The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 to implement a stricter data protection law across the EU member states. Organizations that process the data of EU data subjects, irrespective of their location, were soon left wondering what it meant for them. The Regulation consists of 99 articles and 173 recitals. Read our guide to GDPR for more information.
Complying with the Regulation is an uphill task, and it will take considerable time to prepare. This article provides a simple checklist to see if you are GDPR-ready.
☐ Document what type of personal data you hold, its source, who it will be shared with, where it is stored, and for how long.
☐ Document the intended purpose of storing and using the data.
☐ Perform an audit to map the data flow.
☐ Your processing activities meet all the GDPR principles:
- Data is processed lawfully, fairly, and in a transparent manner.
- Data is processed only for the intended purpose.
- Only the data required for the processing is collected.
- Data is accurate and up to date.
- Data is not kept longer than necessary.
- Collected data is kept safe.
- You are able to justify your compliance with the GDPR.
Lawful Basis of Processing
☐ Identify and document your lawful basis of processing:
- explicit consent from the data subject;
- contractual obligation;
- legal obligation;
- vital interest of the data subject or another person;
- a public task, or you are a public authority;
- your legitimate interest.
☐ The processing will not put the fundamental rights and freedoms of the data subject at risk.
If the processing is based on consent:
☐ The consent is freely given, specific, informed, and unambiguous.
☐ The consent request is written in clear and understandable language.
☐ It is as easy to withdraw consent as it was to grant it.
☐ The data subject is aware of the opt-out option before giving consent.
☐ Log the status of every consent.
☐ Ask for parental consent for children below the age of 16 years.
☐ Refresh consent if the existing consent does not fulfil the GDPR requirements.
☐ Stop the data processing if consent is withdrawn.
☐ Regularly review the policy.
Data Subject Rights
☐ It is easy for data subjects to request and exercise their rights:
- be informed what type of personal data you hold, its source, the purpose, who it will be shared with, where it is stored, and for how long;
- access their personal data;
- rectify inaccurate and outdated data;
- restrict the processing of their data;
- have their data transferred back to them or to another controller;
- object to the processing of their data; and
- have their data processed by manual methods instead of automated means.
☐ Proper measures are in place to respond to requests without undue delay.
☐ Security measures are taken from the beginning of a process to the end.
☐ Everyone in the organization is aware of the security policy.
☐ Apply data masking techniques such as pseudonymisation and encryption to protect personal data.
Data Protection Impact Assessment (DPIA)
☐ Carry out a DPIA before processing personal data.
☐ Analyse and document all the possible risks and the measures to address them.
Data Protection Officer (DPO)
☐ Appoint a DPO if you deal with large-scale processing of data.
☐ Provide the contact information of the DPO to the supervisory authority and to data subjects.
☐ Adequate measures are in place to identify, report, and tackle data breaches.
☐ Notify the supervisory authority within 72 hours of the breach.
☐ Notify the affected data subjects and advise them of an action plan.
The data matters. You must take all necessary steps to protect it and give the data subjects more control over their personal data.
Disclaimer: This article should NOT be treated as legal advice. The purpose of this article is to provide general information only. For any legal advice, please contact a lawyer specialized in GDPR.