GDPR Compliance checklist
Use this GDPR Compliance checklist to confirm you have all bases covered. You will find more details on each of the GDPR compliance checks by following the links within.
Table of contents
- 1. Assign a Privacy Coordinator
- 4. If you set cookies, use a cookie popup
- 5. Direct Marketing must mention the source and provide an opt-out
- 6. Maintain a GDPR Register
- 8. Are you using special category data?
- 9. Review security practices
- 10. Operationalise GDPR Rights
- 11. Privacy awareness training for all staff handling personal data
- 12. Breach reporting
- 13. International considerations
- GDPR compliance summary
1. Assign a Privacy Coordinator
Our first recommendation on our GDPR compliance checklist is to get someone on point when it comes to GDPR compliance.
For smaller firms, it is highly recommended to have a colleague or specialised external firm on point to organise the firm’s GDPR compliance without calling it a DPO (to avoid the stringent requirements that go with it). Small and medium-sized firms often appoint a GDPR coordinator, and the regulator encourages firms to do so. It brings focus to the efforts while also providing the firm with a single point of contact for the outside world to turn to in case of questions or challenges.
Only organisations that operate large scale processing of personal data are required to appoint a formal Data Privacy Officer (DPO). GDPR puts explicit requirements on the DPO function in order to safeguard its independence.
One of the core requirements of GDPR is the obligation to inform data subjects about the firm’s data usage and its associated privacy position and arrangements. Only when those interacting with your firm are duly informed can they make an informed decision as to whether or not they are willing to enter into business with your firm. Just copying and pasting a privacy statement from the internet is likely to cause more harm than good. GDPR requires your communications to be specific to the way the firm operates. Boilerplate or catch-all statements and vague or overly complex legal jargon are explicitly non-compliant under the GDPR regulation.
- Clear statement of responsibilities: who is the data controller, who is the data processor and who is your key contact for GDPR
- List the processes that touch personal data e.g. client intake, invoicing, staff remuneration, newsletter etc.
- For each of the processes make sure you capture its business purpose, its GDPR legal basis and the data items used. Also, outline how long you will retain the data.
- List the processes that share personal data and whom you share data with e.g. data you share with your accountant, IT support partner etc. or through the use of cloud platforms e.g. Facebook, Mailchimp, Stripe etc.
- If your firm uses social media, make sure to warn users that social media platforms process their personal data and mention that your firm and the platform are likely to be considered joint data controllers.
- List the GDPR data rights your users have and how they can exercise those
- State how users can contact you and if needed raise a complaint with the relevant authority. Do note that the regulator recommends you establish a dedicated communication channel for all privacy related matters. So avoid reusing firstname.lastname@example.org and set up a dedicated email@example.com mailbox.
4. If you set cookies, use a cookie popup
This fourth item is what a lot of people associate GDPR with, the dreaded cookie popups!
Cookies typically save information that can be attributed to you as an individual, in other words they process your personal data. GDPR demands that all firms provide transparency on why and how your personal data is being used, and as a result, before firms can save a cookie they need to ask for your permission. These popups might feel annoying but they do give every one of us the opportunity to control what we allow and what we do not. We might, for example, not want to allow being tracked across the internet.
5. Direct Marketing must mention the source and provide an opt-out
This fifth item on our GDPR compliance checklist seems pretty straightforward but does require discipline to get right.
The first requirement here is to reveal the source of the personal information to the recipient. The personal data of the recipient was obtained either directly from the recipient or indirectly from another source. Core to the GDPR regulation is your duty to inform and to provide transparency around the processing of personal data, so the source of any personal data needs to be captured. This requires you to have the right processes and discipline in place to record the origin of personal information at all times.
At the same time, direct marketing emails must offer recipients a way to opt out of any such future communications in order to be compliant with GDPR requirements. This is typically achieved by adding an opt-out link or button at the bottom of the email so the recipient can unsubscribe from your mailing list. Most marketing platforms (e.g. Mailchimp) offer the opt-out functionality by default, so it should be very easy for you to comply with this requirement. The harder part is to ensure that those individuals no longer receive those types of communication going forward. This requires you to have the right processes and discipline in place. Do note that users who have unsubscribed and subsequently still receive similar marketing communication might very well lodge a complaint with the regulator. The regulator has already issued fines for failure to meet this GDPR requirement!
