GDPR Readiness Checklist
Preparing your business to support an international audience is a daunting process. Many think of the European Union's General Data Protection Regulation (GDPR) as a big scary monster that lurks just out of reach, impossible to understand, much less conform to. The truth is, it will be a massive undertaking, and there is no rushing GDPR compliance. However, this world-changing regulation can be understood and well-prepared for.
Before you go rushing in to add haphazard consent forms and cookie banners to your website, you'll need to do a full analysis of your data processing methods and databases to make sure that your business is ready to support GDPR compliance, from the inside-out.
We'll show you what to focus on and how to get started with compliance.
- 1. Why is the GDPR Such a Big Deal?
- 2. What's the Difference Between Readiness and Preparation?
- 3. GDPR Compliance Readiness: Questions to Ask Yourself
- 3.1. 1. Have you performed a comprehensive data audit?
- 3.2. 2. What's your legal basis for processing data?
- 5. Create Compliant Cookie Consent
- 5.1. 3. Is your organization prepared to uphold EU consumer rights?
- 5.2. 4. Are your data security measures up to standards?
- 5.2.1. Assessing the Risk
- 5.2.2. Have a Data Protection Policy
- 5.3. 5. Can your business legally make international data transfers?
- 5.4. 6. Are Data Processing Agreements established with data processors?
- 5.5. 7. Does your team know how and when to perform a Data Protection Impact Assessment?
- 5.6. 8. Do employees know who to go to with data processing questions and concerns?
Why is the GDPR Such a Big Deal?
You know by now that the GDPR will likely affect the way you do business, and there's no avoiding it. But what makes it so impactful is the combination of international reach and massive fines for infringement. The GDPR is the first privacy regulation in history with the capacity to enforce both its stipulations and its monetary penalties on virtually any company in the world.
In short, if your business collects so much as an IP address from an EU resident, you will be required to comply with the GDPR. There are a few exemptions, but for the most part, the GDPR reaches far and wide.
Even if you are based in the USA, it would be hard to guarantee that no EU resident will ever stumble upon your website. In today's global marketplace, the GDPR has international reach. With penalties for infringement reaching up to €20 million in administrative fines, compliance is a small price to pay.
What's the Difference Between Readiness and Preparation?
In this article, we've put together a GDPR Readiness Checklist that will give your team direction as they examine every aspect of the business's data processing practices, databases, security measures, and more. A GDPR Readiness Checklist is not to be confused with a GDPR Preparation Checklist, which is a list of the final actionable items that will need to be completed in order to achieve GDPR compliance.
Before you can even begin to check off a list of GDPR compliance guidelines, you will have to be intimately familiar with how your data processing is defined under the GDPR, if your security measures and data handling techniques are sufficient to satisfy GDPR standards, and which requirements will apply to your business.
Once you have completed the readiness checklist outlined below, your team will be well prepared and informed enough to begin checking off action items on the final GDPR Preparation Checklist (linked above).
GDPR Compliance Readiness: Questions to Ask Yourself
For the purposes of this article, we will assume that your business is the data controller or owner of the personal data you process for data subjects (consumers). If you are a data processor handling data on behalf of the controller, many of the same steps will apply, but the roles and responsibilities may change. Be sure to establish and understand your responsibilities according to the role of your organization with regard to personal data processing.
Each section below presents a question that will need a thorough and complete answer before GDPR compliance preparation can begin.
If you've approached your business through the lens of Privacy by Design, you'll have an advantage here. If you haven't, you need to start. Keep in mind the principles of PbD when reviewing these questions.
1. Have you performed a comprehensive data audit?
This is possibly the most important and the most time-consuming part of any GDPR Readiness Checklist. It will be necessary to analyze every aspect of the personal data that your company collects, processes, and stores.
Conduct a privacy law self-audit to find out these important details.
Here are some specific details that will need to be identified and evaluated:
- Identify data subjects: Whose personal data are you collecting? Identify what kind of people are in your database, such as if the data subjects are employees, customers, clients, or otherwise. Pay special attention to vulnerable individuals, such as children or the mentally ill, as vulnerable data subjects are entitled to a different set of data protection rights under the GDPR.
- Categories of personal data: Identify each category of personal data you collect and make a list of the elements in each category. For example, anonymous data would include elements like IP address, username, and geolocation; while contact details would include name, address, and email.
- Sources of data: How do you collect personal information? Establish whether or not data is collected through a third-party, digitally, in-person, and so forth.
- Purposes for which data is processed: For each category of data, document what the data is used for, such as data collected for HR purposes, order fulfillment, marketing analysis, and so on.
- Lawful basis for processing: Once the purposes for data processing have been documented, you will need to define the lawful basis for each of those purposes. You can read more about lawfull bases in the next section of this article.
- Identify special categories of data: If your company collects information that the GDPR defines as a "special categories of data" such as race, religion, or sexual orientation, make a note of all personal data that would be included under this special category.
- Lawful basis for processing special categories of data: Processing special categories of data is only allowed under specific circumstances. Ascertain whether or not your business has a lawful basis for processing special categories of data.
- Data retention: How long will data be retained? Describe your data retention policy including how long you store data and how it will be destroyed at the end of the retention period.
- Data storage: Where and how is data stored? How is it secured?
- Sharing of personal data: Identify any third parties that have access to the consumer database and explain why personal data is shared.
Yes, that is a lot of information to gather. It will be time consuming, but once a data audit has been completed, many of the questions contained in the remainder of this readiness checklist will be easier to answer. You need to have a good grasp on all of the above before you can really take next steps.
