The last minute GDPR checklist
With only a month left getting ready for GDPR is essential. On May 25th the new EU General Data Protection Regulation will get into full effect and from this date on huge fines can be imposed upon those companies that take data protection not seriously. A last check if your GDPR implementation is accurate and secure is therefore a good thing to do for the time left. That is what our checklist is for! You should use it a guideline of what you – at least – look for and – if it you haven’t done so already – implement until the May 25th deadline.
- Check if your businesses regularly or systematically collects personal information of EU subjects on a large scale
What seems kind of a simple question is actually the main reason for being forced to be compliant to the new GDPR regulation. If you do not reside inside the EU and you do not do business with EU companies, than the GDPR has no effect on you. But if you are doing business with European companies than you should comply with the new regulations. If you process personal data of any EU data subjects you are required to follow the security requirements of the GDPR article 30 as well as other points laid down inside the regulation.
- Check where your sensitive data is stored
It is essential to know where sensitive personal data is actually stored in your systems. Without this information you are lost! Because oft he fact that EU individuals can demand that their stored information should be erased for good, you should be 100% that you know every storage position of where that individual data is located, so that you are able to erase that data within a very short time frame.
- Be able to access, erase and chance personal data quickly
Additionally since with GDPR individuals have enhanced rights to access their information, you should be able to have inaccuracies corrected, have information erased, stop direct marketing information delivery and automated data collection with personal information within a short time frame.
- Check if your IT solutions and processes implement “privacy by design”
In article 25 the GDPR introduces the concept of data protection through technology design and privacy-friendly presets. This concept take up the idea that data protection can best be adhered to if it is already technically integrated when a data processing operation is being developed. That means that data protection measures are best integrated within your IT system and with the proper organisational processes before the system goes life for the first time.
If this is not possible because your IT system will run for several years to come, you are forced to implement appropriate technical measures to safeguard the rights and freedoms of data subjects.
In any case when implementing an IT system that gathers, stores or processes personal information you should make a solid assessment of the risks to these rights and freedoms by the chosen solution.
- Have a working data erasure solution within your IT system in place
One of the main aspects of the GDPR regulations is the right of an individual for their own personal data. In business reality this means, that if you do not have a rightful necessity to obtain personal data anymore such as other legal grounds or laws, the former partner, employee or client can demand you to securely erase his data.
As previously said, the exact storage places were this data is located must be known at any given time. That can be achieved by various data management solutions. However once the data is located, it should be securely erased by a professional software solution like the ones from Blancco or Ontrack. One of the main benefits is that they not only offer erasures on a technological high level but can also offer a later proof that the data was successfully erased when needed later on. Therefore it makes perfect sense to integrate one of these erasure solutions in the whole data management life cycle and is IT processes and solutions.
- Implement a data breach response plan
Once a data breach is discovered, under the new regulation the effected company is required to report the data breach to the national data protection agency of his country. Therefore one main purpose of the data breach response plan is to find out the impact oft he breach and whether sensitive data pertaining to EU citizens was compromised. Additionally the plan should contain measures that can be quickly implemented to curb and prevent that more sensitive data vanishes through that breach.
And finally – if you haven´t done so already – you should:
- Appoint a Data Protection Officer
A Data Protection Officer (DPO) is required by GDPR for all organisations, if …
- The organisation that is processing data is a public authority. (Exception: Courts)
- The company or organisation is processing data on a large scale and the processing operations require „by virtue of their nature, their scope and/or their purposes“ regular and systematic monitoring of the data subjects and
- The firm or organisation is processing large amounts of personal and sensitive data such as all data that is revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health conditions etc. as well as data that is related to criminal convictions and offenses.
In short big enterprises are required to have a DPO. The main task of the DPO is to take care that in your company the proper processes for the lawful handling of data under GDPR are in place and working. Additionally he has to permanently monitor both the processes and the current and new incoming data so that the data management is always within the regulations.
Conclusion: With only a little than one month time, you should check if the above points in your company have already been handled. The much tougher fines of GDPR that can reach up to 4 percent of the worldwide turnover require you to check beforehand as many times as you can if you are compliant with these regulations. If you have some of these items stated here still missing, you should hurry up now!
Picture copyright: qimono /pixabay.com