GDPR Compliance Checklist for 2020

Just recently, a report was published based on a survey of 252 global privacy professionals working for a wide range of organizations across 14 different industries.

It came out from the report that only 1 out of 4 organizations have a single employee handling their data protection and privacy function. It’s a lot of work, even for an experienced professional.

In this article, you will have two checklists at your service. You can assess whether you have to comply with the GDPR in the first place and if you do, what is the level of preparedness of the GDPR compliance. 

We have also defined the most important terms you need to know and answered some of the most common questions business owners and privacy professionals have.

Checklist 1: Assess whether you have to comply with the GDPR

The following 6 questions will help you to assess if you are obliged to comply with the GDPR or not.

If all of your answers are YES, there is no doubt you need to comply. If most of your answers are NO but a few are YES, please consult with a legal specialist.

1. Does your company collect any personal data?
2. Do you handle regularly activities like monthly payroll, preparing and sending out invoices, sending out promotional emails, processing and collecting applications from job applicants, patient administration?
3. Is your company processing any kind of special type of data (such as data concerning health, generic or biometric data, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, data regarding a natural person’s sex life or sexual orientation)?
4. Is your company processing personal data relating to criminal convictions and offenses or related security measures?
5. Is the data processing likely to result in a risk to the rights and freedoms of data subjects (i.e. video surveillance, credit scoring and fraud prevention procedures, the location of employees)?

Missing or incomplete management of a list of all processing activities, or failure to submit the list upon request by the supervisory authority might be treated as a violation of data protection obligations.

More to read on this topic: Records of processing activities in GDPR Article 30

Checklist 2: Assess your preparedness for the GDPR compliance

Depending on the size of your organization or business it can be a hurdle to get properly prepared. Assess your current state by answering the following questions.

1. Do you need or have you appointed a Data Protection Officer?
2. Are you keeping records of your Data Processing Activities?
3. If asked, are you ready to present a report to your local Data Protection Authority?
4. Do you have a Privacy Policy document that you have communicated and made available to your customers and partners?
5. Do you have your customers requests managed regarding their privacy?
6. Have you created and mapped out your Data Processing Agreements?
7. Do you have a system in place to manage and report Data Breaches to your local Data Protection Agency?
8. Do you request consent from parents if you collect the data of children?

To start, create your GDPR Register account and follow the workflow: click here to sign up.

12 Top frequently asked questions about the GDPR

1. What should I do in case of a Data Breach?
   

In case of a Data Breach, you need to inform the supervisory authority within 72 hours from when the breach was found.

The notification has to consist of information what was stolen or lost, how the data was protected (ex. pseudonymization), how the breach may affect the persons and whose data it was (Data Subjects in GDPR language).

When the breach is severe, and it may affect persons with a high degree, then the company needs to inform the possibly affected persons as well.

More to read on this topic: Personal Data Breach Notification Requirements Under the GDPR

2. I am a non-EU company, what are my GDPR related obligations?
   

All organizations that process personal data of EU citizens must comply with the GDPR, even when not operating in EU soil.

Organizations operating outside the European Union, but employing EU citizens, must comply with the GDPR requirements. This means that the EU citizens can exercise their rights according to the GDPR, even if the company does not conduct any business within the EU.

3. If I do not charge for my services and products, do I have to comply with the GDPR?

All companies processing personal data must comply with the GDPR, regardless whether payment is charged or not.

4. If I process data manually, do I have to comply with the GDPR?

Article 4 (6) of the GDPR sets the definition for a “filing system”. If the personal data that the company processes manually is in a structured form and the processing is conducted in a database, then yes GDPR does apply. If the processing is one-off and the company does not use a database, then GDPR might not apply.

5. What are the penalties for non-compliance?

The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed. Companies not having their records in order or failing to report any breaches to the authorities can be fined a maximum of 2% of their annual global turnover. The maximum fine that a company can face is 4% of their annual global turnover, or €20 million, whichever is the highest.

More to read on this topic: What are the GDPR fines for non-compliance?

