This post is a compliance checklist and summarisation of the General Data Protection Regulation (GDPR).
I am not going to attempt to explain the ins and outs of what the GDPR is; I'm going straight for the facts and best practices you need to put in place to lessen the chances of incurring a business-crippling fine. For more detailed information about the GDPR, check out our page here.
This post is comprised of a series of questions; only you can know the answers, but if you don't know the answer, OIC Solutions can help.
- Do you want to avoid a potential fine of up to €10,000,000 or 5% of annual turnover?
- Do you want to avoid potential fine of up to €20,000,000 or 4% of annual turnover?
- Are you aware that with regard to GDPR compliance issues, you are presumed guilty until proven innocent?
- Did you know that GDPR compliance includes hard copy data as well as digitally stored data?
- Have you got the Board on board?
- GDPR compliance starts at the top of an organisation and works its way down.
- Do you know what the term “pseudonymisation” means?
- Have you implemented the pseudonymisation of data?
- Pseudonymisation means that the data has been de-identified, so that data from more than one source is required to establish who the data relates to.
- Have you defined what “personal data” is within the context of your organisation?
- Have you searched for data, removed what is not required, anonymised and restricted access to what is left?
- Are you aware that a data breach is not just a "malicious hack" but would also include losing a laptop or USB stick on a train, for example?
- Have you prepared for a data breach?
- Do you have formalised IT security policies in place? Shameless plug time!! OIC Solutions can create all the required IT security policies for your organisation. You can contact us here.
- Do you have an “Incident Response” policy and plan in place?
- Second and last shameless plug, I promise. OIC Solutions includes an Incident Response policy as part of its policy creation service. You can contact us here.
- Have you aligned information security with a framework such as ISO 27001?
- Is all customer related data retained in the EU?
- Even if Brexit does finally happen, you will still need to be able to demonstrate GDPR compliance, because GDPR is about EU citizens' data, not company locations.
- Do you have an audit trail demonstrating permission to contact customers / clients?
- Do you have a process to remove contacts from databases if they request removal?
- Do you have a named Data Protection Officer (DPO) in your organisation?
- Public authorities that carry out large scale systematic monitoring or process special categories of data relating to criminal conviction / offences require a named DPO.
- If you have > 5000 customers a named DPO is also required.
- If you are a Small or Medium Enterprise (SME) then you do not need a specific DPO.
- Have you implemented a data classification scheme and taken measures to secure and monitor access to data based on the assigned data classification?
- A basic data classification could be defined as:
- Public – No restrictions and publicly distributable.
- Private – Only available to internal staff; no outside distribution permitted.
- Confidential – Only select internal staff may view.
- Have you implemented an Audit Trail of data access?
- Log access (who, what and why?).
- Log activity (view, edit, update or delete?).
- Proof of deletion?
- Do you encrypt data? Can you demonstrate that data is encrypted?
- Regardless of other processes, implementing encryption is your best defence against potential fines.
- If you can demonstrate that data is encrypted, fines would be much lower. You would not need to notify affected data subjects of the breach; you would still need to notify the regulator.
- Have you encrypted:
- Data at rest (Databases).
- Logs.
- Media files.
- Backups.
- If you can answer these, you have the start of a Data Protection (DP) policy.
- How does data flow into your company?
- How do end users make use of this data?
- Where necessary, how does data flow out of your company?
- Have you implemented a privacy data management process in your organisation that covers the following requests?
- Consent to contact.
- Deletion of records (right to be forgotten).
- Show individuals what data you hold about them.
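The pseudonymisation item above (de-identified data, with a second source needed to re-identify anyone) is easiest to see in code. The following is an added example written for this checklist, not code from OIC Solutions; the customer records are constructed, and the functions `pseudonymise`, `reidentify` and `contains_direct_identifier` are names chosen here. It replaces the direct identifiers with a keyed HMAC token and hands the analytics copy and the lookup table back as two separate outputs that should be stored and access-controlled separately.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com", "city": "Leeds", "spend": 120.50},
    {"id": 1002, "name": "Bob Sample", "email": "bob@example.org", "city": "Leeds", "spend": 80.00},
]

# Fields that identify a person on their own and must not appear in the pseudonymised copy.
DIRECT_IDENTIFIERS = ("id", "name", "email")


def make_token(secret_key: bytes, customer_id: int) -> str:
    """Derive a stable, opaque token from the customer id with HMAC-SHA256.

    Without the key the token cannot be reversed, and it cannot be recomputed
    from a guessed id, so the analytics copy on its own identifies nobody.
    """
    return hmac.new(secret_key, str(customer_id).encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, secret_key: bytes):
    """Return (pseudonymised_records, lookup_table).

    The analytics team receives only the first output; the lookup table stays
    with the data controller.  Both are needed to say who a row is about.
    """
    analytics = []
    lookup = {}
    for rec in records:
        token = make_token(secret_key, rec["id"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        analytics.append(
            {"token": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return analytics, lookup


def reidentify(analytics_row, lookup):
    """Re-identification needs BOTH the analytics row and the separate lookup table."""
    return lookup.get(analytics_row["token"])


def contains_direct_identifier(analytics) -> bool:
    """Release check: does any pseudonymised row still carry a direct identifier?"""
    return any(k in row for row in analytics for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # The key belongs in a secrets manager, never alongside the analytics copy.
    key = secrets.token_bytes(32)
    analytics, lookup = pseudonymise(CUSTOMERS, key)
    print(analytics)
    print(reidentify(analytics[0], lookup))
```

Two points are worth noting: the same id always maps to the same token under one key, so rows from different extracts can still be joined, and rotating or destroying the key (plus the lookup table) is what turns the analytics copy from pseudonymised into effectively anonymised data.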
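The audit-trail items above (log who, what and why; log the activity; keep proof of deletion) can be implemented as an append-only log. The example below is added here and is not OIC Solutions' code; the class `AuditTrail`, its methods and the sample entries are constructed for illustration. It goes one step further than the checklist by hash-chaining the entries, so that an entry edited after the fact breaks the chain and the tampering is detectable.

```python
import hashlib
import json
import time
from dataclasses import asdict, dataclass
from typing import List, Optional

ACTIONS = {"view", "edit", "update", "delete"}


def record_digest(content: str) -> str:
    """SHA-256 of a record's content, kept as the proof that this exact record was deleted."""
    return hashlib.sha256(content.encode()).hexdigest()


@dataclass
class AuditEntry:
    who: str            # authenticated user performing the access
    what: str           # record reference (a pseudonymous token, not the raw identity)
    why: str            # business justification, e.g. a ticket or request reference
    action: str         # one of ACTIONS
    ts: float           # unix timestamp
    record_digest: Optional[str] = None  # only set for deletions
    prev_hash: str = ""                  # hash of the previous entry (chain link)
    entry_hash: str = ""                 # hash of this entry including prev_hash


class AuditTrail:
    def __init__(self):
        self.entries: List[AuditEntry] = []

    @staticmethod
    def _hash_entry(e: AuditEntry) -> str:
        payload = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def record(self, who: str, what: str, why: str, action: str,
               record_content: Optional[str] = None, ts: Optional[float] = None) -> AuditEntry:
        """Append one entry; every access must carry a justification."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if not why.strip():
            raise ValueError("a justification (why) is required")
        digest = None
        if action == "delete":
            if record_content is None:
                raise ValueError("a deletion must be logged with the record content")
            digest = record_digest(record_content)
        prev = self.entries[-1].entry_hash if self.entries else ""
        e = AuditEntry(who, what, why, action, ts if ts is not None else time.time(), digest, prev)
        e.entry_hash = self._hash_entry(e)
        self.entries.append(e)
        return e

    def verify_chain(self) -> bool:
        """True only if no entry was altered, reordered or removed since it was written."""
        prev = ""
        for e in self.entries:
            if e.prev_hash != prev or self._hash_entry(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def proof_of_deletion(self, what: str) -> Optional[str]:
        """Digest of the deleted record, or None if no deletion was logged for it."""
        for e in reversed(self.entries):
            if e.what == what and e.action == "delete":
                return e.record_digest
        return None

    def accesses_by(self, who: str) -> List[AuditEntry]:
        """Everything one user did: the view a regulator or DPO will ask for."""
        return [e for e in self.entries if e.who == who]


if __name__ == "__main__":
    trail = AuditTrail()
    trail.record("dpo@example.com", "tok-1", "subject access request SAR-42", "view")
    trail.record("dpo@example.com", "tok-1", "erasure request ER-7", "delete",
                 record_content='{"email":"alice@example.com"}')
    print(trail.verify_chain(), trail.proof_of_deletion("tok-1"))
```

The digest is deliberately a hash rather than a copy of the record: it proves what was deleted without the log itself becoming another store of the personal data you just erased.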
Links to online resources
- The New EU Data Protection Regulation
- GDPR: Killing cloud quickly?
- The GDPR’s impact on the cloud services provider
- The GDPR’s impact on the cloud service provider as a processor
- The new EU General Data Protection Regulation in Under 60 Minutes!
- General Data Protection Regulation Masterclass
- Bytes Webinar – GDPR Compliance The 12 Steps the ICO Recommend
- Webinar: GDPR – how it applies to cloud, and what to do about it
- Charting the Course to GDPR: Setting Sail
- Data flow mapping for EU GDPR compliance
- EU GDPR Webinar: The IT Manager’s guide to GDPR – Getting your department up to speed and ready
- Preparing for GDPR
- Preparing for the EU General Data Protection Regulation (GDPR)
- EU General Data Protection Regulation (GDPR) Need to Knows
- AWS Whitepaper
Summary
Article name: GDPR Compliance Checklist
Author: Mark WH
Publisher: OIC Solutions