What is a GDPR Compliance Checklist?

The General Data Protection Regulation (GDPR) will be introduced into EU Privacy law on 25 May 2018. GDPR affects not just companies in the EU but also a wide range of other companies around the world that work with or sell to EU companies. The changes being introduced by GDPR affect a wide array of functions within many organizations. Here's a GDPR compliance checklist that'll help you be prepared.

For every subsection of this GDPR checklist, we'll dive into the articles of the GDPR guidelines that it covers and a list of things you should take care of as part of the process.

The GDPR Compliance Checklist:

1) Governance

One of the first things that we need to dive into as part of this GDPR checklist is to ensure that as an organization you place data governance at the center of anything you do. Compliance has to be a serious focus for companies. Internally within the organization, it is important to create and increase awareness of data privacy issues and create a mindset where every employee feels responsible. The key thing here is to be proactive rather than reactive.


Record keeping: Maintain records of the controller and of the Data Protection Officer (if applicable). Maintain the categories of data held and logs of transfers. Wherever possible, add descriptions of the measures taken to ensure security. (Article 30)

Data Protection Officer (DPO): Establish whether the company is required to have a DPO. If it is not, you may appoint a voluntary DPO. The DPO's contact details must be notified to the regulatory authority and published to the public. (Article 37)

Employee training: Employees who handle the personal data of either customers or other employees must be trained to handle it according to GDPR principles. (Article 5)

Policies and procedures: There is no fixed set of policies and procedures to adopt; choose what is applicable to your business. Some of the items commonly on the list are:
  • General Data Protection Policy
  • Data Subject Access Rights Procedure
  • Data Retention Policy
  • Data Breach Escalation and Checklist
  • Employee Privacy Policy and Notice
  • Processing Customer Data Policy
  • Guidance on Privacy Notices
(Article 5)

2) Privacy Notices

Privacy notices play a crucial role in meeting GDPR requirements by highlighting the transparency that is required. They should be clear, concise, and informative to ensure that employees and customers are aware of all data processing activities. Adhering to the guidelines outlined in Articles 14 and 15 of GDPR is essential for all organizations, especially those that operate online websites.

Issue notices at the right time: Notices must be given at the time the data is obtained from the data subject or, if the data was received from a third party, within a reasonable period after obtaining it and at the latest within one month. (Articles 12-14)

Be complete and concise: Notices must be complete and provide all the required information, such as the identity of the controller, the purpose of processing, its duration, consent, the right to withdraw consent, etc. (Articles 12-14)

Easy to understand: The format of the notice should be easy to read, handle and understand. (Articles 12-14)

3) Fair Processing

The Fair Processing category means that, in order to lawfully process personal data, the conditions for processing must be met. The rules are largely similar to the processing rules of the current Data Privacy Directive, with a few new requirements added.

Establish a legal basis for processing all the personal data that you hold: As a business, you need to be able to provide evidence that you have a legal basis to hold and process the personal data in your possession. Consent from the data subject, the legal obligation of the controller, and special care where the data is that of a child are necessary considerations. (Articles 5, 6, 7, 9, 10, 85 to 91)

Profiling: A few questions to answer here:
(a) Does your company carry out profiling on employees or customers?
(b) If so, does this profiling result in a decision about the individual that would have a significant legal or similar effect on that individual, e.g. refusal of credit or refusal of an interview?
(c) If the answer to (b) is yes, does your company have the consent of the individuals to this profiling?
(Articles 5, 6, 7, 9, 10, 85 to 91)

Children: If your business processes the personal data of children, consider the language used in privacy notices and plan how to obtain valid consent from parents or guardians. (Articles 5, 6, 7, 9, 10, 85 to 91)

4) Data Subject Rights

Existing data subject rights already allow individuals to request access to their data, have it rectified, or have it deleted. GDPR goes further: beyond the right of access, data must also be provided in a machine-readable format, a right known as data portability.

Data subject access right: Are your employees and customers able to obtain access to the personal data your company processes about them? Do you have employees trained to respond to such requests within the stipulated timeframe of one month? (Article 15)

Processes to allow subjects to exercise their rights: Establish whether your company has the technology and processes in place to allow data subjects to exercise their other rights: the right to erasure, data portability, restriction of processing, and the right to object. (Articles 16-21)


5) Privacy by Design and Default

One of the major objectives of GDPR is to bring privacy consideration to the forefront of every organization. The GDPR requires data protection requirements to be considered when new technologies are designed or on-boarded or new projects using data are being considered. You should ensure that you perform an assessment to understand the impact on privacy as you onboard new projects.

Privacy by design: The controller shall, both at the time of determining the means of processing and at the time of the processing itself, implement appropriate technical and organizational measures in an effective manner. The controller is responsible for integrating the necessary safeguards into the processing in order to meet the requirements of the regulation and protect the rights of data subjects. (Article 25)

Privacy by default: The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. (Article 25)

6) International Data Export

Under the International Data Export rule of the GDPR, companies are permitted to export data within their group and third-party vendors outside the European Economic Area (EEA) if the country in which the recipient of such data is established offers an adequate level of protection.

Group companies or third-party vendors: If you use group companies or third-party vendors to process data, there must be a written contract with each one of them confirming that they meet the expectations set out in Article 28. (Article 28)

Transferring data out of the EEA: If you export data outside the EEA, you need to follow an approved transfer mechanism, which includes one of the following:
(a) The recipient country has a finding of adequacy from the European Commission.
(b) If the transfer is within the company group, binding corporate rules are in place.
(c) Standard contractual clauses as approved by the European Commission are used.
(d) If the transfer is to the US, it is made on the basis of the Privacy Shield.
(e) The data subject has given consent.
(f) The transfer is necessary to carry out a contract with the data subject.
(g) The transfer is in the public interest.
(h) The transfer is necessary to establish, exercise, or defend legal rights.
(i) The transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent.
(Articles 44-49)

7) Security

Appropriate security measures for personal data: Security has to be appropriate to the likely risks to individuals if data were lost, stolen, or disclosed to unauthorized people. Note that security covers both organizational and technical measures. Some factors to consider are:
• Pseudonymisation
• Encryption
• Ensuring ongoing integrity, confidentiality, availability, and resiliency
• The ability to restore in a timely manner
• Processes for testing security
(Article 32)

8) Data Breach Procedures

The GDPR compliance checklist also includes a data breach notification rule. It requires organizations to act quickly, mitigate losses and, where the mandatory notification thresholds are met, notify regulators and affected data subjects.

Mandatory notification: Do you have the necessary procedures in place to report a breach within 72 hours of becoming aware of it? The breach has to be investigated, details provided to the regulator, and mitigations taken to address it. (Article 33)

Notification to affected individuals: If the breach is likely to result in a high risk to the rights and freedoms of individuals, the company will need to notify the individuals affected. Individuals do not need to be notified only where the data was encrypted or otherwise rendered unintelligible. (Article 34)

4 Major Aspects of GDPR

For a developer building apps under the jurisdiction of the EU, it becomes necessary to understand how and where the requirements of GDPR are applicable. Moreover, a developer should also be aware of the functionalities and features to be introduced into the existing systems to ensure GDPR compliance. The 4 major aspects of GDPR are as follows:

1. Flow of Data

Data flow describes how data moves through the organization. GDPR requires businesses to keep a thorough record of where and how data is collected from users, how it is processed within the organization, and who can access it and from where.

2. Consent from Users

GDPR requires developers to introduce some features in their applications that explicitly ask the users for their permission in order to collect and process their sensitive information. The organizations are also required to let the users know the amount of information that has been collected from them and also the manner in which the information is used.

3. Right to Access Information

GDPR focuses on empowering users to protect their own privacy. The users of any mobile app can ask for any information related to the data generated by them, and the app owners are obliged to grant access to that data within 30 days of the request. Developers must plan in advance how they will report such data to users.

4. Right to Ask for Data Deletion

In the 2018 version of the GDPR, users have been granted the right to ask app developers to delete any personally identifiable information or data about them. Such a demand can be challenging for app developers: e-commerce apps and similar businesses generally need user data for auditing purposes, so a deletion request can become tricky for them. Nevertheless, in order to comply with GDPR, they are required to honour it or find another lawful way to meet it.
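As an added illustration, not code from the original post, here is a small Python sketch of how a developer could back the access, portability and deletion requirements above while still keeping audit records: access returns every record about the subject as machine-readable JSON, and erasure removes the profile but pseudonymises (rather than deletes) the order rows an auditor needs. The sample store, the pseudonym secret and the 30-day deadline helper are constructed assumptions for this example.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

ACCESS_REQUEST_DAYS = 30  # response window stated on this page
# Assumption: secret kept outside the data store, so audit rows alone cannot be re-identified
PSEUDONYM_KEY = b"replace-with-a-managed-secret"

def sample_store():
    """Constructed sample data: profile table plus order records kept for auditing."""
    return {
        "users": {"u42": {"name": "Alice Example", "email": "alice@example.com"}},
        "orders": [
            {"order_id": "o1", "user_id": "u42", "email": "alice@example.com", "total": 19.99},
            {"order_id": "o2", "user_id": "u7", "email": "bob@example.com", "total": 5.00},
        ],
    }

def response_deadline(received_iso):
    """Latest date (ISO string) by which a request received on that day must be answered."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=ACCESS_REQUEST_DAYS)).isoformat()

def export_user_data(store, user_id):
    """Right of access / portability: every record about the subject, as JSON."""
    profile = store["users"].get(user_id)
    if profile is None:
        raise KeyError(f"unknown data subject: {user_id}")
    orders = [o for o in store["orders"] if o["user_id"] == user_id]
    return json.dumps({"user_id": user_id, "profile": profile, "orders": orders}, indent=2, sort_keys=True)

def pseudonym(user_id):
    """Keyed, one-way token that replaces the identifier in retained audit rows."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def erase_user(store, user_id):
    """Right to erasure: drop the profile, pseudonymise audit rows; returns rows rewritten."""
    if user_id not in store["users"]:
        raise KeyError(f"unknown data subject: {user_id}")
    del store["users"][user_id]
    token = pseudonym(user_id)
    rewritten = 0
    for row in store["orders"]:
        if row["user_id"] == user_id:
            row["user_id"] = token  # totals stay for auditing; the person does not
            row["email"] = None
            rewritten += 1
    return rewritten
```

Whether pseudonymised audit rows satisfy a given erasure request is a legal judgement for each business; the code only shows the mechanism.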

Conclusion

GDPR is one of the most prominent regulations when it comes to the privacy of users and information security. The rules of GDPR compliance have been formulated keeping in mind the interests of both businesses and users, but most importantly the interests of security in the age of modern digital technology. It must be a priority to understand the gravity of data security and put measures in place.

With GDPR compliance, you not only get to showcase the value you give to user privacy but also add great value to your overall business. This regulation has all the required capabilities to boost the confidence of your customers in your product and give a boost to your business.

Published on Jan 12, 2018
Written by Harshit Agarwal
Harshit Agarwal is the co-founder and CEO of Appknox, a mobile security suite that helps enterprises automate mobile security. Over the last decade, Harshit has worked with 500+ businesses ranging from top financial institutions to Fortune 100 companies, helping them enhance their security measures.
Beyond the tech world, Harshit loves adventure. When he's not busy making sure the digital realm is safe, he's out trekking and exploring new destinations.
