GDPR Compliance Checklist
Have you already heard the abbreviation GDPR? It seems to be a new buzzword floating around the business world, but what does it mean?
The definition in Wikipedia says that the General Data Protection Regulation (GDPR) (EU) 2016/679 is “a regulation in EU law on data protection and privacy for all individuals within the European Union”. The Regulation refers both to the use of personal data inside the EU and the export of personal data of EU residents outside the union.
The primary aim of the GDPR is to return control over their personal data to citizens and residents. Another aim is to unify data protection regulation within the EU and, thus, to simplify the regulatory environment for international business. The GDPR takes effect on May 25, 2018 and will replace the outdated 1995 Data Protection Directive (Directive 95/46/EC).
What Will Be the Impact of the New General Data Protection Regulations (GDPR)?
The new Regulation requires GDPR compliance from companies not only located within the EU, but also from the ones located outside the EU which process and hold personal data of EU residents, even if those companies don’t have a business presence in the EU.
Do you remember the recent Facebook scandal which hit 87 million users of this network and led to the collapse of public trust in it? The BBC has been told that about 1.1 million of them are UK-based. Another media source, The Guardian, suggests this data-mining scandal is a symptom, not a cause, of the problems. The problem is that today’s digital world needs to tighten up controls over personal data, which is ultimately the aim of GDPR.
The GDPR itself includes 11 chapters and 91 articles setting out the rights of individuals and obligations placed on organizations covered by the regulation. The key GDPR compliance requirements concerning data protection include:
The consent of subjects is required for data processing
Collected data must be anonymized to protect privacy
Data breaches must be notified in a very short time period
Safe handling of data across borders
Certain companies are required to appoint a data protection officer to control GDPR compliance
What Type of Privacy Data Is Protected by GDPR?
The official website eugdpr.org says that personal data includes “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address”. According to CSO, the new Regulation protects both personal and sensitive personal data:
Basic identity information such as name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Health and genetic data
Racial or ethnic data
Political opinions and religious views
Trade union membership
What Is GDPR Compliance in Specific Numbers?
28 EU States will have identical laws with unified standards.
7 Core Data Subjects Rights are protected under GDPR, including the right to be informed, right of access, right to rectification, right to erasure (also known as the right to be forgotten), right to restrict processing, right to data portability and right to object (Articles 17 & 18).
2-4 Percent of a company’s total global turnover (or 10 or 20 million euros, whichever is greater) is the level potential fines for non-compliance with GDPR can reach (Article 79).
72 Hours are given to notify EU authorities of a data breach, including associated details.
27k DPOs (or Data Protection Officers) are needed - this is the estimated number just for Europe, as Article 35 of the Regulation requires that certain companies appoint data protection officers. Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance. DPOs are also required to report to Supervisory Authorities (SA) and data subjects. Taking into account possible conflicts of interest, IT specialists and marketing staff aren’t the best choices for DPO.
150+ Requirements included in GDPR refer to governance, policies, processes, and technology.
1 Opportunity to improve your company’s personal data management practices and policies and to make your customers feel safer and more protected.
What Will Be the Impact of GDPR on the Digital World?
As we already mentioned, the GDPR replaces the 1995 Data Protection Directive, which was adopted long before the Internet became a real online business hub. It is obvious that the outdated directive cannot address all the ways data is stored, collected and transferred today.
The new Regulation impacts almost every company in the world dealing with personal data of EU citizens. Thus GDPR compliance for US companies is also required. It should be mentioned that becoming a GDPR-compliant company is more than a matter of checking the options and ticking a few boxes in a checklist. The Regulation requires compliance with its data processing principles, among them a risk-based approach to data protection and appropriate policies and procedures in place to maintain the transparency, accountability and individual rights provisions.
What Does It Mean for U.S. Companies?
They will have to change the way they process, store, and protect personal customer data. The key distinction of the new Regulation is that companies will be allowed to store and process personal data only after getting consent from individuals. According to EUGDPR.org, “the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.” Moreover, companies are now allowed to store personal data no longer than is necessary for the purposes for which the personal data are processed.
The Regulation also provides the data portability requirement, which means the right of a data subject to receive his/her personal data, which have been previously provided, in a ‘commonly used and machine-readable format’. This also means that a data subject has the right to transmit that data to another personal data controller. In simple words, personal data must be portable from one company to another and it must be erased upon request.
You should take into account that there are some exceptions to the right to be forgotten, some of which concern the healthcare industry, as GDPR does not supersede requirements imposed by law to maintain certain data, including HIPAA requirements concerning health records.
To facilitate preparation for the new Regulation, which comes into effect very soon, a GDPR compliance checklist is very helpful.
Checklist for GDPR Compliance
How can you check if your company must comply with the GDPR? The European ICO (Information Commissioner’s Office) has created a 12-step guide which can help a company’s senior management prepare for GDPR enforcement.
In short, this guide recommends that you:
1. Learn about the GDPR and make all stakeholders aware of the new rules. The stakeholders should include not only IT personnel, but also the marketing, finance, sales and operations departments: every part of the company that collects, analyzes, or otherwise makes use of personal information provided by customers.
2. Assess the information your company holds and the risks related to it. Outline the measures to mitigate the risk and uncover any shadow IT which can collect or store personal data of EU citizens.
3. Review privacy notices to make them compliant with the consent requirements of the Regulation.
4. Check the procedures used by your company to make sure they take into account all the individual rights provided by GDPR.
5. Check if your procedures comply with the time frames provided by GDPR for notices. Do you still remember the 72-hour rule?
6. Check your lawful basis for processing personal data. Remember that consent by default doesn’t work any more! According to the itgovernance.eu website, you can collect and process data on the following legal grounds: a contract with the individual; compliance with a legal obligation; vital interests; a public task; or legitimate interests.
7. Check all procedures and requests relating to consent. Make the consent forms you use compliant with GDPR requirements.
8. Check the consent requirements for children. Check if you need to verify the age of data subjects and obtain parental or guardian consent for data processing.
9. Check if you have the necessary tools to identify, report and investigate data breaches.
10. Check if your data protection system is in line with a privacy-by-design approach.
11. Appoint Data Protection Officer(s) responsible for data protection compliance.
12. If your company operates in more than one EU state, determine your lead data protection supervisory authority for reporting purposes.
Of course, if you need help, find a reliable partner or an outsourcing company to help you with the preparations for GDPR.
The professionals of Archer Software will gladly provide you with advice and technical expertise to help you through and streamline the compliance preparation process. You can contact us 24/7 to get professional advice and outline the technical requirements you need to ensure compliance with GDPR.