GDPR Checklist

General GDPR Checklist

We have created this easy-to-use GDPR checklist to help you understand what you need to be doing with regard to GDPR and data compliance.

GDPR is a complicated 88-page legal document that any organisation to which the legislation applies must follow when handling the personal data of a person in the European Union. (If you are after a more detailed or specific checklist, check out our other articles.)

Chapter 1: General Provisions

  1. The most important item to check on the GDPR checklist is: does GDPR apply to your organisation?
  2. Another important item to check: does your organisation understand the terms “personal data”, “Data Controller”, “Data Processor”, “rights and freedoms”, “supervisory authority” and “Processing Activity”?

Chapter 2: Principles

  • Have you checked what activities your organisation does that involve personal data and made sure that your organisation:
    1. Has identified which of the six legal reasons for using data applies (check our article on the legal basis).
    2. Only uses personal data for the purpose it was collected for.
    3. Checks to make sure that personal data is fit for purpose and limited only to the information needed for that purpose.
    4. Has something in place to make sure that the data used is correct and up to date.
    5. Only keeps the personal data for as long as it is needed.
    6. Has taken steps to make sure that personal data is secure.
  • If your organisation uses consent, has it been checked that it meets the strict GDPR standards? (If you need help on this check out our articles on consent).
  • Have you identified the types of personal data that your organisation holds? Remember if you hold data about criminal convictions and offences, child data or any of the special categories of data, there will be some extra hoops to jump through.

Chapter 3: Rights of a data subject

This chapter only applies if you are the controller of the data.

  • Do people know that you are using their data?
  • Do people know how to contact you?
  • Do people know why you are using their data?
  • Do people know who you share their data with?
  • Do people know if you send their data abroad?
  • Do people know how long you will be keeping their data?
  • Do people know how you obtained their data?
  • Do you have a process in place for allowing people to access the data you hold on them?
  • Do people know that they can request access to the data you hold on them?
  • Do you have a process in place for allowing people to request that you update or correct the data you hold on them?
  • Do people know that they can request that you update/correct the data you hold on them?
  • Do you have a process in place for allowing people to request that you delete the data you hold on them?
  • Do people know that they can request that you erase the data you hold on them?
  • Do you have a process in place for allowing people to request that you continue to hold but do not use the data you hold on them? (This is known as a restriction of processing).
  • Do people know that they can request that you restrict the use of the data you hold on them?
  • Do you have a process in place to notify people when you correct, update or erase their personal data?
  • Do you have a process in place for allowing people to request that you transfer the data you hold on them to another organisation?
  • Do people know that they can request that you transfer the data you hold on them?
  • Do you have a process in place to handle people’s objections to your use of their data?
  • Do people know that they can object to your use of their data?
  • If you use automated decision-making, do you have a process in place for a human to make that decision instead, if the person affected requests it?
  • Do people know that you use automated decision-making and what their rights are regarding this?
  • Do you understand the situations where people’s data rights apply?

Chapter 4: Controller and Processor

  • Has your organisation identified risks to the rights and freedoms of the people whose data it holds?
  • Has your organisation taken appropriate steps to address these risks?
  • When you are starting a new project, does your organisation include data protection as one of the key requirements?
  • Does the organisation make sure that the default settings are most secure?
  • Where your organisation shares its role as data controller with another organisation (commonly referred to as joint controllers), is there a process to determine who does what and who the points of contact are?
  • Where your organisation is a joint controller, are people informed of this?
  • If your organisation is based outside the European Union, has it designated someone to act as their representative inside the EU?
  • Where your suppliers handle personal data, have you checked that they are protecting that personal data?
  • Do you have a legal agreement with your suppliers to ensure that they will only use your personal data as instructed?
  • Where your organisation is processing personal data for someone else, do you have a process for getting authorisation for any of your suppliers to handle that same personal data?
  • Where your organisation has over 250 employees, do you keep records of the activities you do that involve personal data?
  • Where your organisation performs activities that pose a high risk to the rights and freedoms of people, do you keep records of those activities?
  • Where your organisation uses data regarding criminal offences and convictions or special categories, do you keep records of the activities that use this data?
  • Where appropriate, do you use pseudonymisation and encryption to protect data?
  • Where appropriate, are your organisation’s security systems strong enough to ensure that personal data is not accessed or tampered with, and that the personal data is available when you need to use it?
  • Where appropriate, does your organisation have the ability to restore data (e.g. backups)?
  • Where appropriate, do you test the security measures?
  • Does your organisation have measures in place to detect a data breach?
  • When a data breach is detected, can your organisation report it within 72 hours?
  • When a data breach is detected and the breached data puts people’s rights and freedoms at risk, can your organisation contact the affected people and provide them with advice?
  • Where necessary, has your organisation carried out a data protection impact assessment?
  • Where your data protection impact assessments have highlighted a high risk, have you consulted the supervisory authority?
  • Has your organisation evaluated the needs and requirements for a data protection officer?
  • If necessary, has your organisation appointed a data protection officer?
  • Is the data protection officer free from conflict of interest? (A good rule of thumb is that the data protection officer should not be deciding how data gets used).
  • Is the data protection officer qualified?

Chapter 5: Transfers of personal data to third countries or international organisations

  • Have you identified all of the countries that your organisation transfers personal data to? (This will also include passing data to international organisations such as Google, Facebook and Microsoft).
  • Does each of these transfers meet one of the following criteria?
    1. The country is within the European Economic Area.
    2. The country is on the list of adequate countries.
    3. There are legally binding and enforceable appropriate safeguards protecting people’s data rights. (Binding corporate rules are also suitable).
    4. You have explicit personal consent to transfer their data to that country.
    5. The transfer is necessary to fulfil a contract with the person.
    6. The transfer is necessary for important reasons of public interest.
    7. The transfer is necessary for a legal claim, or defence of a legal claim.
    8. The transfer is necessary to protect someone’s life and the person is not capable of giving their consent.
  • Finally, you should be aware that, depending on your country, there might be a couple of small differences depending on how GDPR has been brought into national law. For example, in the UK, GDPR is implemented via the Data Protection Act, which includes additional requirements such as having to pay an annual fee to the supervisory authority.

Thank you for reading our GDPR Checklist. If you have any questions or queries, please call us on +44 (0)20 3457 4683 or email us at customer@gdpr123.com.