GDPR makes sure that every EU user of any online services - whether their Twitter accounts, eBay, Paypal, shipping information or more comprehensive cloud computing package – is able to control their data. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. This policy directive was adopted in May 2016 to make Europe fit for the digital age.
The GDPR brings a lot of extra work for organizations that are considered to process Personal Data. For small businesses who feel overwhelmed with all the attention and threatening articles, here is a very easy GDPR-compliance checklist you can go through.
Understand What is Personal Data
GDPR is all about the personal data and you should understand what is considered as “personal data” under new regulations and what kind of those that you deal with. Chances are that you do collect personal data, even if you are collecting the names and telephone numbers of your customers, you do collect personal data. Also, know how do you collect that data, how do you use them and how do you store them.
“Personal Data” (PD) means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person Regulation.
Check if the people in your database have given consent (from EU)
GDPR states that all personal data collected requires proof of consent. “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Direct consent is given for example if you have consent from your customers to collect their personal data for business operations purposes, you cannot send them marketing materials with the same consent.
Perform a Data Protection Impact Assessment (DPIA)
By performing a DPIA under the GDPR helps an organization to identify, assess and mitigate or minimize privacy risks with data processing activities. They are particularly relevant when a new data processing process, system or technology is being introduced. The DPIA Register is a spreadsheet (for example Excel template) that keeps track of all the data breaches that have happened and how they were dealt with.
Are you looking for this DPIA Register or also known as a Personal data security breach log? Download this DPIA Register now!
Prepare for Access Requests
Under the GDPR, all citizens will have the right to have insight and access to their personal data. Also to rectify inaccurate data or object to their data being processed or even completely erase any of their personal data you hold. You must be able to process such requests within a prescribed period of time.
Create a “Request to Access Personal Data” Button or Page on your Website
Under GDPR, all EU residents will have “Access-request” right over the companies and organizations that collect their personal data. Using that right, they will be able to access their personal data that was collected about them. Having a clear Request solution as well as privacy and data protection policy page on your website will make it easier for you to handle those requests.
Are you looking for a Data Subject Consent Form? The Data Subject Consent Form should be provided in writing to the Data Processor, according to the directive.
Explain the changes in the law to your Employees
Make sure your employees are aware of the changes in the law. Send them a brief memo with topics that are relevant to know. Explain possible responsibilities for employees that came with the introduction of the new GDPR directive regarding compliance. They should be able to notify responsible persons in your organizations in case of data breaches or other violations.
Check if Your Suppliers are GDPR-ready
Contact your suppliers in time to make sure that the suppliers take action to prevent data breaches and other violations. They need to review their policies and contracts to ensure that you will not have any sanctions caused by third-parties and your suppliers.
Do I need to appoint a GDPR DPO (Data Protection Officer)?
The GDPR is choosing consumer trust ahead of the business’s interests. From a legal perspective, that fosters the objective that the GDPR creates an accountability and transparency demand (specifically to the consent of the Data Subjects), it appears that to be compliant you need to appoint a DPO. However, when carefully reading the GDPR directive, you can conclude it’s not specified when a DPO should be appointed. A soon to be Supervisory Authority will provide us with this answer. This will depend on the data intensity of your company.
Article 37 of GDPR document states that companies and organizations need to appoint a Designated Data Protection Officer (DPO) when these conditions are met,
(a) The data processing is carried out by a public authority or body. Or
(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”
You might consider appointing a DPO, just to be sure, but no need to hire one.
Is your organization already GDPR proof? Are you already recruiting a Data Protection Officer (DPO)? Download this Data Protection Officer Job Description now!
Free GDPR Compliance Preparation Gantt Chart template:
If you wish to start your journey to become GDPR Compliant today, then you also should check out this