GDPR Preparation Planning Checklist

Last updated on 29 August 2019 by Nicole Olsen

The new General Data Protection Regulation (GDPR) impacts the way data is processed and the way people around the world do business.

For some, the GDPR reflects a growing organizational commitment to transparency, accountability, and the protection of privacy. Others will need to make significant changes to the data control and processing models - or block Europeans from accessing their website.

If you fall under the jurisdiction of the GDPR, the time for compliance was May 25, 2018.

Are you still getting up to speed with the legislation, opening up your site to EU citizens, or launching a new business altogether? Don't go live without completing a GDPR Preparation Planning Checklist.

Why is the GDPR So Important?

The GDPR isn't the first privacy regulation to place limits and safeguards on data processing activities. However, it is now the most comprehensive. It covers more ground and more people than previous iterations of European law or other comprehensive privacy laws like CalOPPA.

In addition to placing greater requirements on data processors, the GDPR also comes with a sincere focus on accountability. It enforces that accountability with a series of fines for non-compliance.

Those fines can reach 4% of a company's annual turnover or a total of 20 million Euro - whichever is greater. Those facing the highest penalties will be data processors with flagrant and willful disregard of privacy law. Some infringements won't come with a fine but a warning, reprimand, cease and desist orders, or court orders for processes like rectification or erasure.

If you don't know whether you fall under the GDPR's jurisdiction or you know you do but have not yet prepared for the GDPR, keep reading. The EU is ready to impose sanctions - and your organization should be ready to be accountable if you process the data of European citizens.

GDPR Readiness vs. GDPR Preparation


You may have seen a series of GDPR Readiness checklists floating around in the lead-up and aftermath of May 25, 2018 - the day the legislation took effect.

A Readiness Checklist walks you through an assessment of your current practices, but it does not prepare you for meeting your obligations under the GDPR.

What will you find on a Readiness Checklist? It asks you to do things like:

  • Identify the information you collect
  • Identify all data processing methods
  • Consider whether you need a Data Protection Officer
  • Start compiling a GDPR Privacy Policy

A GDPR Preparation Planning Checklist goes one step further and begins to prepare you for actual compliance. It uses some of the data you collected during the Readiness stage and goes further to include reviewing rights and obligations, record keeping and more.

Unfortunately, the GDPR doesn't provide an official checklist for businesses to use to ensure compliance. Why? Because the GDPR acknowledges that organizations operate differently. Precise demands would make the law tricky to enforce. Instead, the GDPR took a method better described as "sweeping."

The GDPR impacts every area of data processing from collection to destruction. Your GDPR Preparation Planning Checklist needs to be equally comprehensive, but it also needs to be tailored to your own data obligations.

Principle Items in the Checklist


Because the GDPR covers the entire data processing lifespan, you'll find it's easier to break down the checklist according to essential principles. The principles added to the checklist include:

  • Legal Basis for Processing
  • Consent
  • Information Provision
  • Profiling
  • Third Party Processing
  • Data Security
  • Transparency
  • Records Management
  • Documentation
  • Data Breach
  • Data Subject Rights

Let's take a look at each, one at a time.

Legal Basis for Processing

The GDPR requires you to have a legal basis for processing data. The lawful bases for processing data are:

  1. Consent
  2. Contract
  3. Legal obligations
  4. Vital interests
  5. Public task
  6. Legitimate interests

Starting with a review of your legal bases is important because it provides the foundation of your lawful ability to collect data in the first place.

After you determine your lawful bases you'll need to:

  • Double-check that each basis is appropriate for the processing it covers
  • Explain to data subjects why you collect data when you collect it
  • Have a Privacy Policy and share your lawful bases within it

Apple provides an example of the lawful bases it uses to collect data in its Privacy Policy:

Apple Privacy Policy: How we use your personal information clause

Note that Apple says it uses consent and legitimate interests as its legal bases for using personal information.

Consent

If you use consent as your basis for data processing, and the consent mechanisms you have in place fall short of GDPR standards, you'll need to update them. You'll also likely need to seek new consent from existing data subjects.

You must also record and manage consent because users must be able to withdraw it at any time.

Make sure your consent mechanism does the following:

  • Request consent using easy-to-read statements and explanations
  • Get affirmative, clickwrap-level consent
  • Provide granular options when asking for consent for different types of data
  • Allow individuals to withdraw consent
  • Make it clear that they can withdraw consent without negative repercussions
  • Put in place appropriate consent measures for children
  • Keep records of when and how you acquired consent
  • Show individuals how to withdraw their consent
  • Act quickly when receiving a consent withdrawal

You'll need to update your Privacy Policy to let users know that you're using consent and that they can revoke it at any time.

Microsoft provides a complete explanation called "How to access and control your personal data":

Microsoft Privacy Statement: How to Access and Control your Personal Data clause

This clause lets users know how to opt out of things they may have opted into, such as receiving promotional emails and having their data used for interest-based advertising.

Disclosing Information

The GDPR requires you to provide certain pieces of information to your data subjects to enable them to use the rights granted to them by the law. You'll do this primarily through the development of a Privacy Policy.

Every data subject whose data you process must be keenly aware of:

  • Who you are and how to contact you
  • Your legal basis for processing personal data
  • Which third parties you work with (if any)
  • If you process data outside the EU
  • Your data storage practices
  • How they can exert their rights under the GDPR
  • If and how you use automated decision making (more in Profiling)

In addition to providing the information in your Privacy Policy, you also need to provide this information upon request if an EU citizen asks.

Profiling

The GDPR regulates profiling, particularly when it occurs with automated decision-making tools.

Profiling is a form of evaluation or scoring. The data you profile might include behavior, health data, location, personal preferences, or economic situations.

Automated decision-making occurs when you use software or another service to make a decision online without any human intervention. An online loan application that is approved or rejected without a loan officer reviewing it is one example.

To meet GDPR standards, you need to disclose if you engage in these types of data processing.

Here's how Unilever discloses its use of profiling and automated decision-making in its Privacy Policy:

Unilever Privacy Notice: What purpose do we use your data for clause

Update your Privacy Policy to reflect this to your users, if applicable.

Data Protection Impact Assessment Procedures

The GDPR calls for a Data Protection Impact Assessment (DPIA) in any case where processing operations are "likely to result in high risk to the rights and freedoms" of individuals.

A DPIA will be required in instances such as when you:

  • Use a new type of technology to process data that isn't proven to be fully safe or secure
  • Process data for profiling purposes
  • Process data on a very large scale
  • Process data about criminal offenses and criminal convictions of individuals

If you're unsure about whether to carry out a DPIA, you should carry one out anyway. It's better to be on the side of caution rather than risk violating the GDPR and the rights of your data subjects.

Third Party Processing

Under the GDPR, you are responsible for how data you possess gets collected - even if you buy it from a third party.

Every third party processor relationship requires an evaluation of the party's compliance before you initiate or continue a working relationship with them.

If the third party will not provide you with verification of their GDPR compliance, don't work with them. Data you obtained without consent violates the GDPR even if you did not collect it yourself.

Don't forget to keep records of your third party audits to provide to EU citizens who request them and for your own security.

You'll also need to share how you work with third parties in your Privacy Policy. Here's an example from Vodafone:

Vodafone Privacy Policy: Third parties clause

The clause discloses that user information may be exchanged back and forth between the company and third parties.

Records Management

If you are a data controller or data processor, Article 30 has special instructions for your record keeping practices.

Data controllers must keep records of:

  • Their name and contact details
  • Their purpose for processing data
  • A description of the categories of personal data and categories of data subjects
  • The categories of what parties the personal data is ever disclosed to
  • Transfers of data to third countries and safeguards in place (if applicable)
  • How long the data will be kept before being erased (if possible)
  • A general description of security measures in place

Data processors must keep records of:

  • Their name and contact details
  • Name and contact details for any processors or controllers the processor is working with
  • Which categories of data are being processed for each controller
  • Transfers of data to third countries and safeguards in place (if applicable)
  • A general description of security measures in place

Note that organizations with fewer than 250 employees don't have to keep these records unless the processing:

  • Is likely to result in a risk to the rights and freedoms of the data subjects,
  • Occurs more than just occasionally,
  • Includes special categories of personal data, or
  • Includes personal data related to criminal offences and criminal convictions

Data Security

Information security plays a significant role in accountability under the GDPR. Although it does not outline explicit security requirements, failure to meet reasonable expectations of security can lead to GDPR violations.

Get compliant in data security by:

  • Performing risk assessments of all data you have control over
  • Documenting a security program that includes technical, physical, and administrative safeguards
  • Documenting processes for receiving and resolving security complaints
  • Ensuring the installation of industry standard safeguards and technologies (e.g. encryption)
  • Providing for systematic destruction, erasure, or anonymization of data no longer needed
  • Creating a plan for restoring personal data in the event of an incident

Transparency

Transparency is an overarching theme of the GDPR, and there are steps to take to make sure you reflect the principle both to your customers and your employees.

The best way to be transparent is to have a Privacy Policy that's accurate, up to date and written in language that's easy to understand. Make it easily accessible on your website or mobile app.

Documentation

Strict record keeping is a central component of the GDPR, and if you're not in the habit of keeping secure records yet, now is the time to start.

To comply with regulations, you'll need to produce the following documentation and maintain it:

  • GDPR-Compliant Privacy Policy
  • GDPR-Compliant Data Retention Policy
  • Records of internal procedures
  • Records of GDPR-compliant contracts with data controllers
  • Records of GDPR-compliant contracts with third-party vendors
  • Records of data breaches

Data Breaches

The GDPR requires you to respond to and report data breaches when those breaches meet certain requirements. To prepare yourself for the potential of a breach, your business needs:

  • Documented privacy response plans
  • Documented security response plans
  • Procedures for notifying the supervisory authority
  • Procedures for notifying data subjects
  • Documentation procedures for data breaches
  • Cooperation procedures between partners to deal with breaches and recover data

Review Articles 33 and 34 for specifics on communicating breaches.

Data Subject Rights

Chapter 3 of the GDPR is where you'll find more information about the rights of data subjects.

These rights are as follows:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decision-making, including profiling

Note that not all of these rights apply in all situations, so become familiar with them to see which ones you need to facilitate.

To uphold these rights, you'll need to do the following:

  • Inform data subjects of all rights (in your Privacy Policy)
  • Offer a documented procedure for Subject Access Requests that allows a maximum one-month response time to requests made
  • Provide a procedure for data portability (if required)
  • Offer controls and procedures to allow for deletion and rectification of data
  • Create a system for human intervention in cases of automated processing (if applicable)

Questions to Ask Yourself


To ensure your GDPR Preparation Planning Checklist runs as smoothly as possible, ask yourself these essential questions.

1. Have we inventoried and mapped our data to produce a complete understanding of our data flow?

You can't begin to prepare without a complete understanding of the end-to-end cycle of the personal data you process. It's impossible to ensure compliance without a full understanding of how you collect data, what data you collect, where and how you store it, if it is transferred, and when and how you delete it.

Strive to be able to illustrate a data processing lifecycle for each type of data you collect.

2. Are our data collection practices transparent? What do we tell people and when? Do we share their choices with them?

Transparency is key from the start to end of the data processing lifecycle. The GDPR requires you to be up front and informative about what data you process, how you process it, and why.

It also requires you to let people know that they don't need to hand over their data to use your service.

You must make all this clear throughout your GDPR-related documents from your Privacy Policy to consent forms.

3. Are we collecting data we do not have immediate use for?

Return to question one and consider each type of data collected. Does every category have a strong legal basis for collection? Do you intend to use the data immediately?

If not, then the GDPR says you shouldn't collect it.

The legislation focuses heavily on data minimization. It's better to fall on the side of processing too little than processing far too much.

Birthdates are a good example. Does your organization need the user's exact birthdate, or would you be served just as well with the user's approximate age?

Zip codes are another good example. Do you need a person's full address, or could you get the job done just as well with just their zip code?
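The two substitutions above (an approximate age in place of an exact birthdate, a postal code in place of a full address) can be enforced in code at the point of collection rather than left to policy alone. The following Python is an added example and is not code from the original article; the field names, the age bands and the `minimise_record` policy table are assumptions made here. It goes slightly beyond the two examples in the text by also dropping any submitted field that has no recorded purpose, which is the default-deny posture data minimization calls for.

```python
"""Data-minimisation helper (added example; not from the original article).

Field names, age bands and the POLICY table are assumptions made for
illustration. The idea: keep only what the service has an immediate use
for, and keep it in the coarsest form that still does the job.
"""

from datetime import date


# Coarse age bands stored instead of an exact date of birth (constructed bands).
AGE_BANDS = (
    (0, 17, "under-18"),
    (18, 24, "18-24"),
    (25, 44, "25-44"),
    (45, 64, "45-64"),
    (65, 200, "65+"),
)


def age_on(birthdate: date, today: date) -> int:
    """Whole years between birthdate and today.

    A birthday later in the current year must not be counted yet, so the
    month/day comparison subtracts a year in that case.
    """
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def age_band(birthdate: date, today: date) -> str:
    """Map a date of birth to the age band label; only the label is retained."""
    age = age_on(birthdate, today)
    for low, high, label in AGE_BANDS:
        if low <= age <= high:
            return label
    raise ValueError(f"age {age} outside supported bands")


def postal_code_only(address: dict) -> str:
    """Retain the postal code and discard street, city and any other parts."""
    return address["postal_code"]


# Per-field policy: submitted field -> (stored field, transform).
# Anything not listed has no recorded purpose and is dropped entirely.
POLICY = {
    "email": ("email", lambda v: v),               # needed to deliver the service
    "birthdate": ("age_band", None),               # needs a reference date; handled below
    "address": ("postal_code", postal_code_only),  # only the postal code is used
}


def minimise_record(raw: dict, today: date) -> dict:
    """Return only the fields with a recorded purpose, each in its reduced form."""
    out = {}
    for field, value in raw.items():
        if field not in POLICY:
            continue  # no purpose recorded: do not collect it
        target, transform = POLICY[field]
        if field == "birthdate":
            out[target] = age_band(date.fromisoformat(value), today)
        else:
            out[target] = transform(value)
    return out


if __name__ == "__main__":
    # Constructed sample submission; not real personal data.
    submitted = {
        "email": "user@example.com",
        "birthdate": "1990-06-15",
        "address": {"street": "1 Example Street", "city": "Exampletown", "postal_code": "AB1 2CD"},
        "phone": "+00 000 000 000",  # collected by the form but never used: dropped
    }
    print(minimise_record(submitted, today=date(2019, 8, 29)))
```

Running the block prints the reduced record: the email, an `age_band` of `25-44`, the postal code, and no phone number. Applying the reduction before anything is written to storage means the exact birthdate and street address never exist in the system, which is a stronger position than deleting them later.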

4. Do we need a Data Protection Officer?

Article 37 of the GDPR says you need a Data Protection Officer (DPO) if you carry out data processing activities that:

  • Deal with specially protected categories of data (healthcare, genetic, children, geolocations, etc.),
  • Handle large-scale processing of criminal data, or
  • Engage in large-scale processing with regular monitoring (behavior tracking)

You also need a Data Protection Officer if you are a public body.

If you do need a Data Protection Officer, then the appointed person or body must fulfill the role according to the law.

Even if you don't need to fill the position, you may see benefits in hiring one because the role provides information and advisory support to data controllers and processors. In effect, they are experts on the GDPR and compliance and serve as useful resources.

5. Is our staff trained on the GDPR and compliance practices?

A strict GDPR implementation plan will go a long way towards ensuring EU citizens' rights and upholding your obligations.

However, it is also important that your data processing team (and relevant groups) are aware of the GDPR and how it impacts the way you operate to prevent serious mistakes.

Make sure your entire staff has at least some familiarity with the GDPR and how things may have to change in the office to stay compliant.

6. What is our plan for ensuring our vendors are also GDPR-compliant?

As a data controller or processor, you are also responsible for vendors and third parties who access your data. If your vendors violate the regulations, you can be held liable.

Do you have GDPR-compliant contracts on file? What processes do you use to ensure vendors live up to their requirements? Only work with reputable third parties who can prove compliance.

By going through this checklist and really getting a grasp on your own internal data-handling procedures you'll be able to get closer to compliance, one aspect at a time.

Nicole Olsen

Legal writer.