Achieving GDPR Compliance shouldn’t feel like a struggle. Here is a basic checklist you can use to make sure you are GDPR compliant.
If your organization determines the purposes and means of storing or processing personal data, it is a controller. If your organization stores or processes personal data on behalf of another organization, it is a processor. It is possible for your organization to have both roles, typically for different sets of data.
This list is not legal advice; it merely tries to help you cut through the confusion.
YOUR DATA
- Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it. (Data Processor | Data Controller) This is a list of the actual types (columns) of information being held (e.g. name, social security number, address). For each type, document the source, the parties the information is shared with, the purpose of the processing and how long the company will keep it.
- Your company has a list of places where it keeps personal information and the ways data flows between them. (Data Processor | Data Controller) This could be a list of databases (e.g. MySQL), but it should also include offline datastores (paper).
- You should include information about all processes related to the handling of personal information. This document should include (or link to) the types of personal information the company holds and where it holds them.
ACCOUNTABILITY & MANAGEMENT
- Your company has appointed a Data Protection Officer (DPO). (Data Processor | Data Controller) This person should know the GDPR requirements as well as the internal processes that involve personal information. Appointing a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organizations may appoint one voluntarily.
- Make sure key people and decision makers have up-to-date knowledge of the data protection legislation.
- For SaaS software companies, the SaaS CTO security checklist is a good starting point for the technical controls.
- Personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the people concerned. Report what data was affected, the likely consequences and the countermeasures you have taken; if you cannot provide all of this at once, report in phases. A processor must notify the controller without undue delay. When the breach is likely to result in a high risk to the affected people (data subjects), you must also inform them directly, unless the leaked data was protected in a way that makes it unintelligible to whoever obtained it (for example, strong encryption with keys that were not compromised).
- The contract with each processor should contain explicit instructions for the storage or processing of the data. For example, this includes the contract with your hosting provider.
NEW RIGHTS
- Your customers can easily request access to their personal information. (Data Processor | Data Controller) If you do not already have a process for handling such requests, set one up.
- If you do not already have a process defined for this, make sure you do.
- You should automate deletion of data you no longer need. For example, automatically delete the data of customers whose contracts have not been renewed once the agreed retention period has passed, and keep a record of what was deleted and why.
- If you do not already have a process defined for this, make sure you do.
- If you do not already have a process defined for this, make sure you do.
- If you do not already have a process defined for this, make sure you do.
- This only applies if your company does profiling or any other automated decision making.
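The "automate deletion of data you no longer need" item above is the one point in this checklist that is implemented in code rather than in a policy document. The following retention job is an added example written for this page, not code from the checklist's author; the retention policy table, the record fields (`category`, `last_activity`, `legal_hold`) and the sample records are all constructed assumptions. It shows the two edge cases a practitioner will hit in practice: records under a legal hold must never be auto-deleted, and a record whose category has no policy should stop the job rather than be silently kept or removed.

```python
"""Retention-based deletion job (added example; not the checklist's own code).

Assumed data model (not from the page): each record has a `category` that maps
to a retention period, a `last_activity` date (e.g. contract end), and an
optional `legal_hold` flag. Policy table and sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical retention policy: category -> days to keep after last activity.
# None means "keep while the relationship is live" (never auto-expire).
RETENTION_DAYS = {
    "active_customer": None,
    "lapsed_customer": 365,        # one year after the contract lapsed
    "marketing_lead": 180,
    "invoice": 365 * 10,           # tax law may require long retention
}


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    legal_hold: bool = False       # e.g. litigation hold: never auto-delete


def expiry_date(rec: Record) -> Optional[date]:
    """Date on which the record may be deleted, or None if it never expires."""
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        return None
    return rec.last_activity + timedelta(days=days)


def select_expired(records: List[Record], today: date) -> List[Record]:
    """Records whose retention period has elapsed and that are not on hold.

    An unknown category raises: failing closed is safer than guessing
    whether the data should be kept or removed.
    """
    expired = []
    for rec in records:
        if rec.category not in RETENTION_DAYS:
            raise ValueError(f"no retention policy for category {rec.category!r}")
        exp = expiry_date(rec)
        if exp is not None and exp <= today and not rec.legal_hold:
            expired.append(rec)
    return expired


def run_retention(records: List[Record], today: date,
                  dry_run: bool = True) -> Tuple[List[Record], List[str], List[str]]:
    """Return (remaining records, deleted ids, audit log lines).

    With dry_run=True nothing is removed; the log shows what would go.
    The audit log is what you keep as evidence of the deletion.
    """
    expired = select_expired(records, today)
    action = "would delete" if dry_run else "deleted"
    log = [f"{action} {r.record_id} ({r.category}, retention ended {expiry_date(r)})"
           for r in expired]
    if dry_run:
        return list(records), [], log
    expired_ids = {r.record_id for r in expired}
    kept = [r for r in records if r.record_id not in expired_ids]
    return kept, sorted(expired_ids), log


# Constructed sample data, evaluated as of TODAY.
TODAY = date(2018, 5, 25)
SAMPLE_RECORDS = [
    Record("c-1", "active_customer", date(2018, 1, 10)),               # live contract
    Record("c-2", "lapsed_customer", date(2017, 3, 1)),                # past one year
    Record("c-3", "lapsed_customer", date(2018, 4, 1)),                # still inside retention
    Record("c-4", "lapsed_customer", date(2017, 1, 1), legal_hold=True),
    Record("l-1", "marketing_lead", date(2017, 9, 1)),                 # 180 days elapsed
    Record("i-1", "invoice", date(2012, 5, 5)),                        # ten-year retention
]

if __name__ == "__main__":
    kept, deleted, log = run_retention(SAMPLE_RECORDS, TODAY, dry_run=False)
    print("\n".join(log))
    print("deleted:", deleted, "remaining:", [r.record_id for r in kept])
```

Run it once with `dry_run=True` and review the log before scheduling it with `dry_run=False`; the legal-hold flag and the hard failure on unknown categories are what keep an automated job from deleting something you were obliged to keep.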
CONSENT
- Ask for consent when you start processing a person's information. (Data Controller) If your website collects personal information in any way, you should have an easily visible link to your privacy policy and obtain the user's agreement through a clear affirmative action (an unticked box the user ticks, not a pre-ticked one). Consent for processing that is not needed to deliver the service should be asked for separately rather than bundled into acceptance of the terms and conditions.
- The privacy policy should be written in clear and simple terms and not conceal its intent in any way. Failing to do so could void the agreement entirely. When providing services to children, the privacy policy should be easy enough for them to understand.
- If you do not already have a process defined for this, make sure you do.
- For children younger than 16, make sure a legal guardian has given consent for data processing (member states may lower this threshold to as low as 13, so check the age that applies in the countries you serve). If consent is given via your website, make reasonable efforts to verify that approval was actually given by the legal guardian (and not by the child).
- For example, by emailing upcoming changes to your privacy policy. Your communication should explain in a simple way what has changed.
FOLLOW-UP
- You regularly review policies for changes, effectiveness, changes in the handling of data and changes to the state of affairs of other countries your data flows to. (Data Controller) Follow up on best practices and on changes to the rules in your local environment.
SPECIAL CASES
- You should only transfer data outside the EU to countries that offer an appropriate level of protection. (Data Controller) This means countries covered by an EU adequacy decision, or transfers backed by appropriate safeguards such as the standard contractual clauses. You should also disclose these cross-border data flows in your privacy policy.
- This only applies to businesses carrying out large-scale data processing, profiling or other activities with a high risk to the rights and freedoms of people. A data protection impact assessment (DPIA) should be carried out in these cases.
Disclaimer
The information above is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.