As a controller, as defined in GDPR article 4 sub (7), you have a legal duty to comply with the GDPR. This includes the associated responsibilities and the liability ‘to meet the requirements of the GDPR and ensure the protection of the rights of the data subject’. So, how are your preparations to be GDPR compliant coming along? Use this GDPR checklist to confirm that your preparation is complete or, alternatively, to see what you still need to do before you can welcome the inspector from the supervisory authority with a smile on your face.
1. You know your data.
This is the first point on the GDPR checklist, and perhaps the most important. You have analyzed and documented all of the personal data that your organization processes. You have:
- Assessed and documented the sources of personal data sent to your company (also to comply with GDPR art 14 sub 2 (f));
- Recorded the types of personal data you receive;
- Recorded where you keep the data you collect at each entry point (website, shop, e-mail, etc.), including back-ups, shadow databases, copies on employees’ laptops and so on;
- Noted who has (or could have) access to the personal data collected and the reason they need access.
2. You know the rules.
You have checked all privacy laws, regulations, and standards that affect your organization at the local and national level as well as the international level. You have:
- Noted the relevant GDPR articles for each type of data;
- Taken notice of additional laws, e.g. reconciling the GDPR with the right to freedom of expression and information, including the exceptions for journalistic purposes;
- Made yourself aware of national laws regarding taxes, archiving, etc., which may influence the form in which data must be kept and for how long.
3. You have a record of processing operations.
- For each set of data you have at least one lawful ground for processing (see article 6). If you find personal data in your possession for which you cannot explain why you have it, you destroy it (because storing, i.e. processing, personal data without a legitimate purpose is unlawful and can lead to huge fines);
- You do not gather more personal data than is necessary in relation to the purposes of the processing (data minimization);
- You adhere to the GDPR principle of purpose limitation: you document the purpose you have communicated to the data subject, and you do not use the personal data for other, unrelated processing.
We’re now halfway through the GDPR checklist. How are you doing? Good so far? Great, let’s continue.
4. You are supporting the exercise of data subjects’ rights.
Your company has developed efficient processes to support the rights of the data subject as defined in Chapter 3 of the GDPR (art. 12-23). You are aware that you, as the controller, are obliged to facilitate the exercise of data subjects’ rights and to respond to requests ‘(…) within one month’ (see GDPR rec. 59).
- In accordance with article 13 and/or article 14 you send transparent information about the intended processing, on time and ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’.
- At the request of the data subject, you send confirmation of whether you are processing his or her personal data. If that is the case, you:
  - give the data subject access to his/her data;
  - provide information regarding the processing, such as its purpose, the (categories of) recipients the data is (or will be) shared with, how long it will be stored, etc.;
- At the request of the data subject, you correct and complete his/her incorrect personal data (right to rectification);
- At the request of the data subject, you erase his/her personal data when one or more of the grounds in article 17 sub (1) applies (right to erasure);
- At the request of the data subject, you restrict the processing of his or her personal data when one or more of the grounds in article 18 sub (1) applies (right to the restriction of processing);
- At the request of the data subject, and if the processing is based on consent or on a contract, you send the personal data you hold on him/her to the data subject (or to another controller of the data subject’s choice) in a structured, machine-readable form (right to data portability);
- At the request of the data subject, you stop using his/her personal data for profiling and direct marketing.
5. You have an awareness campaign.
You are aware that in data security the human factor is often the weakest link. Employees need to be trained to understand the value of data. You have a privacy awareness program in place to train and retrain employees. You make sure that everyone in your organization knows the procedures for safeguarding data, and that they also know the methods attackers use to break in, whether to show that they can or because your data is valuable to them too.
6. You are demonstrating compliance.
You, as a controller, are aware of the obligation to be able to demonstrate your organization’s compliance with the GDPR at all times. You keep proper records for each data subject and each data set, showing:
- The lawful ground for processing;
- If that lawful ground is ‘consent’, proof of the consent given and details of the processing operation for which consent was given. You also record whether consent has been withdrawn (and on which date);
- Where the processing is likely to result in a high risk to data subjects, the results of a data protection impact assessment (DPIA) and the reasoning behind the mitigating measures you have taken (or chosen not to take).
GDPR Checklist at the ready! Are you prepared?
If you’ve been able to tick all of the boxes on the GDPR checklist, you are finished with your preparations to comply with the GDPR. And if not, you now know what you have to do!
This article has been written by guest author Leo Besemer.