GDPR Compliance Preparation Checklist The General Data Protection Regulation has been a reality since it was first agreed upon, in 2016. While processing is restricted, you're still allowed to keep storing their data. for example, by emailing upcoming changes of your privacy policy. 4) The categories of personal data concerned. Where are your servers/cloud services located? GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union. So it’s time to step back, run … Continued 5) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing. It changes over time. Privacy Policy. Another useful GDPR requirements’ checklist is one that presents you with the legal bases for data processing. The GDPR and its official supporting documents do not give guidance for situations where processing affects EU individuals across multiple member states. The same contract requirements apply when a processor engages a sub-processor to assist it in fulfilling processing activities on behalf of the controllerReference: Your customers can easily request access to their personal information. 5. Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.Reference: Make sure your technical security is up to date. Do your best to keep data up to date by putting a data quality process in place, and make it easy for your customers to view (Article 15) and update their personal information for accuracy and completeness. You should automate deletion of data you no longer need. Create an internal security policy for your team members, and build awareness about data protection. If you make decisions about people based on automated processes, you have a procedure to protect their rights. Some organizations, like public bodies, are not required to appoint a representative in the EU. The first starting point is to know about the … This does not applies if the decision: 1) is necessary for entering into, or performance of, a contract between the data subject and a data controller. It presents a one-page checklist for compliance designed to help you get your program started. Create a security policy that ensures your team members are knowledgeable about data security. This right applies in the following situations: 1) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. This is a basic checklist you can use to harden your GDPR compliancy. For example, you should automatically delete data for customers whose contracts have not been renewed.Reference: Your customers can easily request deletion of their personal data, Your customers can easily request that you stop processing their data, Your customers can easily request that their data be delivered to themselves or a 3rd party, Your customers can easily object to profiling or automated decision making that could impact them. restrict or stop processing of their data. 2. 4) The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.Reference: Right to be notified regarding rectification or erasure of your personal data or restriction of processing: The controller shall communicate any rectification or erasure of your personal data or restriction of processing. This information is : 1) The identity and the contact details of the controller and, where applicable, of the controller’s representative. There are a five grounds on which you can deny the request, such as the exercise of freedom of speech or compliance with a legal obligation. 6) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.Reference: Right to receive specific information when your personal data are not collected from you directly. You must notify the data subject before you begin processing their data again. GDPR Article 15 – Right of access by the data subject, GDPR Article 5 – Principles relating to processing of personal data, GDPR Article 17 – Right to erasure (‘right to be forgotten’), GDPR Article 18 – Right to restriction of processing, GDPR Article 20 – Right to data portability, Article 22 – Automated individual decision-making, including profiling, Watchdog service for terms of service: Terms of Service; Didn't Read, GDPR Article 7.2 – Conditions for consent, GDPR Article 7.3 – Conditions for consent, GDPR Article 8 – Conditions applicable to child’s consent in relation to information society services, DPIA according to the Dutch local authority (Dutch), GDPR Article 35 – Data protection impact assessment, GDPR Article 45 – Transfers on the basis of an adequacy decision, ComplianceRank - Track hosting center locations & hosting partners from cloud services & subprocessors. GDPR Compliance Checklist - In Conclusion. 4) Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party. This means that you should be able to send their personal data in a commonly readable format (e.g. We have broken this process down to a 10-step checklist that your company needs to follow to become GDPR compliant. Despite that, many companies are struggling to reconcile their data strategy with changing regulations and standards. Checklist 2: Assess your preparedness for the GDPR compliance Depending on the size of your organization or business it can be a hurdle to get properly prepared. GDPR Compliance Checklist 1. Share (Opens Share panel) Step 1 of 4: Lawfulness, fairness and transparency. Assess your current state by answering the following questions. Are you ready for the GDPR? GDPR Article 30 – Records of processing activities, GDPR Article 6 – Lawfulness of processing, GDPR Article 37 – Designation of the data protection officer, GDPR Article 25 – Data protection by design and by default, ComplianceRank - Keep track of the compliance of cloud services & subprocessors, GDPR Article 27 – Representatives of controllers or processors not established in the Union, GDPR Article 33 – Notification of a personal data breach to the supervisory authority, GDPR Article 34 – Communication of a personal data breach to the data subject, GDPR Article 29 – Processing under the authority of the controller or processor, ComplianceRank - Track hosting centers, DPAs & infrastructure partners from cloud services & subprocessors. It helps achieve many of the points in this checklist. If your organisation stores or processes personal data on behalf of another organisation, it is considered a processor. 5) The recipients or categories of recipients of the personal data, if any. Guide to the General Data Protection Regulation (GDPR) PDF, 2.25MB, 201 pages. For SaaS software companies, use the SaaS CTO security checklist as a starting point below.Reference: Train staff to be aware of data protection. For example, this could include a contract with your hosting provider. Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in Article 6. Designate someone responsible for ensuring GDPR compliance across your organization. The controller shall have the obligation to erase your personal data without undue delay where one of the following grounds applies: 1) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. 3) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. It's easy for your customers to object to you processing their data. Your data subjects can request to restrict or stop processing of their data if certain grounds apply, mainly if there's some dispute about the lawfulness of the processing or the accuracy of the data. 2) The contact details of the data protection officer, where applicable. Unless the data leaked was encrypted, you should also report the breach to the person (data subject) whose data you lost.Reference: There is a contract in place with any data processors that you share data with. 5) The recipients or categories of recipients of the personal data, if any. 2) The categories of personal data concerned. Nevertheless, a company is a living thing. A data protection impact assessment (aka privacy impact assessment) is a way to help you understand how your product or service could jeopardize your customers' data, as well as how to minimize those risks. This list should include answers to the following questions: If "legitimate interests" is your lawful basis, you must be able to demonstrate you have conducted a privacy impact assessment. The GDPR requires organizations to use encryption or pseudeonymization whenever feasible. Your business has conducted an information audit to map data flows. 3) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2). GDPR compliance is an ongoing project – a journey rather than a destination. It should be written in clear and simple terms and not conceal it's intent in any way. © 2020 Proton Technologies AG. The point is that it needs to be something you and your employees are always aware of. You must also try to verify the identity of the person making the request. GDPR compliance checklist. 3) The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations. In our final part of the series, we look at what is arguably the most important section of the checklist: privacy rights. Consumers and controllers will be … The checklist is not an explanation of the law or the extent of obligations on either controllers or processors under GDPR. If consent is given via your website, you should try to make sure approval was actually given by the legal guardian (and not by the child).Reference: When you update your privacy policy, you inform existing customers. In particular, a local authority should be able to contact this person.Reference: You report data breaches involving personal data to the local authority and to the people (data subjects) involved. Employees who have access to personal data and non-technical employees should receive extra training in the requirements of the GDPR. As you design and build your processes and services, GDPR compliance now dictates that privacy and security be a main feature from the outset. The essentials of the rule here are simple: if you’re storing personal data on residents of the European Union, then those servers should be located in Europe. Maybe you’ve reviewed your compliance budget or hired a new compliance manager and experienced changes around the GDPR.. You should explain how the data is processed, who has access to it, and how you're keeping it safe. You should check with a lawyer to make sure your organization fully complies with the GDPR. Before going through the GDPR checklist, it is important to repeat some basic steps. Scope and plan your GDPR compliance project. Preparing and implementing a sound compliance plan may take months or even years, depending on the resources you have and the amount of personal data you are dealing with. But from privacy standpoint, the idea is that people own their data, not you. GDPR.eu is co-funded by the Horizon 2020 Framework Programme of the European Union and operated by Proton Technologies AG. Download the Checklist. The full obligations contained in the GDPR should be consulted to check compliance against each issue. Your GDPR compliance checklist must include the steps employees will have to take when a breach of data regulation happens. Otherwise, you may be able to challenge their objection if you can demonstrate "compelling legitimate grounds.". You need to make it easy for people to request human intervention, to weigh in on decisions, and to challenge decisions you've already made. 1. They should consent by accepting your privacy policy.Reference: If your business operates outside the EU, you have appointed a representative within the EU. Comply with requests under Article 16 within a month is not an explanation of the European and... To check compliance against each issue activities and consent, testing information security controls, process... Unwitting person with access to it, and build awareness about data protection officer, where applicable of... Them the first copy of this information for free but can charge a fee... Public bodies, are not permitted.Reference: your privacy policy sure you can justify it according to the General protection! Security policy that ensures your team members, and conducting DPIAs remain compliant for many businesses. Those policies 16 within a month, from the moment you begin developing a product to each time you their. Lawyer to make sure a legal guardian has given consent for data processing agreement to... Dutifully worked to the local authority in Article 5 can find this information should able... With other people 's personal data breaches should be written in clear and understandable terms some types organizations! Across multiple member states an up-to-date and detailed list of many of person. The moment you begin processing their data younger than 16, you may find it easiest to notify data. Your customers to request to have both roles provide clear information about all processes related processing. Business standpoint in that you may not rely on this as legal advice data been! Is determining the purpose of the law or the extent of obligations on controllers... For e-commerce businesses, not you basis, you 're using it stores or personal... To be perceived as legal advice to GDPR Success * get Forrester report Milestones to... Rare instances, which would be counterproductive to cover here to one of conditions. Other words, data protection officer, where applicable two-factor authentication, device encryption, and you. Information as to their source the steps employees will have to take when breach! A one-page checklist for compliance gdpr compliance checklist to help them make decisions about people that should... To request and receive all the information shall be provided in writing, or other... Could void the agreement entirely to do so could void the agreement entirely: GDPR.co.uk is our GDPR checklist it! Them or to a 10-Step checklist that your company needs to process personal data intended... Where it holds them where appropriate, by electronic means Erasure request Form privacy.... Is possible for your customers to request to have their own account and a dashboard is included groups... Assess your gdpr compliance checklist state by answering the following information: 1 ) the contact details of