The General Data Protection Regulation (GDPR) requires compliance. It accounts for all the data protection responsibilities that your organisation needs to consider. It is essential to consider all aspects of the GDPR and be able to understand your role in it. It will impact those who are controllers of data and those who are processors of data. Here is a vital GDPR checklist to help understand the compliance needed for customers or prospects.
Your GDPR checklist
1. Conduct a data audit
It is important to be fully aware of the way data is used in and around your business. Information audits are a way of gaining in-depth knowledge about data and of identifying risks. The risks may include how, how long, and where information is held or transferred. An audit can also categorise the data and determine any sensitive information. Think of it like producing a map of data flows and highlighting strengths and weaknesses that help your business.
2. Keep a record
Keeping a record of the data is crucial. There need to be well-maintained reports detailing processing activities. This will allow GDPR compliance to be managed efficiently. Completing an Information Asset Register is wise. This details the assets, what they do, locations, owners, access, retention, and other aspects of data protection.
3. Understand the law
Be aware of the lawful basis for the personal data that you process. The majority of the lawful bases for processing data require the processing to be deemed necessary. If you can achieve the job without processing the data, then it is not considered a necessity. If the purpose of handling the data changes, make sure this complies with the regulation.
4. Ensure consent
Make sure you know the consent process, and how you request permission. Consent is vital as it is a legal requirement. The permission for data needs to be obvious, clear, and in a place that is apart from your terms and conditions. Consent must be via an affirmative opt-in method, and easy to understand. The individuals whose data you are handling need to know precisely what will happen to it and that withdrawal is allowed at any time.
5. Make withdrawing records easy
Keeping records of consent helps to meet high GDPR standards. Records will often have to include how you obtain consent, and when. As well as this, organisations should implement regular reviews of approval to make sure it is still appropriate. It should be easy to withdraw consent, and you should act on withdrawals promptly. No one should feel as though he or she cannot remove consent.
6. Show your commitment to privacy
Privacy notices should be prominent, and readily available. This allows the individual whose information is being controlled to know who has their data, why, and what will happen to it. Privacy notices need to be in a language any individual can understand, and in a place that is easily accessible.
Queries about data protection need to be answered quickly, with a procedure in place to deal with them. It is recommended to have timescales for responses, and training for staff to be able to manage responses and meet the needs of the data owner.
7. Data disposal
Allow for a method of removal and deletion. Make sure that there is a process in motion for the elimination of information when the time for retaining the records is over. It is helpful to set up a procedure for information deletion requests, and those who will assist in the disposal of the data. The contract must include measures for this.
8. Review your policy
Your business must hold, monitor and review a thorough data protection policy. This will allow for security maintenance, and show whether the policy is being implemented efficiently. The plan needs to be managed, published, and distributed to all of its staff. It will need to be reviewed to make sure it is still relevant and is still an effective policy.
9. Perform a DPIA
As well as your policy, you should review your data collection and storage. This will identify ways of reducing the amount of data that needs collecting and processing. This may also include a review of how the process takes place, and whether any features of the process need to be updated or require further analysis. Performing a Data Protection Impact Assessment (DPIA) will help minimise the privacy risks that you could avoid when processing unnecessary information. Hefty fines can be a result of a poorly conducted DPIA.
10. Appoint a DPO
Assign a Data Protection Officer (DPO), and train staff in the necessary aspects of the GDPR. The DPO will have to have communication with the business's Information Commission Officer (ICO). This individual will be responsible for the designation of data protection accountability.
Awareness of information security must be upheld at all times, with careful consideration of all aspects of risk. This will include issues such as data sharing abroad, for example in and around the European Economic Area, as well as reviewing and managing the security within the technology itself.
Get your checklist ticked
If your business needs support with getting GDPR off the ground, then speak to the experts at Cyan Solutions who can help to prepare your business and help you to achieve GDPR compliance. For friendly, professional advice, get in touch with the team today.