Aug 20, 2020

How to Check If You Align with the Data Privacy Law: A GDPR Compliance Checklist

Times of the fuss around the GDPR introduction is over - now it’s the law that all organizations dealing with personal data of EU residents have to comply with; otherwise, a violation will lead to inevitable financial consequences. How to ensure that your organization is GDPR compliant?

Challenge of GDPR Today

The General Data Protection Regulation (GDPR) has standardized data protection across all 28 EU countries and imposed stringent new rules on processing and controlling personal user data. All websites collecting data from EU residents are obliged to align with GDPR compliance requirements. If they don’t, they may be fined up to 4% global turnover (or EUR 20 million). So, if people from the European Union frequently visit your website, it pays to be prepared. 

What Is GDPR Compliance   

Being GDPR compliant means executing all the regulations and subscriptions issued by the General Data Protection Regulation that apply to your organization. 

You are eligible to GDPR if:

  • Your company processes any data from any data subject who is EU citizen; 
  • You expect customers (or visitors to your website) from Europe;
  • There is even a small possibility that you may collect data from an EU citizen;
  • Any of your third-party vendors collect information on behalf of you in Europe.

How to Check If You’re GDPR Compliant: Three Basic Steps

Here’s a short GDPR compliance checklist for US companies and those located in the EU on how to become GDPR compliant.

The Law-related Part

Info audit: What data do you process

Organizations must keep an up-to-date and detailed list of their processing activities. This list should include answers to the following questions: 

  • For which purposes do you process data, 
  • What kind of data you process, 
  • Who has access to processed data in your organization, 
  • What third parties have access to this data and where they are located, 
  • What are you doing to protect the data (e.g., encryption),
  • When do you plan to erase collected data (if possible). 

The regulators may request to submit this list to them at any time.

What’s your legal justification for your data processing activities

According to GDPR, processing data is illegal unless you justify it by one of six conditions (Article 6, Articles 7-11).

  • Consent 
  • The necessity for the performance of a contract 
  • Compliance with a legal obligation 
  • Protection of vital interests of people
  • Task performance of public interest or official authority
  • Legitimate interests. 

After you choose a lawful basis for processing, you should document your rationale.

How transparent is your privacy policy 

Setting up a clear privacy and cookie policy is one of the primary GDPR compliance requirements. Here’s what your privacy policy should include: informing people that their data is being collected;  the purpose of gathering data; information processing activities; information about people who have access to collected data; measures to be taken to keep the collected data safe. 

Provide your privacy policy to people before or at the time you collect their data. Make it easily accessible on your website and use simple language. 

The Information Security Part

Data protection by design and by default

To be GDPR compliant, you must incorporate strict data protection concepts into the core of your organization, following the principles of “data protection by design and by default, ” outlined in Articles 5 and 25. Take all technical and organizational measures to ensure the safety of the data you collect and process. 

Pseudonymization and encryption 

To keep the data safe, the GDPR requires companies to use encryption or pseudonymization whenever possible (Article 32). 

Internal security policy

Set up strong operational security. Your internal security policy must ensure that your employees and team members have sufficient knowledge about data security. Besides, it should include guidance about passwords, VPNs, two-factor authentication, email security, and device encryption. Make sure that personnel with access to personal data receives extra training.

Data protection impact analysis (DPIA)

DPIA helps you understand how your service or service could threaten your customers’ data and how to mitigate those risks. You are obliged to conduct DPIA whenever you plan to use collected data to pose a high risk to the rights and freedoms of data owners.  

72 hours notification deadline about data breaches

In case of a data breach and personal data exposure, you have 72 hours to notify the regulator in your jurisdiction about the incident. Besides, you are obliged to inform the affected people about the risks the breach imposes on them. 

Accountability

Assign a DPO or a responsible contact person

The Data Protection Officer is a person who monitors GDPR compliance, advises on data protection impact assessments, performs data protection risk analysis, and cooperates with data protection authorities. If your organization operates outside of the EU, you must appoint a representative in that country to contact on your behalf with the regulators.

Sign a data processing contract with your vendors

If any third-party vendors manage any information about your data subjects (e.g., email services, analytics software, or cloud servers), they must comply with the GDPR. Typically, their websites must contain a data processing agreement.

GDPR Cheat Sheet

These simple things will help you to implement the data privacy law in your organization successfully

 GDPR Cheat Sheet

Remember of Your Customers’ Privacy Rights

There are several privacy rights that GDPR designates and strictly controls. You have one month to handle the right-related request in most of them, and in each case, you must try to verify the identity of the person making the request.

The right to be informed. People have the right to see what personal data you have about them and how you’re using it.

The right of access. People have a right to know how long you plan to store their information and why you will keep it. A copy of this document must be sent to your data subjects.  

The right to rectification. Keep data up to date by setting a data quality process, so your customers can easily view and update their personal information.  

The right to erasure. People have the right to ask you to delete all the personal data you have about them. There are five grounds on which you can deny the request, such as exercising freedom of speech or compliance with a legal obligation. 

The right to restrict processing. People can request to restrict or stop processing their data if there’s some dispute about the lawfulness or the accuracy. Notify data subjects before you start processing their data again.

The right to data portability. You should be able to send people’s data that would be easy to read, e.g., a document or a spreadsheet either to them or to a third party they define.  

The right to object. If you’re processing data for direct marketing, people can request to stop processing it immediately.  

Rights concerning automated decision making and profiling. If your organization deploys automated processes for decision making, you’ll need to set up a procedure to ensure you are protecting persons’ rights, freedoms, and legitimate interests. It should be easy for data subjects to make decisions and request human intervention.

What You Need to Know About the Consent in GDPR

Consent is mandatory and must be verifiable. The GDPR states that a consent a user makes must be a positive opt-in, specific, freely given, and unambiguous. Consent should stand separately from other terms and conditions, and you must inform people how they can withdraw their consent. 

GDPR and COVID-19: What Has Changed?

The European Data Protection Board has adopted new guidelines on personal data usage to track the Covid-19 outbreak. One of them is guidelines on geolocation and other tracing tools. They allow controllers to use location data and contact tracing tools in two specific cases:

  • For modeling the spread of the virus for evaluation of the overall effectiveness of quarantine measures;
  • For notification of people who are likely to have contacted virus carriers.

Get the Right Software for GDPR

Manual data management in compliance has long gone into the past – most companies choose to implement data privacy laws and other regulations and standards through automated compliance solutions. These tools allow operators to gain a holistic approach to compliance and eventually save much time. Infopulse SCM is the solution that supports the establishment and operation of a robust data protection management system (DPMS) in your organization. It enables you to meet the requirements of GDPR and other relevant regulations. 

With the help of the software, you will handle risk management, tracking measures, reporting, and evaluations. Besides, the process of collection of possible incidents will be gathered and processed.  

Final Word

The maintenance of GDPR is a challenge for many organizations. For your GDPR compliance to be on the top, it together with an automated compliance software to control assets, generate quick reports, provide instant access to all the data, etc. 

If you are eligible for any other laws or regulations, the GRC solution will enable you to manage multiple standards under one umbrella. You will gain significant benefits and maintain a holistic approach regarding your compliance strategies.

Request a trial

Try it!

Request your personal 15-days trial to find out how Infopulse SCM can optimize and streamline your compliance management. Please fill out this form, choose the standards and features you are most interested in. Our consultants will be glad to deliver a personalized webinar for you explaining step by step all the benefits of the SCM adoption.