policy
- SLA and escalation procedures
- Cryptographic control policy
- Disaster recovery and business continuity policy
- Coding standards and roll-out procedure
- Employment policy and processes
- User termination policy
- Audit policy
- Risk assessment policy
- Awareness & training policy
Data Protection Checklists
The GDPR does not specify particular security controls for compliance, but it does require you to honor the principle of data protection by design and by default. The following checklists will help you implement appropriate technical and organizational measures and practices.
Technical Data Protection Checklist
- Network security — Network security design, firewalls, VPN access
- Encryption for data at rest — Whole disk encryption, database encryption
- Encryption for data in transit — HTTPS, IPSec, TLS, PPTP, SSH
- Access controls (physical and technical)
- Intrusion prevention and detection
- Health monitoring
- Regular backups
- Backup encryption
- Multifactor authentication, strict authorization
- Antivirus solution
- Regular infrastructure scans
- Software installation policy, software update policy, equipment upgrade policy
Organizational Data Protection Checklist
- Due diligence — Your security measures are moot if you pass data to third parties who cannot guarantee data protection. Thoroughly checking your suppliers and service providers is as important as internal audits and reporting.
- Reviews & audits — To ensure that your policies and procedures are effective, you should conduct regular policy reviews and audits.
- Awareness & training — You need to ensure that your employees and contractors are aware of legal risks and have proper skills.
- Management information & reporting — Regular reports to senior management are essential to enterprise-wide accountability, as well as for obtaining adequate funding and other resources for GDPR compliance.