How to Survive the GDPR: Extremely Practical Compliance Checklist
In our previous article devoted to the GDPR we took a step back and talked about the regulation in general: we discussed who is affected by it and how much an infringement costs.
We promised to tell you how to keep doing your business without getting slapped with sanctions. We always fulfill our promises. Follow the extremely practical compliance checklist prepared by our experts!
For convenience the checklist is divided into 5 parts:
- Data analysis
- Data management
- Public documentation
- Data security
1. Data Analysis
1.1. Establish where you store the client data.
- Google Sheets.
- Financial reports.
1.2. Understand how the client data is organized.
Use Google Sheets or any other instrument to sort it out according to the category. Mention all the places where you store the data.
1.3. Check if there is any personal data in your data collection.
- Telephone number.
- User ID.
- Other information that relates to an identified or identifiable person.
1.4. Define the purposes of personal data collection.
- Email marketing.
- Targeted advertising.
- Service improvement.
1.5. Minimize the data collection for each purpose.
- Check if you collect any irrelevant or excessive data for specific purposes.
- Delete excessive data.
- Revise your forms of subscription and registration and make sure that in the future you will collect and retain only the minimum amount of information.
1.6. Identify the personal data sources.
- Google Analytics.
- Contact form.
- Mobile app.
1.7. Select the lawful basis for each purpose of personal data processing.
- Data is processed to fulfill contractual obligations with the client.
- Data is processed to ensure the vital interests of the person.
- Data is processed in the public interest.
- Data is processed to comply with legal obligations.
- Data is processed in the legitimate interests of the company.
- Data is processed with the consent of the user.
1.8. Check whether you collect any personal data without a lawful basis.
- If you do – hire lawyers and bring your data processing into compliance.
- If you do but it is impossible to find a lawful basis – delete the data and think through how your business processes can be modified to avoid collecting excessive data in the future.
1.9. Set retention periods for personal data collected.
- Retention period for financial reports: X years.
- Retention period for commercial activity: Y years.
1.10. Delete all the data with an expired retention period.
1.11. Prepare an internal instruction on timely data deletion.
- Set up an automatic deletion or anonymization of data with an expired retention period.
- Appoint an employee who is responsible for ensuring that data with an expired retention period is deleted or anonymized.
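Items 1.9 to 1.11 describe a retention sweep: each category of personal data has a period, and expired records are either deleted or anonymized on a schedule. The following Python is an added illustration, not code from the article; the categories, retention periods and records are constructed. One check it adds that the checklist implies: a record whose category has no retention period is reported rather than silently kept.

```python
"""Retention sweep: delete or anonymize records whose retention period
has expired (checklist items 1.9-1.11). Added illustration; the
categories, periods and records are constructed, not the article's."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List

# Retention policy per data category (constructed periods).
# "delete" removes the record; "anonymize" keeps it for statistics
# with the identifying fields stripped.
RETENTION_POLICY = {
    "financial_report": {"days": 7 * 365, "action": "delete"},
    "commercial_activity": {"days": 3 * 365, "action": "anonymize"},
    "marketing_contact": {"days": 365, "action": "delete"},
}
IDENTIFYING_FIELDS = {"name", "email", "phone", "user_id"}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created_at: datetime
    fields: dict


def anonymize(record: Record) -> Record:
    """Null out identifying fields; leave non-personal fields intact."""
    scrubbed = {k: (None if k in IDENTIFYING_FIELDS else v)
                for k, v in record.fields.items()}
    return replace(record, fields=scrubbed)


def plan_sweep(records: List[Record], now: datetime):
    """Sort records into keep / anonymize / delete by expiry.
    Records in a category with no retention period are kept but
    reported: a missing period is a gap in item 1.9, not a licence
    to keep the data indefinitely."""
    kept, anonymized, deleted, unclassified = [], [], [], []
    for rec in records:
        policy = RETENTION_POLICY.get(rec.category)
        if policy is None:
            unclassified.append(rec.record_id)
            kept.append(rec)
            continue
        expires_at = rec.created_at + timedelta(days=policy["days"])
        if now < expires_at:
            kept.append(rec)
        elif policy["action"] == "anonymize":
            anonymized.append(anonymize(rec))
        else:
            deleted.append(rec.record_id)
    return kept, anonymized, deleted, unclassified


def run_demo():
    """Run the sweep over five constructed records at a fixed 'now'."""
    utc = timezone.utc
    now = datetime(2024, 6, 1, tzinfo=utc)
    records = [
        Record("r1", "financial_report", datetime(2015, 1, 1, tzinfo=utc),
               {"name": "A", "amount": 10}),
        Record("r2", "financial_report", datetime(2023, 1, 1, tzinfo=utc),
               {"name": "B", "amount": 20}),
        Record("r3", "commercial_activity", datetime(2020, 1, 1, tzinfo=utc),
               {"email": "c@example.com", "order_total": 42}),
        Record("r4", "marketing_contact", datetime(2024, 1, 1, tzinfo=utc),
               {"email": "d@example.com"}),
        Record("r5", "support_ticket", datetime(2010, 1, 1, tzinfo=utc),
               {"user_id": "u5", "text": "constructed ticket"}),
    ]
    kept, anonymized, deleted, unclassified = plan_sweep(records, now)
    return {
        "kept": [r.record_id for r in kept],
        "anonymized": [(r.record_id, r.fields) for r in anonymized],
        "deleted": deleted,
        "unclassified": unclassified,
    }


if __name__ == "__main__":
    print(run_demo())
```

In the demo, the 2015 financial report and the 2020 commercial record have expired (deleted and anonymized respectively), the 2023 and 2024 records are kept, and the support ticket with no policy is flagged for the person appointed under item 1.11 to classify.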
- Indicate all the purposes for which cookies are used.
2.3. Add links to the documents to the checkbox.
- Terms of Service.
2.4. Obtain separate consent for each specific purpose of data processing.
- I agree to receive news via SMS.
- I agree to receive information about discounts and special offers via email.
2.5. Obtain new consent for a purpose that was modified.
- Check that this process is formalized and there is an operational procedure.
2.6. Check that there are no pre-ticked boxes or any other type of default consent.
2.7. Specify that the user has the right to withdraw consent for the data processing at any time.
- Explain how to do it and add a link to the withdrawal consent form.
2.8. Document all the cases when consent was given or withdrawn.
- Who consented and when: create a dated document with a name or any other identifier of the user who consented.
- What terms of consent were at the time: specify in the document the exact wording of the consent request used. Add the copies of documents that were valid at the time.
3. Data Management
3.1. Add to a user profile the option “Delete account”.
- Make sure that personal data is deleted completely without soft deletes.
3.2. Add to a user profile the option “Change or withdraw consent for the data processing”.
- Make sure that users can permit, restrict and prohibit the processing of their personal data in relation to any specific purpose.
- Make sure that when this option is activated the data processing for the user-selected purpose stops immediately.
- Make sure that user data is deleted permanently if it is not used for other purposes approved by the user.
3.3. Add to a user profile the option “Export personal data”.
- Make sure that activation of the “Export personal data” option really exports all available personal data of a user.
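Items 2.4 to 2.8 and 3.1 to 3.3 together describe one mechanism: a per-purpose consent ledger that records the exact wording and date of every grant or withdrawal, treats an untouched checkbox as no consent, stops processing as soon as consent is withdrawn, and backs the profile options for export and hard deletion. The Python below is an added illustration of that design, not code from the article or any product; the purposes, consent wording, user and profile values are constructed.

```python
"""Per-purpose consent ledger with a dated audit trail, plus the account
options built on it (withdraw consent, export, delete). Added
illustration for checklist items 2.4-2.8 and 3.1-3.3; purposes, wording
and users are constructed, not the article's or any product's code."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Exact wording shown next to each checkbox (constructed). The ledger
# stores the text in force at the time, so a later rewording does not
# change the record of what a user actually agreed to (item 2.8).
CONSENT_TEXT = {
    "sms_news": "I agree to receive news via SMS.",
    "email_offers": "I agree to receive information about discounts and special offers via email.",
}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    given: bool        # True = consent granted, False = withdrawn
    at: datetime
    wording: str       # request text at the time; empty for a withdrawal


class ConsentLedger:
    def __init__(self):
        self._events: List[ConsentEvent] = []

    def grant(self, user_id, purpose, checkbox_ticked, at):
        """Record consent only for an explicitly ticked box; a box left in
        its default state is not consent (item 2.6)."""
        if purpose not in CONSENT_TEXT:
            raise ValueError(f"unknown purpose: {purpose}")
        if not checkbox_ticked:
            return False
        self._events.append(ConsentEvent(user_id, purpose, True, at, CONSENT_TEXT[purpose]))
        return True

    def withdraw(self, user_id, purpose, at):
        self._events.append(ConsentEvent(user_id, purpose, False, at, ""))

    def allowed(self, user_id, purpose):
        """Latest event for the purpose wins; no event means no consent, so
        processing for a withdrawn purpose stops immediately (item 3.2)."""
        state = False
        for e in self._events:
            if e.user_id == user_id and e.purpose == purpose:
                state = e.given
        return state

    def history(self, user_id):
        return [e for e in self._events if e.user_id == user_id]

    def forget(self, user_id):
        self._events = [e for e in self._events if e.user_id != user_id]


class Accounts:
    def __init__(self, ledger: ConsentLedger):
        self.ledger = ledger
        self.profiles: Dict[str, dict] = {}

    def export_personal_data(self, user_id):
        """Item 3.3: everything held about the user, profile and consents."""
        return {
            "profile": dict(self.profiles[user_id]),
            "consents": [asdict(e) for e in self.ledger.history(user_id)],
        }

    def delete_account(self, user_id):
        """Item 3.1: a hard delete, not a 'deleted' flag on a retained row."""
        del self.profiles[user_id]
        self.ledger.forget(user_id)

    def has_any_data(self, user_id):
        return user_id in self.profiles or bool(self.ledger.history(user_id))


def run_demo():
    """Walk one constructed user through sign-up, withdrawal, export, deletion."""
    t0 = datetime(2024, 5, 25, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    acct = Accounts(ledger)
    acct.profiles["u42"] = {"name": "Example User", "phone": "+000000000"}
    # Sign-up form: the user ticked SMS news and left the email box untouched.
    sms_ok = ledger.grant("u42", "sms_news", True, t0)
    email_ok = ledger.grant("u42", "email_offers", False, t0)
    # A week later the user withdraws SMS consent from the profile page.
    ledger.withdraw("u42", "sms_news", t0 + timedelta(days=7))
    sms_allowed_now = ledger.allowed("u42", "sms_news")
    export = acct.export_personal_data("u42")
    acct.delete_account("u42")
    return {
        "sms_granted": sms_ok,
        "email_granted": email_ok,
        "sms_allowed_now": sms_allowed_now,
        "export_consent_count": len(export["consents"]),
        "export_first_wording": export["consents"][0]["wording"],
        "trace_remains": acct.has_any_data("u42"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Any code path that sends a message for a purpose should call `allowed()` at send time rather than caching the answer, since that is what makes a withdrawal take effect at once. The export contains the wording snapshot with each event, which is what item 2.8 asks to be able to produce later.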
4. Public Documentation
- Specify the types of personal data which you collect.
- Specify the purposes of data processing.
- Specify how data security is ensured.
- Specify the data retention periods.
- Specify the rights of a user.
- Specify which third-party companies have been granted access to the personal data of the users.
- Specify the types of personal data which you transfer to these companies.
- Specify the terms and conditions of data transfer to these companies.
4.2. Update your Terms of Service.
- Indicate that personal data is collected with the explicit consent of a user.
- Indicate that your website/app is available only to users older than 13-16 years (the minimum age varies from country to country). If you target children, parental consent is required.
- Inform users what cookies are.
- Indicate the types of the cookies used by your website.
- Indicate the purposes of the cookies used.
- Create a checkbox to obtain the separate consent of the user for each specific purpose of the cookies.
5. Data security
5.1. Prepare personal data processing documentation.
- Appoint and document an official representative of the company in the EU.
- Appoint and document a DPO (Data Protection Officer) if your core activity involves personal data processing or monitoring of individuals on a large scale.
- Appoint an individual responsible for the personal data security.
- Identify and document the pseudonymization and encryption methods used.
- Establish procedures for security violation detection and prevention.
- Establish procedures for remediating the consequences of such violations.
- Establish a procedure for notification to the supervisory authorities in case of the data breach.
- Establish a procedure for notification to the users in case of the data breach.
5.2. Identify the weak spots in your current security system.
- Outdated data protection methods.
- Employee error.
- Cyber attack.
- Contractor negligence.
5.3. Remove all the vulnerabilities.
- If you lack the experts or expertise, bring in lawyers and third-party developers who can choose the best legal and technical solutions based on price, time and quality.
The GDPR is an important legal act determining the rules of the game in the digital European market. The GDPR makes serious changes to lean and customary processes and requires the involvement of both technical experts and C-level executives. However, the GDPR is not just another legal complication created to make business harder. Quite the opposite: the GDPR is all about transparency and fairness in relation to partners and users. Compliance with the regulation is the price of reputation.
Keep in mind:
- If you work in the EU, you should be compliant with the GDPR.
- If you target the EU, you should be compliant with the GDPR.
- If you monitor the behavior of users living in the EU, you should be compliant with the GDPR.
- If you need a digital product and you don’t want to worry about whether it complies with the GDPR, work with professionals.