GDPR Compliance Checklist

DIY GDPR Compliance Checklist

Being the most stringent privacy regulation in the world is no small feat, but GDPR lives up to the title. With over a hundred articles and several clauses defining each aspect of an ideal GDPR-compliant entity, GDPR is challenging to adhere to.

To ease the process, here is a checklist of tasks you must complete to meet the GDPR compliance benchmarks. Treat each one as a milestone on the way to GDPR compliance.

Why should you be GDPR compliant?

GDPR is European Union (EU) legislation that prohibits doing business with any EU resident, permanent or temporary, unless its rules and regulations are followed. It is especially relevant for cloud-hosted companies that acquire, process, or share EU residents' data with third-party vendors.

Violations result in severe financial penalties and may lead to lawsuits or to the website or app being blocked in EU countries. Violating the GDPR incurs heavy penalties of between €10 million and €20 million, or 4% of your cloud-hosted company's annual global turnover.

DIY GDPR Checklist

You could become GDPR compliant by yourself, through an agency, or with a consultant. Either way, you will need a checklist you can use to confirm your compliance with each of the GDPR benchmarks.

Raise Awareness

GDPR compliance is an organization-wide exercise; it is not limited to the C-level executives and the DPO.

Awareness of the effort to become GDPR compliant must be spread throughout the organization. Every resource in the organization must be put to use, and the entire team should work collaboratively.

Compartmentalization is essential to preventing any form of data breach, but at the same time awareness of data security and protection must be raised within the organization. It is another way to close off potential vulnerabilities.

  • Identify the areas that could cause non-compliance with GDPR, including those in your risk register.

  • Physically secure office devices and equipment against any risk of theft.

  • Compartmentalize data and grant clearance to access a given data set only to the employees for whom it is absolutely necessary. Restrict access as much as you can without hurting the company's margins.

  • Make sure that third-party entities are also GDPR compliant.

Maintain a record of the data processing flow

Your organization must keep clear records of its processing of user data: how the user data is handled, where it is stored, and for how long. All of these questions must be understood and answered for your cloud-hosted company. The following information about your organization must be documented.

  • Departments in your organization.

  • Types of personal data you process.

  • Data processing procedures.

  • Employees with clearance to process data.

Compile this information consistently and update it routinely.

Review Current Privacy Notices

The consent request and privacy notice you give out must be written in clear, concise, and unambiguous language. GDPR mandates that organizations go the extra mile in providing data subjects with relevant information about data acquisition, processing, and sharing. Here are some of the questions GDPR requires you to answer.

  • Why do you need personal data?

  • How are you gathering the personal data?

  • How long will the personal data stay in the system?

  • What does the organization intend to do with the personal data?

  • What are the rights of the users?

  • How can users withdraw their consent later if they want to?

The same should be done for the cookie consent request and cookie policy. Under GDPR, the following information must be included in the cookie consent banner.

  • Why you need to store cookies.

  • Which cookies the website wants to use.

  • How users can decline the cookie consent request.

Accountability and Administration

Bring the stakeholders under one roof to address and assign tasks. Appoint one person to look after the GDPR compliance criteria across the organization. Put an agreement in place between your organization and any third-party vendors to ensure that data processing and sharing stay within the GDPR guidelines. Also appoint a data protection officer (DPO). A DPO must be appointed under the following conditions.

  • The organization is a public authority.

  • The organization's core activities involve collecting, processing, and sharing user data in a way that requires regular monitoring.

  • The user data in question is personal and sensitive information, including names, photos, email addresses, banking details, social media posts or profiles, medical history, or IP addresses.

Organizations will also need to appoint a representative in the EU. This representative will deal with the GDPR enforcement authorities on behalf of your organization.

Privacy Rights

Websites should have their own privacy policy, easily and freely accessible to anyone visiting the website. It should be drafted and passed in accordance with the GDPR mandates: clear, concise, and unambiguous, addressing people's legal rights, what information you will need from them, and how you will use it.

In a nutshell, it should tell data subjects why the data is being requested, how it will be acquired, how long you will keep it, who it is shared with, and how they can withdraw their consent at any time.

  • Users can find out what information your organization holds about them.

  • Users can change the personal and sensitive information they provide you whenever they want.

  • They can request deletion of their personal and sensitive data whenever they want.

  • They should be able to ask you to halt data processing, acquiring, or sharing whenever they want.

  • They can receive a copy of the data they shared with you and the data variables corresponding to it.

  • Users should also be able to object to any data-related activity your organization plans to do.

  • Users can withdraw their consent whenever they like, and in the case of automated consent, there should be a clear framework setting out their rights and freedoms.

Ensuring Transparency

Data abstraction is necessary to gain an edge over your competitors, but it is equally essential not to compromise on ethics.

  • Conduct an internal audit to track the data flow within your organization and rate each area according to its vulnerability. Have a legal justification for the data acquisition, processing, and sharing you require.

  • Data mapping is essential to ensuring swift GDPR compliance. The following areas are often vulnerable and require attention during data mapping.

  • Source of data: The data you collected when a visitor to your website or app joined a list, filled in a form, or accepted a cookie consent request. Does any of it come from an external third party?

  • Personal data: Personal data includes physical addresses, email addresses, IP addresses, health information, criminal records, phone numbers, place of work, and so on. What are you collecting? Do you have consent?

  • Justification: This should be the most straightforward step in data mapping. Why do you want or hold this information? Why is it needed?

  • Data storage: Cloud-based companies beware: storage can be physical, like printed documents; local, on a computer owned by your organization; or remote, like the cloud. Who can access this data, both within and outside your company? What measures do you implement to protect it?

  • Right to erasure: Under GDPR, individuals have the right to withdraw their consent and have their personal data deleted from the company database. How will you handle these requests, and how long will they take to complete?

Procedure for Breach Notification

In the event of a data breach, the organization has to inform all its users about the breach and the data affected within 72 hours of discovery. Suitable channels for this purpose include email, phone, and public announcements.

There should therefore be measures in place, supported by data mapping, to quickly generate a report on the privacy breach and to send the notification within that time period.

Become GDPR compliant in a few steps with Scrut

GDPR compliance may seem daunting at first, but we at Scrut Automations are experts at it. We take over the compliance responsibilities and make you GDPR compliant steadfastly.

Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, and privacy laws like HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.
