A GDPR compliance checklist for evaluating your data strategy

March 14, 2019
The Looker Team

The General Data Protection Regulation (GDPR) represents one of the most comprehensive reforms to data regulation in recent times. It affects how companies around the globe approach their strategies for external data protections (like data security), as well as internal data access and usage. The purpose is to give EU and UK individuals more transparency and control over their personal data. Additionally, it modernizes and consolidates the data protection rules of individual EU Member States under the previous EU Directive into a single regulation.

As your business continues to grow and change, it will be necessary to add or remove technology, people, and processes to better serve your data needs. And since GDPR is an ongoing process requiring a blend of all these factors, it is a project that can’t ever be fully completed. Businesses that handle personal data of citizens of the EU and UK must comply with the requirements of the legislation or face fines, which can cost up to 20 million Euros or 4% of global revenue.

GDPR compliance checklist

More than just avoiding monetary penalties, organizations across industries have an opportunity to appeal to consumers worldwide as a champion of consumer privacy through GDPR compliance. If you are curious as to whether or not your business is meeting GDPR compliance regulations, the following checklist can help you better understand GDPR requirements and the steps your business should take in order to execute those priorities.

Hire a data protection officer (DPO)

GDPR compliance requires that companies that process or handle personal data and have more than 10-15 employees appoint a Data Protection Officer (DPO). A DPO will help with the maintenance and regular monitoring of data subjects as well as the processing of special categories of data on a large scale.

Data privacy design & assessment

Privacy processes need to be designed with privacy protection in mind and must be applied by default whenever new products or services are released to the public. In addition, data processes having to do with the entire supply chain need to be assessed and audited in order to prevent internal and external breaches from occurring.

Data governance

Data governance involves the people, processes, and technologies required to create consistent and proper handling of organizational data across the business. Companies must maintain current documentation of their data supply chain, such as data flow maps and data inventories, from the time of data collection to erasure. Keeping documentation up to date allows for the continued governance of what data is being collected, why it is collected and how it will be used, where that data lives, how it’s secured, how access is controlled, and how it will be erased when requested or upon expiration.

Get consent for data collection, retention & erasure

GDPR compliance should improve transparency and give consumers more control over their data. In order to check this box off a data protection checklist, companies must obtain customer consent before collecting and storing data. Beyond data collection, personal data must have an expiration date, and users must be able to request that their data be deleted, overriding rights of the data controller.

Compliance, auditing & record keeping

Data controllers must be able to prove that their organization is up to speed on how to comply with GDPR regulations. To do this, data controllers should regularly audit their own privacy protection practices and keep stringent records of all data that is held, the processing of that data, details of the transfer of data to other countries, and details of activities relating to personal data using Identity and Access Management (IAM).

Data breach obligations

Although this may be the last item on our data protection checklist, it might be one of the most important. In the event of a data breach, companies should be prepared to notify regulators within 72 hours, as required under GDPR regulation, as well as notify the individual whose data has been breached ‘without undue delay’.


The GDPR is a complex set of regulations, and every company's approach to GDPR compliance will be unique. Companies should work with their own advisors to determine how best to comply with the GDPR requirements list.
