09 May GDPR Checklist
The GDPR (General Data Protection Regulation) is an EU regulation that will come into effect from 25 May 2018, replacing the 1995 Data Protection Directive. Unlike a directive, a regulation applies directly in every member state without national implementing law. It requires organisations to have policies and procedures in place to protect the personal data of individuals in the EU, and it applies to any organisation that processes such data, whether or not it is established in the EU. Below is a checklist designed to assist organisations in complying with the GDPR.
Awareness
All employees, whether IT staff, executives, general administrators, consultants, sales and marketing staff, human resource managers or, of course, compliance officers, must be aware of what the GDPR requires of them and of the potential consequences should the organisation fail to comply (administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher).
Analysis of Personal Data
Make an inventory of all personal data you store and process (not only data you consider sensitive; special category data such as health, biometric or political data simply carries stricter rules), and ask the following questions about each category:
Why are you storing the data, and what is your lawful basis for processing it?
Where did you get the data from?
What was the purpose for which the data was obtained, and is it still used only for that purpose?
How long will you store the data, and when is it deleted?
How is the data secured, both at rest and in transit?
Is the data encrypted or pseudonymised?
Who can access the data, and is that access logged?
Will you be sharing the data with third parties or transferring it outside the EU?
What is the purpose of sharing the data, and is there a contract with the recipient covering it?
Communications
Communicate clearly with both service users and staff members. Invest time in developing a clear, intuitive privacy notice that tells users what data you are collecting, why you are collecting it, the lawful basis you rely on, how long you will keep it and with whom you will share it.
Review Procedures
Ensure that you have a suitable privacy policy in place. Review the policy to make sure that all data subject rights are accounted for, including access, rectification, erasure, restriction, portability and objection, and that there are working procedures for how data is processed and removed when a request is received (the GDPR generally allows one month to respond).
Access Rights
Make a list of which access rights should be granted and to whom, following the principle of least privilege so that staff can reach only the personal data their role requires. Put a plan together detailing how a change in access rights (new starters, role changes, leavers) should be handled and reviewed.
Check the Small Print
Make sure that you carefully read and understand the GDPR small print, including the definitions of controller and processor. You will need this understanding to identify the legal obligations that apply to the types of data you store and process and to the role your organisation plays.
Customer Consent
Where consent is the lawful basis you rely on, you will need to make sure that users have given consent that is freely given, specific, informed and unambiguous, covering the processing described in your privacy policy. Pre-ticked boxes and silence do not count, and withdrawing consent must be as easy as giving it. Keep a clear record of what each user consented to, when, and how, so that you can demonstrate it if asked.
Children’s Data
If you are processing information that belongs to children, you must consider whether the child is old enough to give valid consent to the terms of your organisation’s privacy policy. For online services offered directly to a child, the GDPR sets the age of consent at 16, which member states may lower to no less than 13. Below that age you will need to obtain consent from the child’s parent or guardian and make reasonable efforts to verify it, which in practice means having a way to establish the subject’s age before processing their information.
Data Breaches
You must implement a procedure for handling personal data breaches. You must be able to detect, report and investigate any breaches that occur: a breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it, and where the risk is high the affected individuals must be informed without undue delay. Keep an internal record of every breach, including those you decide not to report, along with the reasoning.
Impact assessments
Under the GDPR, organisations must carry out a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, for example large-scale processing of special category data, systematic monitoring of public areas, or profiling with legal effects. A DPIA is a process for determining the potential impact that a processing activity may have on data privacy. It requires the organisation to describe the processing, assess its necessity and proportionality, and analyse the “origin, nature and severity” of the risk to data subjects’ rights, together with the measures that will be taken to address that risk.
Data Protection Officers (DPOs)
Under the GDPR, an organisation must designate a DPO if it is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special category data or data relating to criminal convictions. Other organisations may appoint one voluntarily. The DPO can be an employee or an external contractor, must be able to act independently, and must report to the highest level of management. The role of the DPO is to advise on and monitor data protection policies, audit data processing operations, ensure that all staff members are trained to comply with the GDPR, and act as the contact point for data subjects and the supervisory authority.