GDPR Compliance checklist

Use this GDPR Compliance checklist to confirm you have all bases covered. You will find more details on each of the GDPR compliance checks by following the links within.

1. Assign a Privacy Coordinator

Our first recommendation on our GDPR compliance checklist is to get someone on point when it comes to GDPR compliance.

For smaller firms, it is highly recommended to have a colleague or a specialised external firm on point to organise the firm's GDPR compliance without calling that person a DPO (to avoid the stringent independence and reporting requirements that come with the formal role). Small and medium-sized firms often appoint a GDPR coordinator and the regulator encourages firms to do so. It brings focus to the efforts while also giving the outside world a single point of contact to turn to in case of questions or challenges.

A formal Data Protection Officer (DPO) is only mandatory in the cases listed in Article 37: public authorities and bodies, and organisations whose core activities consist of large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal-offence data. Where a DPO is appointed, GDPR puts explicit requirements on the function in order to safeguard its independence: the DPO must be involved in all data protection matters, may not be instructed on how to perform the role, and reports to the highest level of management.

Read more about this in our dedicated article on the DPO and coordinator roles.

2. Have a privacy policy tailored to your firm

The second must-do on our GDPR compliance checklist is to have an appropriate privacy policy. Without it, you are definitely not GDPR compliant.

One of the core requirements of GDPR is the obligation to inform data subjects about the firm's data usage and the associated privacy position and arrangements. Only when those interacting with your firm are duly informed can they make an informed decision as to whether or not they are willing to do business with your firm. Just copying and pasting a privacy statement from the internet is likely to cause more harm than good. GDPR requires your communications to be specific to the way the firm operates: Article 12 demands that the information be concise, transparent, intelligible and written in clear and plain language, so boilerplate or catch-all statements and vague or overly complex legal jargon do not meet the standard.

In short, give privacy the attention it deserves and do it properly. Make sure your privacy policy covers at a minimum the below items:

  1. Clear statement of responsibilities: who is the data controller, which data processors act on your behalf, and who is your key contact for GDPR matters
  2. List the processes that touch personal data, e.g. client intake, invoicing, staff remuneration, newsletter etc.
  3. For each of the processes, capture its business purpose, its GDPR legal basis and the data items used. Also outline how long you will retain the data.
  4. List the processes that share personal data and with whom you share it, e.g. data you share with your accountant or IT support partner, or through the use of cloud platforms such as Facebook, Mailchimp, Stripe etc.
  5. Make sure your privacy policy and the processes within it cover your online / digital interactions (e.g. a quote request form) as well as your in-store / office interactions (e.g. an in-store loyalty card).
  6. If your firm uses social media, warn users that the social media platforms process their personal data, and mention that your firm and the platform are likely to be considered joint controllers for part of that processing.
  7. List the GDPR data subject rights your users have and how they can exercise them
  8. State how users can contact you and, if needed, raise a complaint with the relevant authority. Do note that the regulator recommends you establish a dedicated communication channel for all privacy related matters. So avoid reusing info@mycompany.com and set up a dedicated privacy@mycompany.com mailbox.

Last but not least, publish your privacy policy as a top-level link on your website, for example in the footer of your website. Make sure the link is visible from all pages. Do not hide your privacy policy in any terms & conditions document as GDPR requires it to be directly and prominently visible.

If this all sounds a bit too much, do know that GDPRWise has made it really fast and easy for you to get an appropriate privacy policy. GDPRWise has done the hard work for you by creating very specific filled-in dossiers tailored to your industry sector. We have done 80% of the work, you just have to validate and refine.

3. Reference your privacy policy in all your communications

The third must-do on our GDPR compliance checklist is to leverage the work you have invested in creating your privacy policy by putting it to good work in all your communications.

Just having a good privacy policy published on your website is not good enough. You also need to clearly reference your privacy policy in each communication. For digital communications, add a footer with the link to your emails and your marketing / newsletter communications. Reference your privacy policy in your quotes, adverts, social media pages, terms & conditions and other contracts. In the case of an employment contract, make sure you have a specific staff privacy policy and add it as an addendum (also see item 7 below).

Companies have been fined for merely referencing their website and not explicitly referencing their privacy policy. If you are in doubt how to create a footer, ask your IT support partner.

4. If you set cookies, use a cookie popup

This fourth item is what a lot of people associate GDPR with, the dreaded cookie popups!

Cookies typically store an identifier that lets the website, or a third party embedded in it, recognise your browser on later visits and across sites; in other words, they process your personal data. The obligation to ask permission before storing a cookie comes from the ePrivacy rules as implemented in each member state, and GDPR sets the standard that permission has to meet: consent must be freely given, specific, informed and unambiguous. Cookie popups might feel annoying but they do give every one of us the opportunity to control what we allow and what we do not. We might, for example, not want to be tracked across the internet.

As a website owner, you should reflect on whether you could do without cookies altogether. Do not keep cookies just because your website came with them, or because most other websites seem to use cookies to track visitors. Our own website, GDPRWise.eu, does not set any cookies. Privacy is a serious matter (and a human right, mind you), so make a well informed and conscious decision about it. Our knowledge base can help here.

If you have cookies, you will need to inform your visitors BEFORE setting or saving any that are not strictly necessary. The one exemption is for cookies that are strictly necessary to deliver a service the visitor has asked for, such as a session cookie that holds a shopping basket or the cookie that records the visitor's own banner choices; those may be set without consent but should still be listed in your cookie policy. The visitor needs to be informed in plain language and you need to ensure unambiguous consent is received before proceeding: pre-ticked boxes, or treating "continuing to browse" as agreement, do not count as consent. There are plenty of tools out there to provide you with a cookie banner or popup, but do test your website yourself, in a fresh private browsing window with an empty cookie jar, that: (1) NO non-essential cookies are set before the user has been informed and has been able to communicate his or her choices; and (2) only those cookies are set that the user has agreed to. The browser's developer tools show you the Set-Cookie response headers in the network panel and the stored cookies in the storage panel; check both, because cookies set by JavaScript never appear as a response header, and remember that other browser storage used as an identifier (such as localStorage) is treated the same way. As part of your duty to inform the visitor, it is recommended to have a cookie policy document that outlines which cookies are being used and how they affect users. Additionally, you must inform the user how he or she can revoke any consent given and remove any set cookies; withdrawing consent must be as easy as giving it.
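The two tests above can be scripted rather than eyeballed. The Python below is an added example (not GDPRWise's code or tooling): it parses Set-Cookie response headers as captured from the browser's network panel, classifies each cookie against a registry of documented purposes, and reports every cookie that was set without the matching consent or that is not documented at all. The registry, the cookie names and the two captures are constructed for illustration; a real registry must list every cookie your site and its embedded third parties set.

```python
"""Audit captured Set-Cookie headers against the visitor's consent state.

Run the audit twice: once on the capture taken before any interaction with
the banner (consented = empty set) and once on the capture taken after the
visitor opted in to specific categories. Any finding is a failure.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed registry: maps a cookie-name pattern to the purpose category
# documented in the cookie policy. Common real-world names are used as
# examples only; every cookie your own site sets must appear here.
COOKIE_REGISTRY: Dict[str, str] = {
    r"^PHPSESSID$": "essential",       # server session, needed for the visit itself
    r"^cookie_consent$": "essential",  # records the visitor's banner choices
    r"^_ga(_|$)": "analytics",         # Google Analytics client id (_ga, _ga_<id>)
    r"^_fbp$": "marketing",            # Facebook pixel browser id
}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    attributes: Dict[str, str]  # lower-cased attribute name -> value ("" for flags)

    @property
    def persistent(self) -> bool:
        """A cookie survives the browser session if it carries Expires or Max-Age."""
        return "expires" in self.attributes or "max-age" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; Attr=val; Flag; ..."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie header: {header!r}")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def classify(name: str, registry: Dict[str, str] = COOKIE_REGISTRY) -> str:
    """Return the documented purpose of a cookie, or 'unknown' if it is not listed."""
    for pattern, category in registry.items():
        if re.search(pattern, name):
            return category
    return "unknown"


def audit_cookies(
    set_cookie_headers: Iterable[str],
    consented: Set[str],
    registry: Dict[str, str] = COOKIE_REGISTRY,
) -> List[Tuple[str, str, str]]:
    """Return (cookie name, category, reason) for each cookie that must not be set.

    Essential cookies are always allowed. Unknown cookies are reported because
    they cannot be covered by the cookie policy; all other cookies need their
    category to be in the consented set.
    """
    findings: List[Tuple[str, str, str]] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        category = classify(cookie.name, registry)
        if category == "essential":
            continue
        if category == "unknown":
            findings.append((cookie.name, category, "not documented in the cookie registry"))
        elif category not in consented:
            lifetime = "persistent" if cookie.persistent else "session"
            findings.append((cookie.name, category, f"{lifetime} cookie set without '{category}' consent"))
    return findings


# Constructed captures, as recorded from the network panel on a first visit.
BEFORE_CONSENT = [
    "PHPSESSID=2f1c9e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1234567890.1700000000; Max-Age=63072000; Path=/",
    "_fbp=fb.1.1700000000.123; Max-Age=7776000; Path=/",
]
AFTER_ANALYTICS_CONSENT = BEFORE_CONSENT + [
    "cookie_consent=analytics; Max-Age=15552000; Path=/; Secure; SameSite=Lax",
    "_gid=GA1.2.987654321.1700000000; Max-Age=86400; Path=/",
]

if __name__ == "__main__":
    for label, capture, consented in [
        ("before consent", BEFORE_CONSENT, set()),
        ("after consenting to analytics only", AFTER_ANALYTICS_CONSENT, {"analytics"}),
    ]:
        print(f"== {label}")
        for name, category, reason in audit_cookies(capture, consented):
            print(f"  FAIL {name} ({category}): {reason}")
```

In the constructed "before consent" capture the analytics and marketing cookies are flagged; after consenting to analytics only, the marketing cookie is still flagged, and so is `_gid`, which the registry does not know about: an undocumented cookie is a finding in its own right, because your cookie policy cannot describe it. Cookies written by JavaScript never show up as a Set-Cookie header, so for a full picture also feed the audit the `name=value` pairs copied from the browser's storage panel (or from a headless-browser run).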

5. Direct Marketing must mention the source and provide an opt-out

This fifth item on our GDPR compliance checklist seems pretty straightforward but does require discipline to get right.

The first requirement here is to reveal the source of the personal information to the recipient. Either the personal data of the recipient was obtained directly from the recipient, or indirectly from another source. Core to GDPR is your duty to inform and provide transparency around the processing of personal data, so the source of any personal data needs to be captured; where data was obtained indirectly, Article 14 requires you to tell the person where it came from, at the latest in your first communication with them. This requires you to have the right processes and discipline in place to record the origin of personal information at all times.

At the same time, direct marketing emails must offer recipients a way to opt out of any such future communications in order to be compliant with GDPR requirements. This is typically achieved by adding an opt-out link or button at the bottom of the email so the recipient can unsubscribe from your mailing list. Most marketing platforms (e.g. Mailchimp) offer the opt-out functionality by default, so it should be very easy for you to comply with this requirement. The harder part is to ensure that those individuals no longer receive that type of communication going forward, for example when an older contact list is re-imported or a second tool is used for a campaign; keep a single suppression list and check every send against it. This requires you to have the right processes and discipline in place. Do note that users who have unsubscribed and subsequently still receive similar marketing communication may very well file a complaint with the regulator. The regulator has already issued fines for failure to meet this requirement!

Do note that if you use a marketing platform, you are in effect sharing some personal information (e.g. personal email addresses, names etc.) of your marketing audience with the marketing platform, which acts as a data processor on your behalf. So do add the marketing platform as a third party in the section of your privacy policy that outlines sharing of personal data, and make sure you have a data processing agreement with it, as Article 28 requires.

Direct marketing has been a source of annoyance for many consumers and most national regulators have made great efforts to better inform and educate their audiences by publishing guidelines. So do check your national data protection authority's website for guidelines. As an example, you can find the guideline for Belgium here.

6. Maintain a GDPR Register

This sixth item on our GDPR compliance checklist is one the regulator will ask for if they come knocking on your door.

Article 30 of GDPR requires firms to maintain a 'record of processing activities', often referred to as a GDPR Register. There is an exemption for organisations with fewer than 250 staff, but it only applies when the processing is occasional, is unlikely to result in a risk to data subjects and involves no special category or criminal-offence data, so in practice almost every firm needs one. Your GDPR Register must contain a list of all processing your firm undertakes on any personal data. The personal data could be that of your customers, staff, suppliers, partners etc. and all of it should be included in the Register. You should maintain separate registers for those activities where you are the data controller and those where you are a data processor.

Do check your national data protection authority's website for guidelines on the format of the register and the information to be included.

Alternatively, you can join GDPRWise as you can generate your GDPR Register in a single click once you have validated the filled-in dossier we create based on your industry sector and country of registration.

7. Have a staff privacy policy

This seventh item is often overlooked, but as GDPR-related challenges often arise from broken-off staff relationships, it should be firmly on your radar to get right.

The GDPR requirements and its ruleset cover personal data processing across all data subjects, not just your customers. Each firm that has staff on its payroll, or indirectly through contracting independent staffers, will be holding personal data in order to onboard, compensate, evaluate, train and insure those individuals. The personal data being processed typically differs considerably from what is being processed about your customers. As a result, it makes sense to have a dedicated staff privacy policy in order to comply with the GDPR requirement to inform your staff about the data you process and the associated privacy and security arrangements.

As with your customer privacy policy GDPRWise can make this a quick and easy process as we have done the hard work for you already and created specific industry sector profiles that give you most of the answers already.

8. Are you using special category data?

The eighth item on our GDPR compliance checklist makes it very clear that all data elements are not equal under GDPR.

Some data is particularly sensitive and as a result requires additional safeguards to ensure its protection. This Special Category Data covers items that:

  • reveal racial or ethnic origin
  • reveal political opinions
  • reveal religious or philosophical beliefs
  • reveal trade union membership
  • is genetic data
  • is biometric data
  • is concerning an individual’s health
  • is concerning an individual’s sexual orientation or activity

Because these data elements are particularly sensitive, a company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. Companies are prohibited from collecting or processing these data unless:

  • Explicit consent has been obtained from the data subject; or,
  • Processing is necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security and social protection; or,
  • Processing is necessary to protect the vital interests of data subjects where individuals are physically or legally incapable of giving consent; or,
  • Processing is necessary for the establishment, exercise or defence of legal claims, for reasons of substantial public interest, or for reasons of public interest in the area of public health; or,
  • Processing is necessary for the purposes of preventive or occupational medicine; or,
  • Processing is necessary for archiving purposes in the public interest, or for scientific, historical research or statistical purposes; or,
  • Processing relates to personal data which are manifestly made public by the data subject; or,
  • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects.

These conditions are set out in Article 9 of GDPR. Personal data relating to criminal offences and convictions is not a special category, but separate processing safeguards apply to it; GDPR Article 10 will give you more information on this.

9. Review security practices

Item number nine on our GDPR compliance checklist is a real headache for most large firms given their footprint, but for the small and medium sized firms this should be very doable.

No privacy without appropriate security measures. For example, we are sure you will agree that you cannot guarantee the privacy of your customers' personal data if that data is stored in an online file that anyone can open without authentication. In other words, privacy and security go hand in hand, and Article 32 of GDPR explicitly requires you to take technical and organisational measures that are appropriate to the risk.

Important to note is that security is not one thing, but a collection of approaches, practices and measures that are only as strong as their weakest link. We have created a knowledge base item Data Security – what to consider for your benefit. The associated knowledge base items also include practical tips such as a list of questions you can put to your IT support partner.

When you are up to speed with the basics of data security, you and your IT support partner are advised to take your GDPR register and work through the list of systems it names. As a minimum you want to review the aspects below:

    • Is the physical security appropriate?

Is the system in a physical location that is appropriately safe and secure? For well-known cloud systems (e.g. Microsoft.com, Shopify.com) the answer for the provider's own data centres is mostly yes, and it is evidenced by the security certifications they have obtained and published. Do note that those certifications cover the provider's side only: the configuration of your own tenant, who in your firm has an account, what rights they hold and what is shared publicly remain your responsibility. For any systems your firm hosts, make sure you have measures in place to ensure that only appropriate people can access the premises, office, shop server room, filing cabinet etc. For the inevitable paper documents most firms still hold, we have created a dedicated knowledge base item, Data Security for paper documents.

    • Is the system & software security appropriate?

Do check out our dedicated knowledge base item, Security for systems and software – principles, to further explore this topic. There are a number of aspects you should review and measures you can apply. Some examples: do all systems have the latest security patches applied? Do all systems have appropriate access control enforced, so that each person can only reach the data his or her role needs? Is multi-factor authentication enabled wherever the system supports it, starting with email and administrator accounts? Does the system enforce strong passwords? Can you remove or hide data items you do not use, in line with the GDPR data minimisation principle?

    • Is data security appropriate?

For the SME there are two core aspects to check here: backups and data encryption. Confirm that systems are backed up and that those backups are in a safe place, ideally a copy that is kept offline or otherwise out of reach of the account that writes it, so that ransomware or an accidental deletion cannot destroy the backup together with the original. At the same time, test from time to time that a restore can actually be executed successfully; an untested backup is not a backup. On the data encryption side, confirm that all personal data is encrypted both at rest and in transit: in transit means HTTPS/TLS on your website and your connections to cloud services, and at rest means full-disk encryption on every laptop, phone and USB stick that holds personal data, and provider-side encryption for cloud storage. Do check out our dedicated knowledge base item, Data Security – what to consider?, for more information.

    • Are all measures regularly reviewed?

Your security defences need regular review and updates. This not only holds true for your equipment and infrastructure but also for the humans operating and using them. We want to emphasise the importance of not overlooking the human factor, as it has been proven over and over again to be the weakest link in a security and privacy defence. You need to ensure that the right security & privacy habits are taught and applied in the day-to-day of your business. There are lots of online learning platforms that offer Security Awareness Training and Data Privacy Training at very affordable prices. Ensuring that all new joiners and all staff go through those training courses at least once a year is essential to running a secure and privacy-compliant operation. It is recommended that you implement a code of conduct that covers security & privacy as well as other ethical business practices.

10. Operationalise GDPR Rights

This tenth check on our GDPR compliance checklist should be pretty straightforward to implement.

The GDPR regulation stipulates that data subjects now have rights that they can exercise with respect to the processing of their personal data. The most well-known ones are probably the right to access and the right to be forgotten. There are in fact 9 of those rights and they are outlined in our article GDPR Data Subject Rights.

Apart from the requirement to list the data rights in your privacy policy, your firm of course also needs to operationalise them. In other words, when a customer asks to be forgotten and have his or her data removed, you must have the processes and capabilities in place to remove (or anonymise) the data, including copies held by your processors, and to do so within the deadline: Article 12 requires a response without undue delay and at the latest within one month, extendable by a further two months for complex or numerous requests. Before you disclose or delete anything, verify that the requester really is the data subject; GDPR lets you ask for additional information to confirm identity when you have reasonable doubts. If in doubt, or if one would rather outsource this aspect, many firms offer these Privacy Coordinator related services at typically affordable rates.

11. Privacy awareness training for all staff handling personal data

In the data and technology space, the human factor is often overlooked. Make no mistake about it, this eleventh check in our GDPR compliance checklist is as important as any other item, if not more important.

Over and over, the human has proven to be the weakest link in a security and privacy defence. You can implement the best security measures throughout, but if a colleague clicks on a link in a malicious (phishing) email and is unknowingly taken to a fake website where his or her corporate login and password are stolen, your security defences are at risk. Similarly, it is by human mistake that a colleague puts all your customers in CC rather than in BCC, or sends a medical file to the wrong patient.

One needs to ensure that the right security & privacy habits are taught and applied in the day-to-day of your business. It is recommended that you implement a code of conduct that covers security & privacy as well as other ethical business practices. There are unsafe practices in most firms that can easily be addressed through awareness training. We have created a dedicated knowledge base item on the topic, Data Security – the human factor.

12. Breach reporting

The regulator feels very strongly about this twelfth item on our GDPR compliance checklist, and it has resulted in quite a number of fines where firms were found not to be in compliance.

First of all, do note that a breach is not limited to a hacker breaching your network. A personal data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, whether stored, transmitted or otherwise processed. So a colleague sending a financial report to the wrong client is a breach, as is a colleague losing a USB stick that contained personal data, or someone accidentally deleting personal data.

All breaches need to be logged internally in a data breach log maintained by your company, including the ones you decide not to report and why. Breaches that are likely to result in a risk to individuals must be reported to the regulator without undue delay and, where feasible, within 72 hours of you becoming aware of them (Article 33); where the risk to the individuals is likely to be high, those individuals must be informed as well (Article 34). Because the 72-hour clock starts when you become aware, make sure staff know how to report a suspected breach internally straight away. See our knowledge base item dedicated to the data breach topic.

13. International considerations

This thirteenth item on our GDPR compliance checklist is relevant to two types of firms: those based outside the EU but serving the EU market and those with activities in more than one EU member state. Those with touchpoints to Brexit might want to pay attention as well.

Article 27 of GDPR requires any firm based outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU to designate an EU-based representative, with a narrow exemption for processing that is occasional, carries no real risk and involves no large-scale special category or criminal-offence data. In other words, those firms need an EU-based Data Rep. The most cost-effective way for SME firms is likely to procure a Data Rep service from one of the commercial offerings in the market, or to approach an EU-based law firm to fulfil this role.

For firms with data processing activities in more than one EU member state, GDPR designates a lead supervisory authority: the national authority of the member state where your firm has its main establishment, that is, the place of your central administration in the EU or, if decisions about the purposes and means of processing are taken somewhere else in the EU, that place.

At the time of writing Brexit is only one month in and the withdrawal agreement stipulates a maximum 6 month grace period where nothing changes. If and when there is an update this check will be updated.

GDPR compliance summary

GDPR compliance might sound scary, but trust us, it is not that hard. It does require some dedication to the topic. After all privacy is a human right and you as much as anyone else want organisations to treat your personal data with the care it deserves.

So go through our GDPR compliance checklist and first of all, make sure you create the required documentation. Start with your GDPR register as that listing will allow you to document a privacy policy that accurately reflects the way your organisation processes personal data. These documents combined allow you to inform your customers (and any other data subjects you might have) and as a result comply with the GDPR requirements to provide transparency. Subsequently you can use your GDPR Register to review your security practices for each of the processes and improve where needed. Last but not least you want to make sure you operationalise the GDPR data subject rights, so you can respond to any requests.

Disclaimer
The information provided here is not legal advice and cannot replace legal counsel for your specific needs. Some information outlined might not apply to you or might apply very differently. Please consult your legal counsel to ensure you meet your legal obligations.