The GDPR Compliance Checklist
If you are looking to improve your GDPR compliance, reading this checklist will help you achieve all your GDPR goals.
It all starts with understanding the concepts of controller and processor. Both are organizations (or individuals) that handle personal data, but they play different roles. An organization that decides why and how personal data is processed, that is, the purposes and means of the processing, is the controller. An organization that stores or processes personal data on behalf of a controller, and only on the controller's documented instructions, is the processor. The same organization can be a controller for some data (its own employees, its own customers) and a processor for other data (its customers' end users).
In the upcoming lines, we will use the terms processor and controller consistently, which will help you better understand this GDPR compliance checklist.
In simple words, while using the GDPR checklist, you have to understand what your role is. If you are a data controller, you determine the purposes and means of the processing: why the data is collected and how it is handled. If you are a data processor, you store and process the data for someone else, on their instructions. If you are a data subject, you are the individual whose data is being processed or stored.
Reminder: What Is GDPR?
The General Data Protection Regulation (GDPR) is the European Union regulation that sets out the rules for protecting individuals' personal data and directly regulates how that data may be collected and processed by companies, organizations, and individuals.
A critical aspect of the GDPR is its broad territorial scope. It applies not only to organizations established in the EU, but also to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the organization or its servers are located. Any organization that processes the personal data of people in the EU must comply with the rules set out in the GDPR; compliance is an obligation, not an optional best practice.
A key point of the GDPR is that every processing activity needs a lawful basis. The consent of the individual whose personal data is used, collected, or disclosed is one such basis, alongside others such as performance of a contract, a legal obligation, or the controller's legitimate interests. Where consent is relied on, it must be freely given, specific, informed, and unambiguous.
Your GDPR Compliance Checklist
1. DATA (Applies to Data Processors and Data Controllers)
- Companies should keep complete records of their processing of personal data (the record of processing activities) that include the source of the data, the purposes of the processing, who the data is shared with, how the data is processed, and how long the data will be held.
- Companies must record where personal data is kept (which systems, which data centres, which countries) and should also document how data flows between those locations and between the organization and its processors.
- Companies must have a publicly accessible privacy policy (privacy notice) that describes every activity involved in the processing of personal data.
- The privacy policy should state the purpose and the lawful basis for which the company requires the personal data of the individual.
2. ACCOUNTABILITY and MANAGEMENT (Applies to Data Processors and Data Controllers)
- An agency, company or organization should appoint a Data Protection Officer (DPO). A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organizations may appoint one voluntarily.
- Every staff member who handles personal data should understand the requirements of the GDPR that apply to their work.
- Each company or organization should ensure that its technical and organizational security measures are appropriate to the risk and kept up to date (for example encryption, access control, and the ability to restore availability after an incident).
- Staff members should be aware of the data protection rules and procedures implemented within their organization or company.
- Each company should keep a complete list of its sub-processors and a documented policy on engaging them; a processor may only engage a sub-processor with the controller's prior authorization.
- If your company is not established in the EU but is subject to the GDPR because it offers goods or services to, or monitors the behaviour of, people in the EU, you must designate a representative within the European Union (unless the processing is occasional, unlikely to result in a risk, and does not involve special categories of data on a large scale).
- It is a core responsibility of a company to report personal data breaches. A controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and must inform the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms. A processor must notify the controller without undue delay after becoming aware of a breach.
- This rule only applies to data controllers. Before sharing personal data with a data processor, the data controller must put a written contract (a data processing agreement) in place that sets out the subject matter, duration, nature and purpose of the processing, and the processor's obligations.
3. NEW RIGHTS (Applies to Data Processors and Data Controllers)
- Data subjects (the customers of data processors and data controllers) must be able to request access to their personal data at any time; the controller must respond without undue delay and, in any case, within one month.
- Data subjects must be able to have inaccurate personal data corrected and incomplete data completed, so that the data stays accurate.
- Data subjects have the right to request the deletion of their personal data (the right to erasure), including their sensitive data, subject to the exceptions set out in the GDPR.
- Data subjects must be able to ask you to stop or restrict the processing of their data.