6. What is a Data Protection Impact Assessment (DPIA)?

If the data processing and the collected data may result in a high risk of the rights and freedom of natural persons, companies need to evaluate how their processing model may affect natural persons and how to protect these processes from external threats.

7. When do I need consent for processing Personal Data?

If you are carrying out certain activities involving personal data (e.g. online marketing), you have to request consent from the person.

According to the GDPR, consent must be freely given, explicit and have an opt-in.

The request for consent must be clear and plain language, intelligible and easily accessible. It has to be separate from all other text, it needs to be clear, freely given and specific, so that the person would know, to what they are giving it.

IMPORTANT TO KNOW: Pre-ticked boxes, silence or inactivity is not considered as consent by GDPR; therefore, companies need to ask direct and formal consent.

8. What happens if Data Subjects withdraw their consent?

According to the GDPR, the data subject can withdraw their consent at any time. However, withdrawing the consent applies only to the future processing of personal data, not to data that has already been processed. If the obtained consent does not fulfill the requirements of the GDPR, the consent must be re-obtained.

9. What are the rights of Data Subjects according to the GDPR?

•   Data subjects should be able to exercise their right to correct and update their own data.
•   Data subjects should have easy access to their own data.
•   Upon request, data subjects can have their data deleted.
•   Data subjects have a right to oppose the processing of their data.
•   Data subjects should be able to receive their data in an easily understandable form.
•   If your company makes automated decisions based on an individual’s data, there should be a procedure in place to protect the data subject’s rights.

10. What does “Right to be forgotten” mean?

Persons have the right to demand companies to delete personal data about them (this is called “right to be forgotten” in GDPR terms).

Companies must comply with the demand of the person and delete (or anonymize) their data. For example: if the person withdraws their consent, collecting, and processing of personal data is no longer necessary (excluding the case of the contract ended).

The data has to be erased without undue delay (maximum 30 days normally). In some cases, (e.g. due to complying with another law or a legal obligation), right to be forgotten does not apply.

11. What does “Right to be informed” mean?

The individual has the right to be informed about how and why their personal data is being processed. Grounds for processing is usually explained when asking for consent from the individual.

An individual has a right to be informed after giving the consent as well, meaning that the company should be able to provide the individual with concise, intelligible, easily accessible, free of charge and clearly written information about the processing.

12. What does “Right to data probability” mean?

Right to Data portability for a person means the possibility to obtain his personal Data from one service provider and reuse it at another for his own purposes in an easy and safe way.

It allows to get data from one IT environment in structured, commonly used and machine-readable format and put that into another without affecting its usability (if technically possible).

7 GDPR key terms you need to know

If you are operating in the EU or have European customers, you need to understand the GDPR and the key terms.

• • Data Subject – any person whose personal data is being collected, held or processed.
  • Personal Data – Any information related to a person (Data Subject in GDPR language) that can be used to directly or indirectly identify the person qualifies as personal data. It can be anything related to the person: a name, a phone number, an e-mail address, a photo or a video, an address or location, a number of the bank account, a register plate of one’s car, social media account, etc.
  • Data Controller – the natural, legal person or public authority which determines the purpose, conditions, and method of data processing, alone or together with other actors. 
  • Data Processor – processes personal data only on behalf of the controller, meaning all processing activities happen under the controller’s consent. Data processor is usually a third party external from the main company (for example a cloud service provider). In case of an undertaking or a subsidiary, one subsidiary can act as a processor for another subsidiary.
  • Processing – involves any operation performed on personal data, whether or not by automated means.
  • Records of processing activities – must be maintained that include purposes of the processing, categories involved and envisaged time limits. The records must be made available to the supervisory authority on request (Article 30).
  • Data Protection Officer (DPO) – companies and organizations are obliged to appoint a Data Protection Officer (DPO) if the company is a public authority, carries out personal data processing on a large scale, regularly and systematically, and engages in large scale processing of sensitive personal data. The DPO has generally two main tasks:
    • to monitor the GDPR compliance operations within the organization,
    • interact with the supervisory authority and the data subjects whose data is being processed.

Sources:

Wikipedia
EU GDPR.ORG
GDPR Register