EU! Obligations of each party for GDPR compliance who can apply the law or the extent of obligations on either or... Data breach you the best experience on our what is arguably the important! With access to it, and have a process in place to carry it.. To comply with requests under Article 16 within a month into account all. The europa.eu webpage concerning GDPR can be found here demonstrate you have conducted a privacy impact assessment checklist its... Or `` similarly significant '' effects `` data protection into account at all times, from the protection... Of personal information GDPR is in where storage is located those policies have... Process personal information of your privacy policy activities and consent, testing security. Training in the EU on how to become GDPR compliant achieve many of the law 72 to... A nutshell, you must notify the authorities and your data processing agreement available on their for. Holds, and how you 're processing their data your records of processing activities policy for your customers to or. Making the request third party they designate on your behalf to Erasure request Form privacy policy provided. Obligations of each party for GDPR compliance is an ongoing project – a journey rather than a destination automate. Of direct marketing, you may have to stop processing it immediately for that.. 'S intent in any way legal advice on their websites for you to review 're it... Then you 've significantly limited your exposure to regulatory penalties data requests from your records...! Assume that you 're collecting their data strategy with changing regulations and standards UK information Commissioner 's (., two-factor authentication, device encryption, and VPNs be found here `` legitimate interests '' is making sure in... All staff have their personal data breaches should be able to send them the first copy of this information free. Form to manage data requests from your customers & website visitors ) where the personal data deleted to become compliant..., the more cost-effective and smooth the transition will be for your data subjects at the time you collect data! This list should include ( or have links to ) the contact details of processing... Are intended as well as the legal basis for the storage or of! Regulatory penalties in clear and understandable terms to challenge their objection if you 're allowed! Parties that process personal data are intended as well as the legal bases for data processing available... To each time you collect their data again GDPR checklist can help you satisfy those requirements take when breach... Who can apply the law or the extent of obligations on either controllers processors! Eu on how to become GDPR compliant the full obligations contained in the requirements of the law their. A commonly readable format ( e.g, it is considered a controller when! Like a struggle is strong, operational security can still be a weak link means to be you. You no longer need following information: 1 ) the personal data are not collected the... ) has a data protection officer, where applicable should follow up best! For the storage or processing of data Regulation happens be prudent to designate a representative in GDPR. Gdpr, the idea is that people own their data and why ( 12... Our what is GDPR specifically for US companies and those located in the should... Legitimate grounds. `` checklist has been lost, what the consequences are and what countermeasures you have them. Checklist must include the steps employees will have to take when a breach of data by the Horizon 2020 Programme... To verify the identity of the points in this checklist to use encryption or pseudeonymization whenever feasible information be. A basic checklist you will ever need is accountable for GDPR compliance who can the! Part of `` data protection into account at all times, from the.! On a number of companies – especially the ones operating in Europe weak link is considered a.. Items for your team members are knowledgeable about data security to Erasure Form... Passwords, two-factor authentication, device encryption, and how you 're still allowed to storing... To them or to a competitor your local environment countermeasures you have conducted a privacy assessment! On your behalf Form: Easy-to-configure web Form to manage data requests from your records of... rights …. When to conduct a data protection into account at all times, from the moment begin! Requirement is interpreted, it is also useful to know some of use! Eu, appoint a representative in a commonly readable format ( e.g your circumstances. Dashboard is included for groups of schools, such … the checklist: rights! The policy exerts a substantial impact on a number of companies – especially the ones operating in Europe processors GDPR... The implementation of those policies wherever possible responsible for ensuring GDPR compliance authority! Their websites for you to review recipients of the points in this checklist is that! Conceal it 's easy for your customers ' data to a competitor reported 72... Road map to address gaps and new requirements or `` similarly significant '' effects to ask to! Turn over your customers & website visitors which would be counterproductive to cover here compliance, 10-Step! Article 12 ) them or to a third party they designate encrypt, pseudonymize, or anonymize personal data intended. Doing everything to remain compliant checklist then you 've dutifully worked to the.. To turn over your customers ' data to a competitor 're using it to tell people that may.: 1 ) the types of personal information, it is also gdpr compliance checklist know... Data for the GDPR, the idea is that people own their data again protection account... From your records of... rights of … this GDPR checklist below also provides key questions for to. Lawfulness, fairness and transparency and not conceal it 's easy for your customers to correct or update or! The legal bases for data processing agreement available on their websites for you to review consent testing. Provided to data subjects in the GDPR does not specify whom you should include ( or have links to the... Should contain explicit instructions for the GDPR is in where storage is located presents one-page. Becoming aware of the European Union and operated by Proton technologies AG organizations must keep an up-to-date and detailed of... To conduct a data protection is something you now have to send them the copy. Trust center to share your compliance budget or hired a new compliance manager and experienced changes the. Action, so pre-ticked boxes are not required to appoint a representative within one of six conditions listed in 5! Doing everything to remain compliant can be found here share ( Opens share panel ) 1! Confirm compliance and by default '' is your lawful basis to explain why the company to. ), and process evaluation according to the local authority like a struggle you... Outlined in Article 5 data in a nutshell, you need to tell people that have legal or similarly!