GDPR Checklist: 13 Steps to Compliance
Are you ready for the new European Personal Data Policy? We recently put together a post summarizing how the GDPR will impact your business.
But practice beats theory, so we have prepared a checklist with the questions you should ask yourself to make sure you become compliant with the new regulation.
If you need help with any of the points in the GDPR checklist, feel free to get in touch. We are ready to guide you through the process.
Already started? Scroll down to your current stage of compliance:
- Create awareness and responsibility
- Conduct an assessment and information audit
- Make a GDPR compliance plan
- Implement and test data subject requests
Create GDPR Awareness and Responsibility
1. Assign a Data Protection Officer in your company to get familiar with the new law and understand how it applies to your unique setup.
The GDPR document is hundreds of pages long, and poses a big challenge both for three-person small businesses and for corporate behemoths with their own legal department.
Depending on your size and resources, this might be a specialist new hire or an internal employee with a high-level view of systems, processes and teams, as the regulations are likely to affect multiple departments.
Some companies are required to employ a Data Protection Officer. Find out more here.
2. Make sure key internal people are informed early on of the impending law change.
The team should understand the impact the implementation could have on resources, and the repercussions of not complying.
Conduct a data assessment and information audit
3. Find out what PII (Personally Identifiable Information) you are collecting
- Is it only generic information?
- Or do you also collect sensitive information (ethnic data, children’s data, medical or biometric data)?
4. Identify where you are collecting it
Draw a map of all the data collection points to help you with this. List all contact forms, manual data input channels, and automatic data gathering processes on your website or digital products.
Some ideas to help you cover all bases: PII can be submitted directly by a user via a web contact form. You are probably tracking their browsing behavior via a website analytics tool. Maybe you are also getting information via third parties (e.g. the Facebook Connect tool which offers single sign on across multiple sites, or credit scoring services). Your Sales Team are likely to be manually uploading information about users in a CRM, and your HR team is almost definitely gathering personal information from job applicants via your careers page.
5. Review how and where you store this information
- Is all the information stored in the EU or do you transfer it elsewhere? If you transfer data outside the EU you should check there are adequate safeguards in place. More detailed information here
- Is it stored with sufficient security? Are you encrypting, pseudonymizing or anonymizing the information? This may reduce the legal and financial implications of a data breach
6. Check who you share the information with
Make a list of people and processors who have access to personal data and review their permissions and commitment to compliance. Some contenders to get you started:
- Internal staff and teams
- Partner organizations or clients
- Third party analytics, marketing and newsletter tools (such as Mailchimp, Mandrill, Hubspot). Note: if you are using Google Analytics, Google has a plugin to anonymize IP addresses, which could be classed as personal information in some (as yet not completely clear) circumstances
- Cloud-based CRM or ERP
Make a GDPR compliance plan
7. Figure out what internal buy-in you need to be ready for May 25th 2018
- Do you need to assign extra resources to the project to make sure you are compliant before the deadline?
- After the 25th, do you need a Data Officer to make sure you stay compliant?
Implement and test data subject requests
8. Make sure you are ready to gather and record consent
- Is the user sufficiently informed about you storing information at each collection point and how you will use it?
- Are you following the new guidelines on consent and not using pre-ticked opt-in checkboxes?
- Can you record when that consent was given and exactly what the user consented to? If the user or regulator asks for this, you’ll need to be able to provide it.
- Would it be worth creating an “opt-out” page where the user can choose to receive an opt-out cookie?
9. Check how your privacy notices and contractual agreements are shaping up post regulation
Internal policies: you should also update your privacy statements and internal policies according to the new law.
Cookie banner: Have you reviewed your cookie banner? A soft consent “By using this site, you accept cookies” statement will not be enough after May 25th. Your banner should also make it clear to visitors exactly what you are tracking and why. It is likely that more and more companies will be implementing comprehensive cookie banners as part of their efforts to comply. If your website or app is missing this, your visitors could start to wonder why!
- Have you reviewed contracts with third party processors to make sure they comply?
- Have you reviewed contractual agreements with customers and employees to make sure they comply?
10. Test if you are able to comply with a request from a data subject
Test an access request from a data subject and see if you can single out the data that belongs to them, then modify it, successfully delete it, or provide it to them.
11. Define your data breach procedure
What will happen in case some data is lost? Are you ready to inform all the affected data subjects within 3 days?
12. Make a plan for how long to retain and how often to audit data
- Do you review and audit the data you hold on a regular basis?
- How long do you keep the data and when should you clear it from your servers?
- Do you have a policy on data retention for customers, employees, leads and partners?
13. Ask your team if they are ready to comply
- Are all our necessary teams informed about this new regulation and its impact on their work?
- Are the new processes and procedures adequately documented internally?
- Is everyone in the organization aware of the risks and potential process changes?
Disclaimer: This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.
Need more guidance? Talk to us about your GDPR compliance needs