GDPR Compliance Checklist

This post is a compliance checklist and summarisation of the General Data Protection Regulation (GDPR).

I am not going to attempt to explain the ins and outs of what the GDPR is; I'm going straight for the facts and best practices you need to put in place to lessen the chances of incurring a business-crippling fine. For more detailed information about the GDPR, check out our page here.

This post is comprised of a series of questions. Only you can know the answers, but if you don’t know an answer, OIC Solutions can help.

  • Do you want to avoid a potential fine of up to €10,000,000 or 5% of annual turnover?
  • Do you want to avoid potential fine of up to €20,000,000 or 4% of annual turnover?
  • Are you aware that, with regard to GDPR compliance issues, you are presumed guilty until proven innocent?
  • Did you know that GDPR compliance includes hard copy data as well as digitally stored data?
  • Have you got the Board on board?
    • GDPR compliance starts from the top down of an organisation.
  • Do you know what the term “pseudonymisation” means?
  • Have you implemented the pseudonymisation of data?
    • Pseudonymisation means that you have anonymised the data so that data from more than one source is required to establish who the data relates to.
  • Have you defined what “personal data” is within the context of your organisation?
  • Have you searched for data, removed what is not required, anonymised and restricted access to what is left?
  • Are you aware that a data breach is not just a “malicious hack” but also includes losing a laptop or USB stick on a train, for example?
  • Have you prepared for a data breach?
  • Do you have an “Incident Response” policy and plan in place?
    • Second and last shameless plug, I promise: OIC Solutions includes an Incident Response policy as part of its policy creation service. You can contact us here.
  • Have you aligned information security with a framework such as the ISO 27001?
  • Is all customer related data retained in the EU?
    • Even if Brexit does finally happen, you will still need to be able to demonstrate GDPR compliance, because the GDPR is about EU citizens’ data, not company locations.
  • Do you have an audit trail demonstrating permission to contact customers / clients?
  • Do you have a process to remove contacts from databases if they request removal?
  • Do you have a named Data Protection Officer (DPO) in your organisation?
    • Public authorities that carry out large-scale systematic monitoring or process special categories of data relating to criminal convictions / offences require a named DPO.
    • If you have more than 5,000 customers, a named DPO is also required.
    • If you are a Small or Medium Enterprise (SME), then you do not need a specific DPO.
  • Have you implemented a data classification scheme and taken measures to secure and monitor access to data based on the assigned data classification?
    • A basic data classification could be defined as:
      • Private – Only available for Internal staff, no outside distribution permitted.
      • Public – No restrictions and publicly distributable.
      • Confidential – Only select internal staff may view.
  • Have you implemented an audit trail of data access?
    • Log access (who? what? and why?).
    • Log activity (view, edit, update, delete).
    • Proof of deletion.
  • Do you encrypt data? Can you demonstrate that data is encrypted?
    • Regardless of other processes, implementing encryption is your best defence against potential fines.
    • If you can demonstrate that data is encrypted, fines would be much lower, and you would not need to notify affected data subjects of the breach. You would still need to notify the regulator.
  • Have you encrypted:
    • Data at rest (Databases).
    • Logs.
    • Media files.
    • Backups.
  • If you can answer these, you have the start of a Data Protection (DP) policy.
    • How does data flow into your company?
    • How do end users make use of this data?
    • Where necessary, how does data flow out of your company?
  • Have you implemented a privacy data management process in your organisation that covers the following requests?
    • Consent to contact.
    • Deletion of records (right to be forgotten).
    • Show individuals what data you hold about them.
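The pseudonymisation and audit trail items above are easier to reason about with a concrete model. The following is an added example (not code from the original post or from OIC Solutions) that pseudonymises a small set of constructed customer records with a keyed HMAC, keeps the re-identification table separate from the dataset, records who/what/why/action for every access, and produces a proof-of-deletion hash when an erasure request is handled. The record fields, the `SAMPLE_CUSTOMERS` data and the helper names are all assumptions made for the illustration.

```python
"""Pseudonymisation plus an access audit trail for a small customer store (added example)."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed sample data: fictitious customers, not real people.
SAMPLE_CUSTOMERS = [
    {"email": "alice@example.test", "name": "Alice Example", "postcode": "AB1 2CD", "plan": "gold"},
    {"email": "bob@example.test", "name": "Bob Example", "postcode": "EF3 4GH", "plan": "silver"},
]

# Fields that on their own identify a person (direct identifiers).
DIRECT_IDENTIFIERS = ("email", "name")


class Pseudonymiser:
    """Swaps direct identifiers for keyed tokens.

    Re-identification needs two sources: the pseudonymised record AND the
    key/lookup table held here. The dataset alone does not name anyone.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._lookup = {}  # token -> original value; store this separately from the data

    def token(self, value: str) -> str:
        # HMAC rather than a bare hash: without the key, tokens cannot be
        # recomputed from guessed e-mail addresses.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:16]

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                tok = self.token(out[field])
                self._lookup[tok] = out[field]
                out[field] = tok
        return out

    def reidentify(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out and out[field] in self._lookup:
                out[field] = self._lookup[out[field]]
        return out

    def forget_token(self, tok: str) -> None:
        # Drop the mapping so the token can never be resolved again.
        self._lookup.pop(tok, None)


class AuditTrail:
    """Append-only log answering who, what, why, and which action."""

    def __init__(self):
        self.entries = []

    def log(self, who: str, what: str, why: str, action: str, subject: str) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "who": who, "what": what, "why": why,
            "action": action, "subject": subject,  # the token, never the identity
        }
        self.entries.append(entry)
        return entry

    def proof_of_deletion(self, subject: str):
        # Proof is the hash of the recorded deletion entry; hand it to the data subject.
        for entry in self.entries:
            if entry["action"] == "delete" and entry["subject"] == subject:
                raw = json.dumps(entry, sort_keys=True).encode("utf-8")
                return hashlib.sha256(raw).hexdigest()
        return None


def build_store(key: bytes):
    """Pseudonymise the sample customers into a token-keyed store."""
    pseudo = Pseudonymiser(key)
    store = {}
    for rec in SAMPLE_CUSTOMERS:
        p = pseudo.pseudonymise(rec)
        store[p["email"]] = p
    return pseudo, store


def handle_erasure(pseudo, store, trail, email: str, who: str):
    """Right-to-be-forgotten request: remove the record and its mappings, then log it."""
    tok = pseudo.token(email)
    if tok not in store:
        return None
    rec = store.pop(tok)
    for field in DIRECT_IDENTIFIERS:
        if field in rec:
            pseudo.forget_token(rec[field])
    trail.log(who, "customer record", "erasure request", "delete", tok)
    return trail.proof_of_deletion(tok)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, not stored beside the data
    pseudo, store = build_store(key)
    trail = AuditTrail()
    tok = pseudo.token("alice@example.test")
    trail.log("support-agent-7", "customer record", "billing query", "view", tok)
    print(json.dumps(store[tok]))                   # no e-mail or name in the clear
    print(json.dumps(pseudo.reidentify(store[tok])))  # needs the separately held key/table
    print(handle_erasure(pseudo, store, trail, "alice@example.test", "dpo"))
```

The point of the split is that a copy of `store` on a lost laptop names nobody; only the custodian of the key and lookup table can re-identify, and the audit entries reference tokens so the log itself does not become another copy of the personal data.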

Links to online resources

Publisher: OIC Solutions