Data protection authorities have been cracking down on GDPR breaches, and experts are not exempt from regulators’ gaze.
A simple GDPR compliance checklist will get you on the right side of the law. And in this article, we will walk you through some of the most critical aspects of the regulation that will get you started on the road to compliance. Let’s discuss.
GDPR Compliance Checklist Basics
The goal of the regulation is to create an organizational environment of privacy by design and default. As a community, we have a long road ahead of us to get to that stage, but regulations like these remind us of the importance of protecting our people and customers’ privacy.
For subject matter experts (SMEs), it can be quite challenging to juggle the requirements of regulations and daily business activities. So we have made a simple checklist to remind you of the basics of the law.
This way, you can begin your road to compliance and expend the least amount of resources required.
Most organizations will be familiar, by now, with the changing data protection regulatory landscape. But for the new players out there, here are the key takeaways of the GDPR:
- Understand if you are a data controller or a data processor
- Understand your information system and where susceptible data is kept (data flow mapping)
- DPOs, DPIAs, and DSARs
- Technical safeguards
Keep this in mind as a mental checklist for GDPR compliance, and if you are unsure about anything regarding the regulations, contact our specialists today.
Finally, compliance does not have to be an uphill battle. With the right mindset, there are massive benefits to complying. After all, the goal is to create an ecosystem that promotes the individual’s privacy, and remembering this is a great way to create the right mindset.
The GDPR Fundamentals: Rights and Freedoms of the Natural Persons
If you are looking for a barometer to check whether your organization is breaching the regulation, look no further than the natural persons’ rights and freedoms. The first part of the code lays out what counts as a natural person in the law’s eyes and what rights and freedoms that person has as an EU data subject.
Ensure that you are familiar with the rights and freedoms of the natural person. Violating them will incur heavy penalties.
You can think of these as the spirit of the law, as most of the articles within the regulation work to protect these rights and freedoms.
Understand If You Are a Data Controller or a Data Processor
The GDPR does make a point of acknowledging the complexity of the data ecosystem. In a world where data-driven businesses are the norm, third-party networks can become very complex.
The regulation distinguishes two different parties: Data Controllers (DC) and Data Processors (DP).
What is a Data Controller?
In most circumstances, an SME is unlikely to be a data controller, but these are the conditions that would make your organization a data controller.
The data controller is responsible for the legal collection of PII and the legal distribution of PII to the data processor. They are the primary entity that holds PII. They must obtain the data fairly, i.e., with explicit consent from the data subject.
The data controller is also responsible for the management of the data processor. So, they must ensure that all processors employ technical safeguards and are complying with all legal requirements.
The regulation is a bit more stringent on the responsibilities of a data controller, especially when it comes to third-party networks.
What is a Data Processor?
If a data controller’s conditions do not fit your organization, you will be classified as a data processor. Data processors make up most organizations that use PII, as being a data controller can be very resource-intensive.
You will usually see big tech corporations, like Google or Facebook, classified as data controllers (they are so large that they end up fulfilling both roles).
SMEs, for that reason, would most likely be classified as data processors. These entities will have varied responsibilities depending on the industry, but under the GDPR, they must:
- Acquire legally collected data from a data controller
- Remain responsible for the technical safeguarding of sensitive data
- Obtain permission from the data controller for any third-party use of data
- Appoint a DPO (if required; more on that later)
The data processor essentially acts as an agent of the data controller. Their primary roles are to process PII so that customers can engage with their services or products.
There is not much difference in legal responsibilities for either the data controller or the data processor. But the data controller does have the extra work of managing all processors that use their collected data.
Information Management and Data Flow Mapping
The risk management element of the GDPR comes in the form of correct information management. The idea is if an organization manages the flow of information properly (legally), the risk of breaches is mitigated.
Of course, this is not foolproof, and the regulation recognizes this, but it does form the backbone of a security framework. Even with the best encryption and technical safeguards, lackluster information management will eventually lead to breaches down the line. As the cyber community will often say, “it’s not if but when.”
This is why preparedness is the key when it comes to battling cyberattacks.