Direct marketing has been a source of annoyance for many consumers, and most national regulators have made great efforts to better inform and educate their audiences by publishing guidelines. So do check your national data privacy authority website for guidelines. As an example, you can find the guideline here for Belgium.
6. Maintain a GDPR Register
This sixth item on our GDPR compliance checklist is one the regulator will ask for if they come knocking on your door.
GDPR requires all firms to maintain a ‘record of processing activities’, often referred to as a GDPR Register. Your GDPR Register must contain a list of all processing your firm undertakes on any personal data. The personal data could be those of your customers, staff, suppliers, partners etc., and all should be included in the Register. You should maintain separate registers for those activities where you are the Data Controller and those where you are a Data Processor.
Do check your national data privacy authority website for guidelines on the format of the register and the information to be included.
Alternatively, you can join GDPRWise, where you can generate your GDPR Register in a single click once you have validated the filled-in dossier we create based on your industry sector and country of registration.
This seventh item is often overlooked, but as GDPR related challenges often arise from broken-off staff relationships, it should be firmly on your radar to get right.
8. Are you using special category data?
The eighth item on our GDPR compliance checklist makes it very clear that not all data elements are equal under GDPR.
Some data is particularly sensitive and as a result requires additional safeguards to ensure its protection. This Special Category Data covers items that:
- reveal racial or ethnic origin
- reveal political opinions
- reveal religious or philosophical beliefs
- reveal trade union membership
- are genetic data
- are biometric data
- concern an individual’s health
- concern an individual’s sexual orientation or activity
Because these data elements are particularly sensitive, a company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. Companies are prohibited from collecting or processing these data unless:
- Explicit consent has been obtained from the data subject; or,
- Processing is necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection; or,
- Processing is necessary to protect the vital interests of data subjects where individuals are physically or legally incapable of giving consent; or,
- Processing is necessary for the establishment, exercise, or defence of legal claims, for reasons of substantial public interest, or reasons of public interest in the area of public health; or,
- For purposes of preventive or occupational medicine; or,
- Processing is necessary for archiving purposes in the public interest, scientific, historical research, or statistical purposes; or,
- Processing relates to personal data which are manifestly made public by the data subject; or,
- Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.
Personal data that relates to criminal offences and convictions is not included, but separate processing safeguards are in place. GDPR Article 10 will give you more information on this.
9. Review security practices
Item number nine on our GDPR compliance checklist is a real headache for most large firms given their footprint, but for small and medium-sized firms this should be very doable.
No privacy without appropriate security measures. For example, we are sure you will agree that you cannot guarantee the privacy of your customers’ personal data if their data were stored in an online file that is accessible without a username or password. In other words, privacy and security go hand in hand.
Important to note is that security is not one thing, but a collection of approaches, practices and measures that are only as strong as their weakest link. We have created a knowledge base item, Data Security – what to consider, for your benefit. The associated knowledge base items also include practical tips such as a list of questions you can put to your IT support partner.
When you are up to speed with the basics of data security, you and your IT support partner are advised to leverage your GDPR Register and to work through the list of systems being used. As a minimum you want to review the aspects below:
- Is the physical security appropriate?
Is the system in a physical location that is appropriately safe and secure? For any systems that are world-renowned cloud systems (e.g. Microsoft.com, Shopify.com) the answer is mostly Yes, evidenced by the security certifications they have obtained and published. For any systems your firm hosts, you want to make sure you have measures in place to ensure that only appropriate people can access the premises, office, shop, server room, filing cabinet etc. For the inevitable paper documents most firms still hold, we have created a dedicated knowledge base item, Data Security for paper documents.
- Is the system & software security appropriate?
Do check out our dedicated knowledge base item, Security for systems and software – principles, to further explore this topic. There are a number of aspects you should review and measures you can apply. Some examples: do all systems have the latest security patches applied? Do all systems have appropriate access control enforced? Where possible, do you have two-factor authentication enabled? Does the system enforce strong passwords? Can you remove or hide data items you do not use, in line with the GDPR data minimisation principle?
- Is data security appropriate?
