GDPR Compliance Checklist

This post is a compliance checklist and summarisation of the General Data Protection Regulation (GDPR).

I am not going to attempt to explain the ins and outs of what the GDPR is, I´m going straight for the facts and best practices you need to put in place to lessen the chances of incurring a business crippling fine. For more detailed information about the GDPR check out our page here.

This post is comprised of a series of questions, only you can know the answers, but if you don’t know the answer OIC Solutions can help.

• Do you want to avoid a potential fine of up to €10,000,000 or 5% of annual turnover?

• Do you want to avoid potential fine of up to €20,000,000 or 4% of annual turnover?

• Are you aware that with regards to GRPR compliance issues, you are presumed Guilty until proven Innocent?

• Did you know that GDPR compliance includes hard copy data as well as digitally stored data?

• Have you got the Board on board?
  • GDPR compliance starts from the top down of an organisation.

• Do you know what the term “pseudonymisation” means?

• Have you implemented the pseudonymisation of data?
  • Pseudonymisation means that you have anonymised data and data from more than one source is required to establish who the data relates to.

• Have you defined what “personal data” is within the context of your organisation?

• Have you searched for data, removed what is not required, anonymised and restricted access to what is left?

• Are you aware that a data breach is not just a “malicious hack” but would also include losing a laptop or USB or a train for example?

• Have you prepared for a data breach?

• Do you have formalised IT Security Policy´s in place? Shameless plug time!! OIC Solutions can create all the required IT Security policy´s for your organisation. You can contact us here.

• Do you have an “Incident Response” policy and plan in place?
  • Second and last shameless plug I promise. OIC Solutions includes a Incident Response policy as part of their policy creation service. You can contact us here.

• Have you aligned information security with a framework such as the ISO 27001?

• Is all customer related data retained in the EU?
  • Even if Brexit does finally happen, you will still need to be able to demonstrate GDPR Compliance because GDPR Is about EU Citizens data, not company locations.

• Do you have an audit trail demonstrating permission to contact customers / clients?

• Do you have a process to remove contacts from databases if they request removal?

• Do you have a named Data Protection Office (DPO) in you organisation?
  • • Public authorities that carry out large scale systematic monitoring or process special categories of data relating to criminal conviction / offences require a named DPO.
    • If you have > 5000 customers a named DPO is also required.
  • • If you are a Small or Medium Enterprise (SME) then you do not need a specific DPO.

• Have you implemented a data classification scheme and taken measures to secure and monitor access to data based on the assigned data classification?
  • A basic data classification could be defined as
    • Private – Only available for Internal staff, no outside distribution permitted.
    • Public – No restrictions and publicly distributable.
  • • Confidential – Only select internal staff may view.

• Have you implemented an Audit Trail of data access?
  • Log access (who? What? And Why?)
  • Log activity (view, edit, update, delete?)
  • Proof of deletion?

• Do you encrypt data? Can you demonstrate that data is encrypted?
  • Regardless of other process, implementing Encryption is your best defence against potential fines.
  • If you can demonstrate that data is encrypted – fines would be much lower. You would not need to notify affected data subjects of the breach. You would still need to notify regulator.

• Have you encrypted?:
  • Data at rest (Databases).
  • Logs.
  • Media files.
  • Backups.

• If you can answer these, you have start of the Data Protection (DP) policy.
  • How does data flow into your company?
  • How do end users make use of this data?
  • Where necessary, how does data flow out of your company?
• Have you implemented a privacy data management process in your organisation that covers the following requests?
  • Consent to contact.
  • Deletion of records (right to be forgotten).
  • Show individuals what data you hold about them.

Links to online resources

• The New EU Data Protection Regulation
  • https://youtu.be/TBh5hPynRzQ

• GDPR: Killing cloud quickly?
  • https://iapp.org/news/a/gdpr-killing-cloud-quickly/

• The GDPR’s impact on the cloud services provider
  • http://privacylawblog.fieldfisher.com/2016/the-gdprs-impact-on-the-cloud-services-provider/

• The GDPR’s impact on the cloud service provider as a processor
  • http://www.fieldfisher.com/media/3993765/the-gdprs-impact-on-the-cloud-service-provider-as-a-processor-mark-webber-privacy-data-protection.pdf

• The new EU General Data Protection Regulation in Under 60 Minutes!
  • https://youtu.be/NxgZ57BTkFQ

• General Data Protection Regulation Masterclass
  • https://youtu.be/1PkcBf9-iMY

• Bytes Webinar – GDPR Compliance The 12 Steps the ICO Recommend
  • https://youtu.be/uPQkMo0jZ6k

• Webinar: GDPR – how it applies to cloud, and what to do about it
  • https://youtu.be/1XwUwUnCeuA

• Charting the Course to GDPR: Setting Sail
  • https://youtu.be/fgDfyd__zIg

• Data flow mapping for EU GDPR compliance
  • https://youtu.be/EZFgrmzmPYE

• EU GDPR Webinar: The IT Manager’s guide to GDPR – Getting your department up to speed and ready
  • https://youtu.be/9hh5EDUWPGo

• Preparing for GDPR
  • https://www.clearswift.com/sites/default/files/documents/technical-guides/clearswift_gdpr_faq_v3.pdf

• Preparing for the EU General Data Protection Regulation (GDPR)
  • https://www.clearswift.com/sites/default/files/Clearswift_GDPR_WP.pdf

• EU General Data Protection Regulation (GDPR) Need to Knows
  • https://youtu.be/67i_Uw8UeUE
• AWS Whitepaper
  • https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Protection_Whitepaper_EN.pdf