
12-Step GDPR Compliance Checklist

If your company operates within the European Union (EU) you may have to comply with a range of privacy requirements known as the General Data Protection Regulation (GDPR).

If you do have to comply with these requirements, you may need to prove that you’ve been given consent to hold personal data and be able to show the ways the data was used, as well as be able to demonstrate the actions you have taken to protect the data.

Find out more about this requirement and how you can ensure successful compliance with the regulations in this article. We also have a 12-step GDPR compliance checklist you can follow so your organization can succeed.



Table of contents

What is the General Data Protection Regulation

History of the GDPR

Why you should comply with the GDPR

What are the key requirements of GDPR?

What is Considered Personal Data Under the EU GDPR?

Who Does the GDPR Apply To?

Does the GDPR apply to US companies?

12-Step Checklist to be GDPR-Compliant

Communicating with employees about the GDPR requirements


What is the General Data Protection Regulation

The General Data Protection Regulation (GDPR) was introduced by the European Union, which describes it as “the toughest privacy and security law in the world”. 

The GDPR was introduced to keep people’s data safer and to give them more control over how their personal information is used. Harsh fines can be imposed on those who violate the privacy or security standards set by the GDPR, with financial penalties of up to tens of millions of Euros.

And while the law was drafted and passed by the EU, it actually imposes obligations on organizations anywhere in the world if they target or collect data related to people who are located in the EU. Many organizations around the world have already adapted their business practices to comply with the GDPR. If yours hasn’t done so already, it is strongly encouraged that you make plans to do so.

History of the GDPR

The GDPR came into effect on 25 May 2018 after passing the European Parliament in 2016.

The need for the GDPR stemmed from the 1950 European Convention on Human Rights which provides for everyone to have the right to respect for their private and family life, their home and their correspondence. The EU has introduced legislation to ensure the protection of this right.

As technology advanced and the internet became a major part of people’s lives, the EU sought to introduce more modern protections. In 1995 it introduced the European Data Privacy Directive, which established minimum security and data privacy standards that each EU member state based its own laws on.

As time went by and technology advanced at a rapid pace, the growing amount of data available on the internet and the privacy breaches that were cropping up showed that the Data Privacy Directive had become outdated, and its application across the EU had not been consistent. The European Parliament sought to implement a single new data protection law that would be stronger, offer citizens more protections, and be easier to enforce across the EU.

Why you should comply with the GDPR

The upshot of complying with the GDPR is that your organization can avoid significant fines and legal fees. But when you delve a little deeper into GDPR compliance, you’ll find there are other key reasons you should prioritize it:

  • Maintains the trust of customers and other stakeholders when you protect their data
  • Ensures the reputation of your company is not damaged or tarnished
  • Gives your company an advantage over competitors who may not be as vigilant about privacy
  • Helps to embed improved data management practices within an organization, including better data security and increased efficiency
  • Helps to raise employee awareness about the importance of privacy and data protection, and helps to reduce the risk of human error
  • Provides better oversight of data management practices so that your company is better able to respond to future changes and requirements.

Since the GDPR was introduced, fines have been issued against companies in amounts that vary with the severity of the noncompliance.

According to Forbes, these fines have ranged from “modest amounts to staggering multi-million-euro penalties.”

What are the key requirements of GDPR?


The GDPR is complex legislation that might be difficult to understand. In fact, it runs for more than 85 pages. Even if you don’t have time to read the legislation in its entirety, there are some key requirements you should be aware of. Please note, however, that this is not a substitute for getting your own legal advice.

The ten key requirements of the GDPR are as follows:

  1. Lawful, fair and transparent processing

Companies that process personal data must ensure this is done in a way that is lawful, fair and transparent. This means they should have legitimate purposes for processing the data, they should take responsibility for not processing the data for any purpose other than the legitimate one, and they should inform data subjects about the processing activities carried out on their personal data.

  2. The limitation of purpose, data and storage

The GDPR expects companies will limit the processing and only collect data that is necessary and not keep personal data when the purpose of the processing is complete.

Essentially this forbids the processing of data outside the legitimate purpose for which it was collected, mandates that no personal data other than what is necessary is requested and asks that personal data is deleted once the legitimate purpose for which it was collected has been fulfilled.

  3. Rights of the data subjects

The GDPR gives data rights to those who are subjects of the data. These are:

  • The right to be informed - you must tell individuals about the data that’s being collected, how you’ll use it, how long you’ll keep it and whether it will be shared with third parties.
  • The right of access - individuals can request organizations to provide a copy of any personal data that’s held about them and the organization has one month to produce the information.
  • The right to rectification - when an individual discovers an organization is holding inaccurate or incomplete information about them, they can request that it is updated.
  • The right to erasure - people are able to request that organizations erase their data in certain circumstances, such as when it is no longer necessary, if it was unlawfully processed, or if it no longer meets the lawful ground for being collected.
  • The right to restrict processing - this applies when individuals no longer use the service or product that the data was collected for, but there are reasons the organization needs it such as to establish, exercise or defend a legal claim.
  • The right to data portability - people are permitted to obtain and reuse their own data for their own purposes over different services.
  • The right to object - data subjects are able to object to companies processing their personal data. This must be honored unless you’re able to prove your organization has a legal basis for processing it.