The GDPR’s version of information management comes in the form of data flow mapping, and maintaining strict control over your information system is vital to GDPR compliance.
Data Flow Map
The data flow map is designed in a way that any organization, regardless of resources, can employ. Although software solutions simplify the process, they can be expensive and are not necessary for compliance.
The general principle of a data flow map is to show the lifecycle of personal data within the organization, from its collection to its deletion. And, by law, it will eventually have to be deleted.
Data flow mapping basics:
- Documentation that shows the flows of data within the org
- Used to identify the collection, storage, and processing of PII
- Will be required in the event of a data breach so that supervisory authorities can understand the potential cause
- Identify the technical and organizational safeguards that will be applied during collection, storage, and processing
Ultimately, the data flow map will help in the information management process and meet the governance requirements laid out by the law.
Have a DPIA ready for New Projects
Data Protection Impact Assessments (DPIA) are an essential aspect of the GDPR compliance checklist, and your organization should have some templates ready when undertaking new projects.
Projects would be any new products, services, internal processes, and new technologies that store, collect, and process PII.
There are many resources out there on DPIAs and how to conduct a DPIA, including here on our blog. But as a reminder, a DPIA is used to assess the risk new projects might have on the natural persons’ rights and freedoms.
The quick step-guide to conducting a DPIA:
- Assess the need for a DPIA; if there is no PII involved, then a DPIA will be unnecessary
- Use a data flow map to map out the new information lifecycle
- Determine the privacy risks to the data at the point of collection, storage, and processing
- Brainstorm methods to mitigate the privacy risks at each stage
- Apply mitigation methods
- Have the new project signed off by relevant authorities
- Document the new process and integrate it into the project operation
- Capture lessons learned and feedback
Once you have the steps down, your organization can create a documentation template to streamline all departments’ processes.
Do you need a DPO?
The next step on the GDPR compliance checklist is to assess whether your organization will require a Data Protection Officer (DPO). It is a common misconception that SMEs do not require a DPO. While it is true that larger organizations choose to hire a DPO as part of their compliance strategy, the requirement does not depend on the size of the organization but rather on the kind of PII the company processes and at what scale.
If your organization satisfies one of these conditions:
- Is a public body
- The nature of data processing requires regular, systematic monitoring
- Processing large-scale special categories of data
Then, a DPO will be required by law. Setting aside the first condition, it is entirely conceivable that an SME can process PII at a large and systematic scale. If your data processing involves only yourself and no automated system, while also being manageable by a small team, then you will not require a DPO. But the GDPR does stipulate that processing special categories of PII at a large scale will require your organization to hire a DPO to monitor the data privacy implications.
What are special categories?
Special categories are any kind of PII that reveal:
- The ethnic origin of the data subject
- The political opinions of the data subject
- The religious or philosophical beliefs of the data subject
- Genetic data
- Biometric data
Any large-scale processing of this kind of data will mean that your organization will require a DPO’s assistance.
The final step in the GDPR compliance checklist is to ensure your organization has a Data Subject Access Request (DSAR) solution ready.
A DSAR is provided for by an article within the regulation that affords the data subject the right to access any PII you store on them. As part of the DSAR mentioned within the rights and freedoms, the data subject has the “right to be forgotten.” This means you must delete any personal data you hold on them if they request that you do so.
And as part of this right, they can request access to the data. Completing all the previous steps of this checklist will make this process much smoother if you ever find yourself on the receiving end of a DSAR.
You will have a grace period of 30 days to get the data to the data subject; failure to do so could land you in troubled waters with the local Data Protection Authority (DPA).
The easiest way to solve this problem is to set up an automated system that can deal with the incoming requests while verifying that the claims are coming from a genuine customer/data subject.
When it comes to GDPR compliance, one of the most important aspects is to have the right mindset. Creating an organizational privacy mindset means you will be carrying out the spirit of the law and developing a culture of privacy by design and default.
But as a community, we are still some time away from integrating these principles into the business environment. Until then, you can refer to this simple GDPR compliance checklist to keep you on the right track.
But if you would like advice on compliance, RSI Security is here for you. If you are finding yourself stuck with your compliance strategy, contact us today and book a free consultation.