For the SME there are two core aspects to check here: backups and data encryption. Confirm that systems are backed up and that those backups are kept in a safe place. At the same time, you want to test from time to time that a restore can be executed successfully. On the data encryption side, confirm that all personal data is encrypted both at rest and in transit. Do check out our dedicated knowledge base item, Data Security – what to consider, for more information.
- Are all measures regularly reviewed?
Your security defences need regular review and updates. This not only holds true for your equipment and infrastructure but also for the humans operating and using them. We want to emphasise the importance of not overlooking the human factor, as it has been proven over and over again to be the weakest link in a security and privacy defence. You need to ensure that the right security & privacy habits are taught and applied in the day-to-day of your business. There are lots of online learning platforms that offer Security Awareness Training and Data Privacy Training at very affordable prices. Ensuring that all new joiners and all staff go through those training courses at least once a year is essential to running a secure and privacy compliant operation. It is recommended that you implement a code of conduct that includes security & privacy as well as other ethical business practices.
10. Operationalise GDPR Rights
This tenth check on our GDPR compliance checklist should be pretty straightforward to implement.
The GDPR regulation stipulates that data subjects now have rights that they can exercise with respect to the processing of their personal data. The most well-known ones are probably the right of access and the right to be forgotten. There are in fact 9 of those rights, and they are outlined in our article GDPR Data Subject Rights.
11. Privacy awareness training for all staff handling personal data
In the data and technology space, the human factor is often overlooked. Make no mistake about it, this eleventh check in our GDPR compliance checklist is as important as any other item, if not more important.
Over and over, the human has proven to be the weakest link in a security and privacy defence. You can implement the best security measures throughout, but if a colleague clicks on a link in a malicious (phishing) email and is unknowingly taken to a fake website where his or her corporate login and password are stolen, your security defences are at risk. Similarly, it is by human mistake that a colleague puts all your customers in CC rather than in BCC, or that a colleague sends a medical file to the wrong patient.
One needs to ensure that the right security & privacy habits are taught and applied in the day-to-day of your business. It is recommended that you implement a code of conduct that includes security & privacy as well as other ethical business practices. There are unsafe practices in most firms that can easily be addressed through awareness training. We have created a dedicated knowledge base item on the topic, Data Security – the human factor.
12. Breach reporting
The regulator feels very strongly about this twelfth item on our GDPR compliance checklist, and it has resulted in quite a number of fines where firms were found not to be in compliance.
First of all, do note that a breach is not limited to a hacker breaching your network. A breach of security is any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, be it when stored, transmitted or otherwise processed. So a colleague sending a financial report to the wrong client is also a breach, as is a colleague losing a USB stick which contained personal data, or someone accidentally deleting personal data.
All breaches need to be logged internally in a data breach log that needs to be maintained by your company. Some breaches need to be reported to the regulator and potentially even to those individuals affected by the breach. See our knowledge base item dedicated to the data breach topic.
13. International considerations
This thirteenth item on our GDPR compliance checklist is relevant to two types of firms: those based outside the EU but serving the EU market and those with activities in more than one EU member state. Those with touchpoints to Brexit might want to pay attention as well.
Article 27 of the GDPR Regulation requires any firm based outside the EU but serving the EU market to have an EU based representative. In other words, those firms need an EU based Data Rep. The most cost-effective way for SME firms is likely to procure a Data Rep service from one of a number of commercial offerings out in the market, or to approach an EU based law firm to fulfil this role.
For those firms with data processing activities in more than one EU member state, the GDPR Regulation states that the national authority that will take the lead in any GDPR matters is determined according to where your firm has its main administration or where decisions about data processing are made.
At the time of writing, Brexit is only one month in and the withdrawal agreement stipulates a maximum 6 month grace period during which nothing changes. If and when there is an update, this check will be updated.
GDPR compliance summary
GDPR compliance might sound scary, but trust us, it is not that hard. It does require some dedication to the topic. After all, privacy is a human right, and you as much as anyone else want organisations to treat your personal data with the care it deserves.
The information provided here is not legal advice and cannot replace legal counsel for your specific needs. Some information outlined might not apply to you or might apply very differently. Please consult with your legal counsel to ensure you meet your legal obligations.