Anyone who works with collecting and processing personal data faces a challenge when it comes to GDPR compliance.
At first glance, it seems complicated, so the IO Technologies team is here to sort things out.
Here is a short list of tips on what you should do to prepare for May 25, 2018, the day when the new regulations take effect. Time is running out and the deadline is almost here. So, if you are involved in personal data processing, become GDPR compliant or stop completely. The penalties for non-compliance are huge: up to €20 million or 4% of your annual worldwide turnover, whichever is higher.
However, keep calm and continue reading, as proper preparation will help you avoid fines.
GDPR Compliance Checklist
1. Designating a DPO.
A Data Protection Officer (DPO) is mandatory for public authorities and for companies whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data. The DPO monitors whether personal data is being processed in adherence to the law and watches for conflicts of interest. Without a specialist you may be overwhelmed by the sheer number of regulations and make a mistake.
TO DO: Ensure your DPO works in close collaboration with every team responsible for data collection and processing. The best results are achieved through team work.
2. Informing users and obtaining consent.
A company processing personal data must inform the data subject about what data is collected and for what purpose, and must obtain clear consent before processing it further. Because of this, GDPR compliant firms should use simple and plain language in their user agreements and use checkboxes that are unticked by default (pre-ticked boxes do not count as consent). If data is collected from children under 16, you will need to seek parental consent (EU member states may lower this age threshold to 13).
TO DO: Check your user agreement. Is it easy for your clients to understand? Does it tell them how their personal data is protected and what their rights are? Note that a supervisory authority can and will check it.
3. Explicit consent.
This point is one of the most important in our GDPR compliance checklist. Explicit consent differs from an ordinary user agreement: it is more detailed and concerns special categories of personal data such as religious and political opinions, sexual orientation, health data, etc. It is crucial that every point be written separately with its own checkbox, as a client must agree to provide you with each piece of data.
TO DO: List every point on a separate line followed by a checkbox, explaining why you need that information from your client.
4. Tracking of data usage.
Clients need to be sure their collected data can be accessed, corrected, used, or deleted. On request, companies must give EEA residents a copy of their data and allow them to correct it or object to its processing. You may also have to explain to customers in detail how their personal data is used.
TO DO: Check whether you can provide people with this information in a simple way. Make sure that clients can request changes to or deletion of their data and that this can be done quickly.
5. Using standard data-protection clauses.
These are model contract terms approved by the European Commission for transfers of personal data from a data exporter inside the EEA to a data importer outside it. The clauses set out what happens to the data after it has been transferred. The page refers to the resulting contract as a Personal Data Protection (PDP) agreement, signed whenever data is transferred between EU and non-EU parties. Note that the legislation covers the entire EEA, not only the EU, as stated on the official GDPR website. If you transfer data outside the EEA, you must sign such an agreement.
TO DO: As mentioned above, companies need to sign the standard data-protection clauses if they transfer data outside the EEA. However, it is better to sign PDP agreements with every client.
6. Hiring an EU representative.
Companies established outside the EEA that offer goods or services to people in the EU, or monitor their behaviour, must designate a representative established in the EU. This representative acts as the company's contact point for supervisory authorities and data subjects and advises the company on GDPR-related questions. The main difference between a DPO and an EU representative is their location: a DPO may be located outside the EEA, but a representative must be established in the EEA.
TO DO: If your company is located outside the EEA, find and appoint an EU representative. Ask your EU representative for any further assistance.
A bonus: a short & useful infographic on DO’s and DON’Ts.
The bottom line
Our GDPR compliance checklist is a brief version of the main statutory provisions of the new regulations. As for a detailed list of actions, there is no universal solution: every company has its own specifics and needs a DPO to manage them.
Approaches to storing and processing data vary from company to company, as each firm needs different types of personal data for different periods of time.
The IO Technologies team intends to help your company. Use our tips and you will come closer to being GDPR compliant by May 25.
If you want to know more about the GDPR, find our article about its basics and principles or the detailed FAQ.