So, the deadline for GDPR is just about upon us. We’d humbly suggest any big IT projects needed to ensure you comply should be complete by now. But there are still a few last minute things that are worth reviewing. And we thought it would be handy to give you a bit of a checklist to rattle through before May 25th bears down upon us all.
What are the fundamentals to always bear in mind?
Accountability
GDPR is primarily focused on putting the onus on entities to protect the personal data they store and use. For that onus to be meaningful, however, the regulations set out that an entity has to also be able to prove they are protecting it. This means:
- Keeping records of all processing activities
- Detailing reasons for each process
- Being able to show the relevant security and confidentiality processes are in place
Are you now able to show accountability?
Impact assessment
One of the methods of illustrating you take your accountability seriously is via Data Protection Impact Assessments (DPIA’s). For every data processing activity that takes place in your organisation that could impact on the privacy of an individual, you need to carry out a DPIA. And then make adjustments to your operation according to the outcome of that assessment.
Do you have a DPIA process in place?
Privacy by design
Privacy by design is the mantra of GDPR. Protection of an individual’s privacy has to be the foundation stone of every new process, procedure, and system change. This means the volume of data, storage of data, and use of data all have to be minimised where possible, as well as be consented to and secure. Plus, any automatic profiling that may take place perhaps via cookies that track, analyse and predict an individual’s interests or activities needs to be compliant.
Does your organisation now have a culture of privacy by design?
Data security
If privacy by design is the foundation stone of GDPR, security is one of its key components. If you don’t handle personal data securely on every level you will never be compliant. Rigorous cybersecurity, regular workforce training, and an embedded culture of data protection, is key to ensuring your data security policies and actions are successful.
Is all your data now secure?
ACTION CHECKLIST
Have you carried out a final personal data audit?
You’ll know by now that for the purposes of GDPR ‘personal data’ is any information that relates to a living Individual. That’s quite broad, and it includes noted opinions as well as facts. So you need to know what you hold to be able to meet your accountability obligations and be compliant.
Do you know what data you hold and where?
Have you done a final review of your third party contracts?
The focus here is on agreements you have with suppliers, contractors, or data processing third parties you share information with. Are they up to speed with this checklist too? Because if they aren’t, you may need to put a hold on sharing data with them.
Are data processing third parties with you on this GDPR curve?
Have you completed a final review of your data protection and privacy policies?
Your data protection and privacy policies (often displayed on a company’s website) need to be GDPR compliant. What was acceptable before will no longer be good enough come the end of May.
Are your policies compliant?
Have you ensured relevant personnel are aware of their responsibilities?
Do all members of staff who process data, or who control data, understand their role in achieving GDPR compliance? This is on both a legal and operational level. Check, and evidence that check. Plus, certain organisations are going to need to have an appointed data protection officer. If your company processes large amounts of sensitive data, this is certainly the case. Check, and put one in place if required.
Do you have the right personnel in place?
Overall, can you demonstrate compliance?
At the end of the day, if your set up is compliant, and you can demonstrate this compliance, then you’re done… with the preparation. You can pat yourself on the back. Mind you, you can’t now just relax and let it all happen, of course, because that’s not what GDPR is about, it’s about achieving and maintaining compliance.
