Want to improve your GDPR readiness? Look no further: this checklist walks you through some of the essential implementations needed for GDPR compliance.
The General Data Protection Regulation (GDPR) is a European Union law that took effect in 2018 and requires organizations to safeguard personal data (protect it, encrypt it and, in some cases, not store it at all) and to uphold the privacy rights of anyone in EU territory.
We want to remind you that this checklist is not in any way legal advice. There are various provisions in the GDPR that apply only in rare instances, which aren’t covered here. You should consult with a lawyer to make sure your organization fully complies with GDPR. This document isn’t legal advice or a defined GDPR approval.
The regulation includes various principles of data protection that must be implemented and privacy rights that must be addressed. It also empowers government-level data protection authorities to enforce GDPR with sanctions and fines. GDPR replaced the 1995 Data Protection Directive, which created country-by-country directives and data protection laws. The GDPR, passed in the European Parliament, unifies the requirements and creates an organized framework.
The UK GDPR (as an example) sets out seven key security, data protection and privacy principles:
Lawfulness, fairness and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
These principles should guide your organization when processing client and employee personal data.
The following is a non-exhaustive list of questions that will assist you with advancing GDPR within your organization.
Has your organization conducted a data audit to determine what client data or personally identifiable information (PII) you process/hold/save, within which systems, with which vendors, and who has access to it?
Under GDPR, organizations are required to conduct a data audit to determine what client data or personally identifiable information (PII) they process, hold, or save, and to identify which systems and vendors this information is stored in. The audit should also identify who has access to this data and for what purpose. The purpose of the data audit is to ensure that organizations have a clear understanding of the personal data they hold and are able to protect it in compliance with GDPR requirements. This includes ensuring that the personal data is processed lawfully, fairly, and transparently, and that individuals can exercise their rights to access, correct, and delete their personal data as required by GDPR.
Do you have a well-defined client Privacy Policy on your website or client-facing application/system?
Under GDPR, organizations are required to have a well-defined client Privacy Policy that is easily accessible and transparent to clients. This policy should clearly outline what personal data is being collected from clients, how it is being used, and who it is being shared with, if anyone. The policy should also explain the client's rights under GDPR, including the right to access, correct, and delete their personal data.
The Privacy Policy should be prominently displayed on the organization's website or client-facing application/system and be written in clear and concise language that is easy for clients to understand. The policy should also be regularly reviewed and updated as necessary to ensure that it accurately reflects the organization's data processing practices and compliance with GDPR requirements.
Under GDPR, organizations are required to implement appropriate technical and organizational measures to ensure the security of personal data, including the use of encryption where appropriate. This includes encrypting all client/PII data both at rest and in transit.
Encryption is a method of encoding data in such a way that only authorized parties with the correct decryption key can access the information. By encrypting client/PII data, organizations can ensure that even if the data is intercepted or stolen, it cannot be accessed without the decryption key.
Encryption should be implemented for all types of client/PII data, including data that is stored on servers or in databases (at rest), as well as data that is transmitted over networks or the internet (in transit).
Under GDPR, organizations are required to ensure that personal data is processed in a manner that ensures appropriate security, including the prevention of unauthorized access to personal data. One way to achieve this is by auditing all access to client/PII data.
Auditing access to client/PII data involves monitoring and recording all instances of data access, including who accessed the data, when, and for what purpose. This allows organizations to identify any unauthorized access or potential security breaches and take appropriate action to prevent them from occurring in the future.
Auditing can be done using a variety of methods, such as access logs, audit trails, or specialized software tools that monitor access to sensitive data. Organizations should also implement appropriate access controls, such as role-based access, to ensure that only authorized personnel have access to client/PII data.
Beyond auditing access to client/PII data, a further way to meet GDPR's requirement to prevent unauthorized access to personal data is to centralize the resulting audit logs and alerts in one place/system.
Centralizing audit logs and alerts involves collecting all audit logs and alerts from various systems and applications used by the organization and storing them in a centralized location or system. This allows for easier monitoring, analysis, and reporting of all access to client/PII data, as well as faster identification and response to security incidents.
Organizations can use various methods to centralize audit logs and alerts, such as using a Security Information and Event Management (SIEM) system, a log management tool, or a specialized software solution that collects and aggregates audit logs from different systems and applications.
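As an added example (not code from the checklist), the following Python records each access to client/PII data as a structured audit event, in the who/when/whose data/why form described above, and runs a review pass over the collected events of the kind a SIEM or log management rule would run. The role matrix, the business-hours window and the log lines are constructed for illustration.

```python
"""Added example, not from the checklist: structured audit events for
client/PII access plus a review pass a central log system could run.
The role matrix and sample log lines are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical role-based access matrix: data categories a role may read.
ROLE_ALLOWED = {
    "support": {"contact"},
    "billing": {"contact", "payment"},
    "dpo": {"contact", "payment", "health"},
}

# Constructed audit lines, one per access, in key=value form so they can be
# shipped to a log management tool or SIEM unchanged.
SAMPLE_LOG = """\
ts=2024-03-04T09:12:03Z user=alice role=support subject=c-1001 category=contact purpose=ticket-4412
ts=2024-03-04T09:15:44Z user=bob role=support subject=c-1002 category=payment purpose=ticket-4419
ts=2024-03-04T02:40:10Z user=carol role=billing subject=c-1003 category=payment purpose=invoice-77
ts=2024-03-04T10:01:00Z user=dave role=billing subject=c-1004 category=contact purpose=
ts=2024-03-04T10:02:00Z user=erin role=dpo subject=c-1005 category=health purpose=sar-31
"""

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime   # when (UTC)
    user: str      # who
    role: str      # under which role
    subject: str   # whose data (client identifier)
    category: str  # which kind of PII
    purpose: str   # why; empty means the application recorded no purpose

def format_line(e: AccessEvent) -> str:
    """Serialise an event in the key=value form used above."""
    return (f"ts={e.ts.strftime('%Y-%m-%dT%H:%M:%SZ')} user={e.user} role={e.role} "
            f"subject={e.subject} category={e.category} purpose={e.purpose}")

def parse_line(line: str) -> AccessEvent:
    """Parse one key=value audit line; field values contain no spaces."""
    f = dict(kv.split("=", 1) for kv in line.split())
    ts = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AccessEvent(ts, f["user"], f["role"], f["subject"], f["category"], f["purpose"])

def load_events(text: str):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def review(events, business_hours=(8, 18)):
    """Return (finding, user, subject) triples a reviewer should look at:
    reads the role is not permitted, reads with no recorded purpose, and
    reads outside the constructed business-hours window."""
    findings = []
    for e in events:
        if e.category not in ROLE_ALLOWED.get(e.role, set()):
            findings.append(("role-not-permitted", e.user, e.subject))
        if not e.purpose:
            findings.append(("missing-purpose", e.user, e.subject))
        if not business_hours[0] <= e.ts.hour < business_hours[1]:
            findings.append(("outside-business-hours", e.user, e.subject))
    return findings

if __name__ == "__main__":
    for finding in review(load_events(SAMPLE_LOG)):
        print(*finding)
```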
Does your organization enforce the use of strong authentication (multi-factor authentication) when accessing client/PII data?
Under GDPR, organizations are required to implement appropriate technical and organizational measures to ensure the security of personal data, including the use of strong authentication when accessing client/PII data.
Strong authentication, also known as multi-factor authentication (MFA), is a security mechanism that requires users to provide two or more forms of authentication before being granted access to client/PII data. This can include something the user knows, such as a password, something the user has, such as a token or smart card, or something the user is, such as a biometric factor like a fingerprint or facial recognition.
Enforcing the use of strong authentication when accessing client/PII data helps to prevent unauthorized access, particularly in cases where a user's password or other authentication credentials have been compromised. MFA can also help to reduce the risk of phishing attacks and other forms of social engineering by requiring additional authentication factors beyond just a password. Organizations can implement MFA using various methods, such as using a security token, a smart card, a mobile app, or biometric authentication.
Does your organization delete client data that isn't needed, that is, data not required by regulations/laws and not needed for your ongoing operations?
Under GDPR, organizations are required to ensure that personal data is processed in a manner that is necessary and relevant for the purposes for which it was collected. This includes the obligation to delete client data that is no longer needed for its intended purpose.
Deleting client data that is no longer needed is an important aspect of GDPR compliance, as it helps to minimize the risk of data breaches, protect client privacy, and ensure that personal data is not retained longer than necessary.
Organizations should establish clear policies and procedures for data retention and disposal, including identifying when data is no longer needed and setting appropriate retention periods. They should also ensure that client data is securely deleted using appropriate methods to prevent unauthorized access or retrieval.
Does your organization have a written, internal data protection and privacy policy document?
Under GDPR, organizations are required to have a written data protection and privacy policy document that outlines their approach to protecting personal data and ensuring compliance with GDPR requirements. This policy document serves as an internal policy that sets out the principles and rules that the organization follows when processing personal data.
The data protection and privacy policy document should cover various aspects of GDPR compliance, such as data protection principles, data subject rights, data retention and disposal, data security measures, data breaches, and third-party data sharing. The policy document should also define roles and responsibilities for ensuring GDPR compliance and provide guidance on how to handle personal data in a manner that is consistent with GDPR requirements.
Organizations should ensure that the data protection and privacy policy document is regularly reviewed and updated to reflect changes in GDPR requirements or changes in the organization's data processing activities. They should also ensure that all employees and third-party vendors who handle personal data are trained on the policy and understand its contents.
Does your organization conduct ongoing data protection impact assessments (privacy impact assessments) within its various functions and environments?
Under GDPR, organizations are required to conduct Data Protection Impact Assessments (DPIAs), also known as Privacy Impact Assessments (PIAs), in certain situations where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
DPIAs involve a structured process for identifying and assessing the potential risks to the rights and freedoms of individuals, and for implementing measures to mitigate those risks. The process typically involves:
Identifying the processing activities that involve personal data.
Assessing the necessity and proportionality of the processing activities.
Identifying the potential risks to the rights and freedoms of individuals.
Evaluating the measures that can be taken to mitigate those risks.
Documenting the DPIA process and results.
Does your organization conduct ongoing audits and penetration tests to verify whether unknown/unmapped sensitive data exists and is stored in your systems?
Under GDPR, organizations are required to implement appropriate technical and organizational measures to ensure the security of the personal data they process. One of these measures is conducting ongoing audits and penetration tests to identify any unknown or unmapped sensitive data that may exist within their systems.
Audits and penetration tests are an essential part of ensuring the security of personal data. Audits involve a systematic review of an organization's systems and processes to identify any vulnerabilities or weaknesses that could be exploited by attackers. Penetration tests involve attempting to exploit these vulnerabilities and weaknesses to gain unauthorized access to sensitive data.
By conducting ongoing audits and penetration tests, organizations can proactively identify any potential security weaknesses or vulnerabilities that may exist within their systems and address them before they are exploited by attackers. This helps to ensure the security of personal data and demonstrate GDPR compliance.
Do you know who the Data Protection Supervisory Authority is in your country? Do you have the contact details?
Under GDPR, each EU member state is required to designate a Data Protection Supervisory Authority (DPSA) to oversee and enforce GDPR compliance within that country. The DPSA is responsible for ensuring that organizations comply with the GDPR, investigating complaints and breaches of GDPR, and imposing penalties for non-compliance.
It is important for organizations to know who their DPSA is and have their contact details readily available in case of any GDPR-related issues or concerns. The contact details for the DPSA can typically be found on the DPSA's website or through a simple online search.
To find out who your DPSA is and their contact details, you can visit the website of the European Data Protection Board (EDPB), which provides a list of all DPSAs in the EU and the contact details for each.
Does your organization have a process in place to notify the authorities and your data subjects (clients) in the event of a data breach?
Under GDPR, organizations are required to have a process in place to notify the authorities and data subjects (clients) in the event of a data breach. The purpose of this requirement is to ensure that individuals are informed of any breaches that may affect their personal data, and that appropriate action can be taken to mitigate any harm.
When a data breach occurs, organizations should conduct a prompt and thorough investigation to determine the scope and impact of the breach. If it is determined that the breach is likely to result in a risk to the rights and freedoms of individuals, the organization must notify the relevant Data Protection Supervisory Authority (DPSA) without undue delay, and no later than 72 hours after becoming aware of the breach.
The notification to the DPSA should include details of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to be taken to address the breach and mitigate any harm. In addition to notifying the DPSA, organizations must also notify the affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms. The notification to data subjects should include details of the nature of the breach, the likely consequences, and the measures taken or proposed to be taken to address the breach and mitigate any harm.
Does your organization have a designated person that’s responsible for GDPR compliance and management?
Under GDPR, organizations are required to appoint a Data Protection Officer (DPO) if they process large amounts of personal data or sensitive data on a regular basis, or if they are a public authority or body. The DPO is responsible for overseeing the organization's data protection activities and ensuring compliance with GDPR requirements.
Even if an organization is not required to appoint a DPO, it is still recommended to designate a person or team to be responsible for GDPR compliance and management. This person or team should have the necessary knowledge, skills, and authority to ensure that the organization is compliant with GDPR requirements and able to respond to any GDPR-related issues or concerns.
The responsibilities of the designated person/team may include:
Developing and implementing GDPR policies and procedures
Conducting data protection impact assessments
Managing data subject requests and complaints
Providing GDPR training and awareness to employees
Monitoring and auditing GDPR compliance
Reporting to senior management on GDPR compliance and risks
Does your organization have defined, updated and signed Data Protection Agreements (DPA) with all vendors that process/hold/save your client and/or any PII?
Under GDPR, organizations are required to have Data Protection Agreements (DPA) with any third-party vendors that process, hold or save personal data on their behalf. These agreements are necessary to ensure that the vendors are also compliant with GDPR requirements and that personal data is adequately protected.
A DPA is a legally binding document that outlines the responsibilities of the vendor in relation to data protection and sets out the terms and conditions for the processing of personal data. It typically includes clauses regarding data security, confidentiality, data protection breaches, and the vendor's obligations to cooperate with the organization in relation to GDPR compliance.
Can your clients request and receive all the data you hold about them, within one month for example, delivered in a secure/encrypted way?
Under GDPR, individuals have the right to request access to their personal data that is held by organizations. This is known as the right of access or the right to a subject access request (SAR). The SAR allows individuals to obtain a copy of their personal data and to check that the organization is lawfully processing their data.
As part of the SAR, organizations are required to provide the individual with a copy of their personal data within one month of receiving the request. The data must be provided in a secure and encrypted way to protect the individual's privacy.
To comply with the SAR requirements, organizations must have appropriate processes and systems in place to manage these requests and to respond to them in a timely manner. Failure to comply with SAR requests can result in significant fines and reputational damage for organizations.
Under GDPR, individuals have the right to request the rectification or correction of their personal data that is held by organizations. This means that individuals can request that their personal data be amended or updated if it is inaccurate, incomplete, or out of date.
To make a request for rectification, individuals must contact the organization holding their personal data and provide details of the specific information that needs to be corrected. The organization must then respond to the request within one month and take the necessary steps to rectify the data.
Under GDPR, individuals have the right to request the deletion of their personal data that is held by organizations. This is known as the right to erasure, or the "right to be forgotten".
Individuals can request the deletion of their personal data if:
The personal data is no longer necessary for the purpose it was collected
The individual withdraws their consent for the processing of their personal data
The personal data has been unlawfully processed
The personal data must be deleted in order to comply with a legal obligation
Organizations must respond to requests for erasure within one month and must take all reasonable steps to delete the personal data, unless there is a legitimate reason for retaining it (such as legal obligations).
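The retention and disposal policy described earlier and the erasure decision described here rest on the same question: is there still a basis to keep each record? As an added example (not code from the checklist), the following Python applies a retention schedule keyed by processing purpose to a set of records and decides an erasure request record by record, retaining only where a legal hold or a statutory retention period still applies. The schedule, the records and the dates are constructed for illustration.

```python
"""Added example, not from the checklist: a minimal retention sweep and
erasure-request decision. Schedule, records and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule per processing purpose:
# (days to keep after the record is last needed, statutory obligation?)
RETENTION = {
    "support-ticket": (365, False),
    "invoice": (10 * 365, True),      # kept under a tax-law style obligation
    "marketing-consent": (0, False),  # gone as soon as consent is withdrawn
}

@dataclass(frozen=True)
class Record:
    subject: str              # data subject (client) identifier
    purpose: str              # why the data was collected
    last_needed: date         # last day the data served that purpose
    legal_hold: bool = False  # e.g. pending litigation

# Constructed sample data; "newsletter-export" has no entry in the schedule.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("c-1", "support-ticket", date(2023, 1, 15)),
    Record("c-1", "invoice", date(2022, 3, 1)),
    Record("c-2", "marketing-consent", date(2024, 5, 30)),
    Record("c-3", "support-ticket", date(2022, 3, 1), legal_hold=True),
    Record("c-4", "newsletter-export", date(2020, 1, 1)),
]

def retention_expired(rec: Record, today: date) -> bool:
    """True once the purpose-specific retention period has elapsed."""
    days, _ = RETENTION[rec.purpose]
    return today >= rec.last_needed + timedelta(days=days)

def retention_sweep(records, today):
    """Return (records to delete, records with no retention period defined).
    Unknown purposes are reported rather than silently kept: they are the
    unmapped data a data audit should surface."""
    to_delete, unmapped = [], []
    for rec in records:
        if rec.purpose not in RETENTION:
            unmapped.append(rec)
        elif not rec.legal_hold and retention_expired(rec, today):
            to_delete.append(rec)
    return to_delete, unmapped

def erasure_decision(rec: Record, today: date) -> str:
    """Decide one record of an erasure request: delete, or retain with reason."""
    if rec.legal_hold:
        return "retain:legal-hold"
    if rec.purpose in RETENTION:
        _, statutory = RETENTION[rec.purpose]
        if statutory and not retention_expired(rec, today):
            return "retain:statutory-retention"
    return "delete"

def handle_erasure_request(records, subject: str, today: date):
    """Apply erasure_decision to every record held about one subject."""
    return [(r.purpose, erasure_decision(r, today))
            for r in records if r.subject == subject]

if __name__ == "__main__":
    print(retention_sweep(SAMPLE_RECORDS, TODAY))
    print(handle_erasure_request(SAMPLE_RECORDS, "c-1", TODAY))
```

Records the sweep deletes still need the secure deletion method the policy prescribes; the functions only decide what must go.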
Does your website/application have the option for clients/visitors to approve/decline the use of “Cookies”?
Under GDPR, websites and applications must obtain the explicit consent of visitors before using cookies, which are small text files that are stored on a user's device and used to track their activity and personalize their experience.
Websites and applications must provide visitors with clear and comprehensive information about the types of cookies used, their purpose, and how long they will be stored on the user's device. Visitors must also be given the option to approve or decline the use of cookies.
Organizations can obtain consent through a variety of methods, such as pop-ups, banners, or settings menus, but consent must be freely given, specific, informed, and unambiguous.
Does your organization have a mapping of all plugins, applications and code that collect user data/cookies on your website and within client-facing applications?
Under GDPR, organizations must have a clear understanding of all the plugins, applications, and code that collect user data or cookies on their website or within client-facing applications. This includes identifying all third-party services and vendors that may be processing personal data on behalf of the organization.
To ensure compliance with GDPR, organizations should conduct a comprehensive data audit to identify all the systems, processes, and tools that are used to collect and process personal data. This audit should include an inventory of all plugins, applications, and code that collect user data or cookies.
Once the inventory is complete, the organization can develop a data mapping exercise to identify where personal data is stored, who has access to it, and how it is processed. This will help the organization to understand the risks associated with the processing of personal data and to implement appropriate technical and organizational measures to protect user privacy.