  4. Ensure technical and organizational safeguards are in place

Appropriate technical and organizational measures must be put in place to ensure that customer data is handled securely. While the legislation doesn’t specify the exact measures that companies have to implement, it does require the organization to assess the risks in processing EU data, put security measures in place that mitigate those risks, and ensure the availability of appropriate processing systems and processes.

  5. Ensuring consent

Consent to collect and retain data needs to be explicitly given and in requesting it, organizations should ensure that it is kept separate from any other terms and conditions.

Consent should be:

  • Freely given and not coerced
  • For a specific purpose and not vague or overly broad
  • Informed - people should understand what they are consenting to
  • Unambiguous and expressed in a clear and affirmative way, for example ticking yes to an opt-in check box.

It’s also a requirement that individuals can withdraw their consent easily.

  6. Sending breach notifications

If there is a data breach, the GDPR requires that the affected data subjects are notified within 72 hours. If this isn't possible, there needs to be an acceptable justification for the delay.

A breach notification must describe the scale and nature of the breach, including how many people and data records were affected; explain what the likely consequences of the breach are for the affected person; share the steps that have been taken to address the breach; and list a name and contact details of a data protection officer where the affected individual can get more information.

  7. Keeping a Personal Data Breach Register

Organizations must establish and maintain a register of personal data breaches. Based on the severity they also have to inform the regulator, as well as the data subject, within 72 hours of identifying the breach.

  8. Designing with privacy in mind

The GDPR requires organizations to consider data privacy and protection when they’re designing any new products or services. It requires them to think about what personal data they may need to collect from customers at every stage of development, and to identify how they will keep that data safe.

  9. Data Protection Impact Assessments

When people consent to their data being collected or processed, they take on a level of risk that their data could be stolen, leaked or used for a variety of fraudulent and illegal purposes. Producing a Data Protection Impact Assessment will explain how your organization identifies and minimizes these risks.

  10. Restrictions on personal data transfers

There are strict conditions imposed on the transferring of personal data outside of either the EU or the European Economic Area. In cases where this happens, the GDPR requires that the organizations involved adopt appropriate data protection safeguards.

What is Considered Personal Data Under the EU GDPR?

According to the GDPR, personal data is all of the information that relates to a person who is either identified or identifiable. It says that any information that may be assigned to a specific person - or makes a person identifiable - is personal data.

Generally, things like name, address, date of birth, occupation, driver’s license details, government identification numbers, employment details, telephone numbers and email addresses can be considered personal data. However, it isn’t always straightforward.

Writing on the IT Governance European Blog recently, author Luke Irwin opines that the GDPR doesn’t actually provide a definitive list about what is and what isn’t personal data. He writes that “in certain circumstances, someone’s IP address, hair color, job or political opinions could be considered personal data” while in other circumstances, their name might not be because many names are not unique. However when the name is combined with other information like a place of work or telephone number, it then becomes personal data.

Who Does the GDPR Apply To?

The GDPR is binding on the 27 member states of the European Union and the European Economic Area.

However, the GDPR applies to any company or entity that collects and uses EU citizens’ data, no matter where the company is based. This can include businesses both within and outside the EU who offer goods or services to, or monitor the behavior of EU citizens.

Does the GDPR apply to US companies?

As outlined above, if your company is collecting EU citizens’ data, GDPR will apply to you even if you are located in the United States of America.

It applies if you provide goods or services that are accessible to people in the EU or European Economic Area, even if there has been no monetary transaction. It also applies if you monitor the behavior of people located in the EU or European Economic Area, which refers to collecting, using or analyzing information about these users.

Data Protection Authorities from EU member states enforce the GDPR and can impose fines on US businesses that breach the legislation. Fines of up to $12 million US dollars are at stake. If your company has EU/EEA-based assets like real estate or bank accounts, they could be seized for failing to comply with the GDPR.

There have been many fines for GDPR noncompliance levied against US companies since the legislation came into force in 2018. Some of these have been incurred by big name companies like Meta, Google and Clearview AI.

Some businesses actively block their websites from users in the EU so that they can avoid fines. However, this isn’t always good economic sense, as it means you risk losing customers and major parts of your revenue stream.

