GDPR Compliance checklist
Are you ready for GDPR?
The European Parliament adopted the General Data Protection Regulation (GDPR) in April 2016, replacing the 1995 Data Protection Directive. It requires organisations to protect the personal data and privacy of individuals in the EU (not only EU citizens) whenever that data is processed in connection with EU activities, and it also regulates transfers of personal data outside the EU.
From May 25th 2018, every organisation that processes the personal data of people in the EU, whether or not it is established in the EU, must comply with the GDPR or face sanctions. These range from a written warning of non-compliance up to fines of €20 million or 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
To help you get prepared, here's a quick checklist to survive this new regulation:
GDPR Compliance checklist
1) Awareness and communication
Develop an information security policy so that all employees understand the GDPR, and explain to internal services and staff why you collect each category of data.
Build a culture of privacy within the company so that data protection by design and by default is applied to every new product and process. Keep and maintain an inventory of all personal (and especially sensitive) data you store and process, and identify who is responsible for each data set. Personal data may leave the EU only under a recognised transfer mechanism (an adequacy decision, standard contractual clauses or binding corporate rules), even when it is processed as part of a global product or service; the GDPR does not by itself require data to stay on servers physically located in the EU.
Review your current privacy and security procedures and rework the wording so that they are compliant.
In particular, existing procedures must include specific provisions for each obligation the GDPR imposes (lawful basis, data subject rights, retention, breach handling, transfers), or be fully rewritten to comply.
Develop an IT strategy that implements data protection, backups and a recovery plan, so that business continuity is guaranteed in the event of a data breach.
Ensure you have a lawful basis for every processing activity: where you rely on consent, it must be freely given, specific, informed and unambiguous; work with legal counsel to confirm that data is gathered fairly and in line with GDPR requirements.
Implement procedures to handle emergencies and data breaches, so that you can notify the supervisory authority within 72 hours of becoming aware of a breach, and inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
Carry out a data protection impact assessment (DPIA) for high-risk processing, together with a threat modelling and risk mitigation programme, to minimise the likelihood and impact of a data breach.
Appoint a Data Protection Officer (DPO) where the GDPR requires one: public authorities, organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data. Even where it is not mandatory, make sure someone is clearly responsible for data protection, and find the right person for the job.