- Organizations must honour data subjects' requests to receive their personal data in a structured, commonly used and machine-readable format, and to have it transmitted to them or to another controller (the right to data portability).
- This rule only applies to data controllers. Data subjects must be able to easily object to profiling and automated decision making, and must not be subject to a decision based solely on automated processing if it produces legal or similarly significant effects on them, except in the cases the GDPR permits.
4. CONSENT (Applies to Data Controllers Only)
- Where consent is the lawful basis for processing, the processing must rest on the valid consent of the individual: freely given, specific, informed, and unambiguous, given by a clear affirmative action (pre-ticked boxes and silence do not count). If the individual has not given consent and no other lawful basis applies, the data must not be processed.
- An organization's privacy policy should be clear enough that every individual can understand the terms given in the policy.
- Even if a customer has given consent to the use of their personal data, they retain the right to withdraw that consent at any time, and withdrawing consent must be as easy as giving it.
- When relying on consent to process a child's personal data for online services offered directly to a child, consent must be given or authorized by the holder of parental responsibility where the child is below the age of digital consent (16 under the GDPR, which member states may lower to no less than 13).
- When updating an organization's privacy policy, data controllers are responsible for informing existing customers of the changes.
5. FOLLOW UP (Applies to Data Controllers Only)
- Companies should regularly review their policies and update them when legal amendments, new guidance, or changes in their own processing affect the policies' effectiveness. Companies that transfer data to, or collaborate with, organizations in other countries should also adapt their policies to the data protection requirements that apply there.
6. SPECIAL CASES (Applies to Data Controllers and Data Processors)
- This rule only applies to data controllers. Businesses should know when a Data Protection Impact Assessment (DPIA) is required: before any processing that is likely to result in a high risk to individuals' rights and freedoms, such as large-scale processing of sensitive data, systematic monitoring of public areas, or profiling with significant effects.
- This rule applies to data processors and data controllers. An organization must not transfer personal data to countries outside the European Union (and the wider EEA) unless the destination offers an adequate level of protection, for example through an adequacy decision by the European Commission or appropriate safeguards such as standard contractual clauses or binding corporate rules.
7. USER RIGHTS (Applies to Data Subjects)
- Users have the right to receive transparent information, communication, and detailed modalities to exercise their rights.
- Users have the right to receive specific information about the processing of their personal data, including any sensitive data, at the time the data is collected. This applies when the data is collected directly from the individual.
- Even when the data is not collected from the individual directly, they still have the right to receive that information within a reasonable period, and at the latest within one month of the controller obtaining the data.
- An individual can see their data (the right of access): they can obtain from the controller confirmation of whether their data is being processed, a copy of the data, and information on how it is being processed and used.
- Another fundamental right of the individual is the right to rectification, under which they can ask for the correction of inaccurate personal data and the completion of incomplete data.
- An individual has the right to restriction of processing and the right to erasure, which lets them request the deletion of their personal data without undue delay where one of the grounds in the GDPR applies (for example, the data is no longer necessary or consent has been withdrawn).
- Another vital right for the data subject is the right to be notified: when the controller rectifies or erases personal data or restricts its processing, it must communicate this to each recipient to whom the data has been disclosed, and it must tell the data subject about those recipients if they ask.
- An individual also has the right to object, on grounds relating to their particular situation, to processing based on legitimate interests or public interest at any time, and to object at any time to processing for direct marketing. Individuals can notify an organization that they no longer want their data to be processed, and for direct marketing the organization must stop.
- Individuals also have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them.
The GDPR applies regardless of an organization's size. The 250-employee threshold in the regulation only concerns record-keeping: organizations with fewer than 250 employees are exempt from keeping full records of processing activities unless their processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data. Any organization, large or small, that processes the personal data of people in the European Union must comply with the GDPR.
Whether an organization is large or small, when checking its compliance with GDPR requirements it has to consider the purpose of the processing, the categories of data it wants to process, and who within the organization (including employees) will access the data. It must also identify any third parties involved, where they are located, and which data they receive. Finally, the GDPR requires the organization to document the technical and organizational measures that protect the data, such as encryption and access control.