12-Step Checklist to be GDPR-Compliant

We’ve produced the following checklist that you can use to help you to embed GDPR compliance practices within your organization. This is a basic checklist, and you may have more complicated requirements that are not captured here. However, this is a good place

  1. Is my organization subject to the GDPR?

It’s important to determine if you need to comply with the GDPR in the first place.

The GDPR will apply if you answer yes to any of the following questions:

  • Do you have operations in the EU?
  • Do you offer goods and services, regardless of whether people get them for free, to people who are located in the EU?
  • Do you monitor the behavior of people who are in the EU?

  2. Make an inventory of your Personal Data Processing Activities

Make an assessment of the types of data that your company already has and how it is used. It’s important to understand the following:

  • The category of data that you collect
  • Any specific data elements that are involved
  • How you collect the data
  • How you process the data
  • What is the purpose of the processing
  • Who can access the personal data within your organization
  • Who do you share the data with outside of your organization
  • How long do you keep the data for

This will help you to determine the areas of your existing practices that will need to be examined for compliance.

  3. Determine if you have to appoint a Data Protection Officer (DPO)

The GDPR requires that some organizations appoint a DPO to oversee the data protection strategy and its implementation within the organization. Not all organizations are required to appoint one.

A DPO should be an expert on data protection who can monitor GDPR compliance within your company, assess any data protection risks, provide advice on data protection, and cooperate with regulators if necessary.

If any of the following applies, you will need to appoint a DPO:

  • Your processing is carried out by a public authority or body (not including courts)
  • The core activities of your organization include processing that requires the regular and systematic monitoring of data subjects
  • Your core activities consist of large-scale processing of special categories of data

When you have appointed a DPO, the GDPR requires that you “shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”

  4. Ensure the security of data processing

The GDPR requires that businesses protect their customers’ data and keep it secure through means such as encryption. This helps to ensure that it cannot be accessed by hackers.

Undertake a risk assessment to determine if there are any technical or organizational measures that need to be implemented to ensure compliance with the GDPR.

Where you determine there are further steps you could take to make data more secure, you should make immediate plans to do so.

  5. Determine if you need consent for your processing activities

The GDPR requires you to always have consent when you collect any data at all on your customers. This applies to any data that you collect via forms and even aspects of customer data such as using cookies and customer tracking on your website.

  • Is processing being done on someone aged under 16? If so, you will need to get consent from a parent or guardian.
  • Are you processing data that falls under Article 9 of the GDPR, which states “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”? There are times when this type of data can be collected with consent, which is outlined here.
  • If you are processing data based on Article 10 of the GDPR, which involves “processing of personal data relating to criminal convictions and offences or related security measures”, you need to be aware of the requirements for this category of data.
  • If processing is based on consent, ensure you have followed the requirements listed under Article 7 of the GDPR.
  • If you obtained consent before the GDPR came into effect, determine if this consent is still valid under the GDPR requirements.

  6. Review and update the procedures you have in place for people to submit data requests

Under the GDPR, people have the right to access the personal data you hold on them, to have any inaccuracies corrected, and to request its deletion or portability.

In order to comply with this requirement, you should check your current procedures and policies (or, if you don’t have any, establish them) to ensure they:

  • Are easy to understand and use
  • Can handle requests in line with the requirements of the GDPR
  • Can verify the identity of the person making the request to prevent unauthorized access to personal data

  7. Update your existing consent

You must clearly inform people about why you’re collecting their data and how you intend to use it. This applies to a wide range of forms on websites, offline marketing and sales. People must also be able to easily withdraw consent at any time.

In determining whether you need to update your consent, ask these questions:

  • Do your existing consent mechanisms meet the requirements?
  • Do your existing consent mechanisms enable people to easily withdraw their consent?
  • Have you implemented the GDPR “double opt-in” requirement, where people are sent an email confirmation after they sign up which they can click to confirm their subscription?

  8. Establish procedures for responding to the rights of Data Subjects

You need to ensure you have appropriate procedures in place to respond to any requests regarding the rights afforded to Data Subjects (the individuals you collect data about).

You need to:

  • Develop procedures responding to the right to be informed
  • Develop procedures responding to the right of access
  • Develop procedures responding to the right to rectification
  • Develop procedures responding to the right to erasure
  • Develop procedures responding to the right to restrict processing
  • Develop procedures responding to the right to object
  • Develop procedures responding to the right to data portability

When developing these procedures you need to ensure that you are making it as easy as possible for the data subjects to have their requests actioned. Being as transparent as possible in your dealings with people is the key.

  9. Establish policies, procedures and protocols for detecting, reporting and investigating data breaches

If your company experiences a data breach and any personal data is exposed, the GDPR requires that you notify your jurisdiction’s supervisory authority within 72 hours. In order to comply with this, you will need to ensure there is a range of detection, reporting and investigation protocols in place within your organization.

