General Data Protection Regulation Compliance Checklist
GDPR Compliance Checklist
General Data Protection Regulation (GDPR) already took effect on 25 May 2018. The new regulation will cover all business entities who are collecting & processing personal data from EU citizens. Most of companies have already started GDPR compliance while some of them are still on preparing. Today, we will give you a checklist to help you understand the main parts of the compliance. You will gain an understanding of where your company’s gaps are toward to the compliance, also to know how to meet the GDPR requirements.
- Corporate Governance
- Carry out privacy impact assessments (PIAs)
A privacy impact assessments/PIA (also known as “data protection impact assessment” or DPIA) is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks. Many companies carry out PIAs as a matter of routine.
PIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm - to individuals or to society at large, whether it is physical, material or non-material.
- Data Protection Officer (DPO)
The GDPR introduces a duty for an organization to appoint a data protection officer (DPO) if it is a public authority, or if it carries out certain types of processing activities. DPO assist a company to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding PIA and act as a contact point for data subjects and the supervisory authority.
- Staff Training
GDPR explicitly requires all companies that deal with or collect personal data to have staffs training in place. It is thus required to create a training plan to ensure staffs who handle personal data of other staffs or customers handle it in accordance with GDPR. In addition, companies will now be required to evidence their compliance with GDPR and therefore staff training plan and the recording and monitoring of staff training will be a vital aspect of evidencing that your company is complying with the GDPR.
- Codes of Conduct and Certification Mechanisms
Codes of conduct may be created by trade associations or representative bodies. Signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.
- Key Issues Regarding Data Subjects
- Lawful basis for processing
The processing of personal data is only lawful if it is permitted by the GDPR. In other words, companies must have at least one lawful reason for processing, which can include the individual’s consent, contractual necessity, legal obligation, regulatory requirements or public interests.
Consent is one of the lawful bases for processing the personal data. Please make the consent request prominent, concise, separate from other terms and conditions, and easy to understand. The website must ask users to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate options to consent to different purposes and different types of processing. The website must provide means to the user so that they can withdraw his or her consent for anything.
A child’s personal data merits particular protection under the GDPR. Please identify whether you process personal data of children. If data relating to a child will be processed, ensure that notices directed at that child are “child-friendly” and if consent is relied upon, you have implemented a mechanism to seek parental consent.
- Privacy notices—staffs
GDPR puts higher requirements on the privacy notices provided by employers to employees, especially in terms of the personal data (employee information the employer holds about them, how it used, and with whom the information is shared). Employers can deliver privacy notices to their staff in whatever ways are most appropriate. Employers should also consider whether it is appropriate to have different, tailored privacy notices for different types of individual in your business.
- Privacy notices—customers
GDPR imposes new requirements on companies so that they provide customers with a series of rights towards data, such as right of erasure, right of portability etc. Companies should use clear, straightforward language, and adopt a simple style so that their audience will find easy to understand. Use words evidencing customers’ rights in GDPR is a must.
- Data breaches procedures
The GDPR introduces a duty on all companies to report certain types of personal data breach to the relevant supervisory authority. companies must do this within 72 hours of becoming aware of the breach, where feasible. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. In addition, they should inform individuals concerned directly as soon as possible.
- Security/technical measures to protect data
The GDPR requires companies to process data securely, and provides more specifics about it. Therefore, companies should choose their technical measures based on the nature, scope, context and purposes of companies’ processing, and the risks posed to individuals. In addition, no matter what types of security measures, companies are required to have process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place.
When considering physical security, you should look at factors such as:
the quality of doors and locks, and the protection of your premises by such means as alarms or CCTV;
how you control access to your premises, and how visitors are supervised;
how you dispose of any paper and electronic waste; and
how you keep IT equipment, particularly mobile devices, secure.
When considering cybersecurity, you should look at factors such as:
system security – the security of your network and information systems, including those which process personal data;
data security – the security of the data you hold within your systems, eg. ensuring appropriate access controls are in place and that data is held securely;
online security – e.g. the security of your website and any other online service or application that you use; and
device security – including policies on Bring-your-own-Device (BYOD) if you offer it.
- Data Export (International)
- Cross-border data flows
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. Companies should firstly identify all cross-border data flows and review data export mechanisms, and then update cross-border mechanisms if necessary based on the requirement under GDPR.
- Additional global data privacy compliance requirements
For companies which transfer personal data outside the European Union, it is better to consider the applicability of other requirements besides GDPR to get better prepared to international data protection (for example, whether there are differences among data protection requirements in different countries).
- This Checklist presumes that a company processes both employee and customer personal data, including special categories of personal data.
- While specialized focus areas can trigger additional regulatory compliance obligations (e.g., healthcare, finance, education), the checklist concentrates on commonalities.
- We recommend that you consult with expert counsel to customize any plan for your organization’s unique needs.
Dewit Law Office, established in 1945, is headquartered in Brussels, Belgium. Dewit Law Office has always provided professional legal services to clients and dealt with a number of cases throughout Europe. As a member of SILFA, Dewit Law Office has a long-term relationship with law firms spanning the Netherlands, Luxemburg, France and Germany and provides efficient legal services to clients there.
Dewit Law Office established their Beijing office in 2009, where they not only provide legal services for European clients, but also assist Chinese firms when it comes to developing their business in Europe.