Questions to ask when determining if you need to implement or upgrade protocols include:

  • Do you have an effective breach detection system in place?
  • Do you have clear reporting procedures to inform the regulator, the affected user and internal management if there is a breach?
  • Do you regularly test and update these procedures?

  10. Establish a GDPR-compliant privacy policy

Your company should have a privacy policy that informs individuals about why and how you intend to use any data that you collect. It’s important to have this on your website so that people can easily find it - whether the information is through a web form or being gathered some other way.

To be GDPR compliant it should explicitly state what data will be used for - for example, email addresses may be used for marketing purposes.

To establish or update a privacy policy you need to:

  • Create a policy documenting your privacy practices
  • Integrate your GDPR privacy policy into your existing internal audit framework
  • Publish your privacy policy on your website.

  11. Implement Privacy by Design Elements

Put in place a process to ensure privacy is embedded in any projects you are undertaking that involve personal data.

This process essentially ensures that privacy is the default setting for any new initiatives that you undertake. Privacy should be considered at every stage from conception through to implementation.

This approach shifts the focus within the organization to preventing privacy-related issues from occurring, rather than simply complying with privacy laws.

  12. Ensure employees are trained in the requirements for personal data protection

It is critical that everyone in the company understands your compliance obligations under the GDPR.

  • Communicate the requirements for personal data protection to employees
  • Ensure the personal data protection obligations and your privacy policy are displayed prominently on your Intranet site
  • Provide mandatory training on this topic to employees
  • Provide mandatory annual refresher training on this topic to employees
  • Ensure this topic is covered in your employee onboarding processes.

Communicating with employees about the GDPR requirements

It’s important to ensure that your employees understand the company’s obligations to comply with GDPR legislation requirements.

Did you know that employee error is the most likely cause of a data breach?

According to a Stanford University report, 88% of data breaches happen because of an employee’s mistake.

Given that the GDPR is about protecting privacy and data, employees who don’t understand the risks and consequences are a risk.

At the end of the day, if they act in a way that puts people’s privacy and data at risk, the liability lies with the company, and the consequences are large.

These are the steps you should take with communication to ensure that your employees understand their obligations:

  1. Communicate GDPR policies, procedures and requirements

Have policies, procedures and other information about the GDPR in a place that can be accessed easily by all employees within your company - such as on the Intranet or Sharepoint.

You can use DeskAlerts to send every employee a link to these documents with a checkbox they have to tick to acknowledge that they have read the information. This helps to keep people accountable and they can’t say that they never saw the information.

Make sure that people know and understand the steps they must take if there is a data breach, and ensure that this information is also easy to find.

  2. Introduce training and education resources

While there will be generic training available for companies to understand what GDPR is and why they need to comply with it, it’s important to provide tailored education and advice to your employees that is specific and relevant to your organization and the work that it does.

This ensures that they can get a good understanding of how this legislation affects the company.

Training and education resources that are delivered should include mandatory training courses (online or in person) and fact sheets and information. You should also deliver refresher training as part of any annual compliance training that you conduct in your workplace. New hires should also be targeted and receive GDPR training on commencement with your organization.

Offer ongoing training and education around data security and privacy which is already necessary to protect your systems and information. There’s an added incentive now to do it because it is relevant to GDPR compliance.

  3. Clearly communicate what the consequences of noncompliance are

Employees need to understand what it means if the company fails to comply with GDPR requirements. Let them know what sorts of fines and penalties the company will face, as well as other consequences such as breach of trust, ruined corporate reputation and legal fees.

Additionally you should outline what the consequence for the employee will be. For example in some companies it might mean that anyone who willfully ignores the GDPR requirements is instantly dismissed.

  4. Create a culture of compliance within your organization

To ensure that employees comply with the GDPR requirements, you should embed a culture of compliance within your organization where all employees understand and actively work towards ensuring data privacy.

Provide your staff with the necessary tools and resources to do this. It goes beyond education and training - they also need to be backed up by the appropriate systems and processes to ensure that personal data is handled appropriately.

Encourage a ‘speak up’ culture where employees are able to report concerns and issues about data privacy without fear of reprisals from colleagues or managers.

  5. Lead by example

Leaders set the tone and the standards within an organization on every aspect of its operations, and GDPR compliance is no different. Leadership in your organization needs to be on board with the implementation of compliance activities and needs to lead by example when it comes to protecting personal data.

***

The GDPR is complex legislation, and failure to comply with it can have severe consequences for companies that do business in the EU. It’s crucial not only to understand the requirements, but to take appropriate steps to embed a culture of GDPR compliance within your organization. Our team of internal communication experts can show you the ways that DeskAlerts can communicate with your employees and deliver training and education materials on the GDPR requirements that are relevant to your business. Get in touch with them today for a free demo.