2. What's your legal basis for processing data?
It is not lawful to collect or process the personal information of EU residents without a valid legal basis for doing so. Before going any further, you have to establish which legal basis or bases are considered valid for the type of data processing your business performs. These are the six legal bases that the GDPR establishes as valid justification for processing consumer data:
- If the consumer gives their consent to allow data to be processed for a specific purpose, such as when a website visitor voluntarily signs up and consents to receive promotional email newsletters from a company.
- If the data processing is performed to fulfill a contract or in order to establish a contract between the data controller and the data subject, such as a banking customer submitting their information to a bank in order to set up a new checking account.
- In order to fulfill a legal obligation, for example when a police organization requires the criminal background information of an accused suspect.
- To protect the vital interests of consumers, as would be necessary if emergency room personnel needed to access the medical history of a critically-ill patient.
- If the data processing is necessary to serve the public interest or on behalf of a government entity, such as processing consumer data in order to deliver the mail on behalf of a national postal service.
- Under certain restrictions, personal data may be processed for purposes of the legitimate interests of the data controller, but not if those legitimate interests impede upon the rights and freedoms of individuals or especially children.
If you're not sure what legal bases your own data processing activities fall under, it would be advisable to consult with a Data Protection Officer (DPO) or privacy law expert to make sure your company is processing data under a lawful legal basis.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
Consent as a Legal Basis
If consent is the legal basis your business uses for collecting and processing data, you may have some work to do.
Here are some requirements that the GDPR sets in order for consent to be considered valid:
- You must show a clear record of valid consent for any type of data processing you perform, and that includes existing personal information that was added to your database before the GDPR came into existence.
- If older data records were not obtained through valid consent, those consumers will either need to renew their consent or their personal information will have to be deleted.
- Consent for any type of data collection - including most data collected by internet browser cookies - must be obtained before the data is collected from the user. This may call for a cookie banner on your website.
- Checkboxes for consent may not be pre-ticked. Consent must be given via a clear, affirmative action by the consumer, and never implied.
- Provide customers with a way to revoke their consent and inform them of how to do so.
If your methods for obtaining consent and processing data are not GDPR-compliant, processing or storing EU consumer data will not be considered lawful.
First, make sure the records you have on file were collected through valid consent methods. If not, a repermission campaign will be in order to update those records under a lawful legal basis. Then, you can begin the necessary infrastructure changes to ensure that personal information is collected through valid consent methods in the future.
To illustrate a GDPR-compliant consent method, check out this contact form from Sainsbury's:
Here's an example of a cookies consent dialogue from MailChimp:
When the user clicks "Cookie Settings" they're presented with options to accept or reject different kinds of cookies throughout the MailChimp website:
Both of these companies are obtaining clear consent from users by using checkboxes, notices and settings options, which works towards GDPR compliance.
Create Compliant Cookie Consent
3. Is your organization prepared to uphold EU consumer rights?
For example, the right to erasure may include erasing log files like IP addresses and geolocation data that are recorded as a visitor uses your website or service. Some log data would also need to be reproduced if a data subject requested a copy of the personal data you hold about them.
Depending on the infrastructure you use to collect and organize data records, fulfilling requests like these could be burdensome and time-consuming. Therefore, it's important that your data protection team carefully study the rights that the GDPR grants EU consumers, and then review whether or not your current data management system can easily support upholding those rights.
These are the rights of all EU residents as defined by the GDPR:
- The right to access: Consumers have the right to know if their data is being processed and must be provided with a complete copy of their personal data upon request.
- The right to rectification: If a consumer wishes to update or rectify outdated or inaccurate information that a data controller possesses, the data controller must make the necessary changes without undue delay.
- The right to erasure: Data subjects may request that the data controller erase all records of their personal data. Except for a few exceptions, data controllers must fulfill this request as quickly as possible.
- The right to restriction of processing: Individuals have the right to restrict or limit the processing of their data under certain circumstances.
- The right to data portability: Data subjects have the right to request that their data be transferred in a portable, digital format to themselves or to another data controller.
- Rights regarding automated decision-making and profiling: Data controllers may not use automated processing and profiling technology to make decisions about consumers if those decisions would have a legal or otherwise significant impact on their lives.
- The right to object: Consumers have the right to object to the processing of their personal data at any time. With a few exceptions, data controllers must immediately cease processing any data that the consumer objects to.
Notice how users are also informed of how to make direct requests in regard to their consumer rights. That last detail will be integral in order to fulfill this GDPR requirement.
You'll also need to know how to respond when users exercise their rights. For example, with the right of access you'll need to handle privacy access requests in a very specific way.
4. Are your data security measures up to standards?
Security is a big issue in the GDPR. Data protection is expected to be integrated into business practices by design and by default. In fact, GDPR Article 32 goes into even further detail regarding the security of personal data processing:
That's a lot of fine print, so here's a summarized version:
Taking into account the type and quantity of personal data processing your company performs, data security and protection measures must be appropriate to meet the risks associated with handling the data.
Where appropriate and possible, these measures should incorporate the following:
- Pseudonymisation and encryption of personal data
- Methods to maintain confidentiality and integrity of data processing systems and services
- A workable plan-of-action to recover access to personal information quickly in the event of system failures or technical problems
- An established process for testing and evaluating data protection measures to maintain their effectiveness
The level of security should reflect the level of risk, especially by means of accidental loss, destruction, or alteration of data, as well as unlawful data loss, destruction, disclosure, or access
It may be appropriate to use established codes of conduct established by EU supervisory or GDPR-approved compliance certification standards to demonstrate proper data protection protocols.
Third-party data processors may only access and process personal information under the specific instructions of the data controller.
Assessing the Risk
The GDPR makes it very clear that the level of data security must reflect the risk involved with the type and quantity of data processing that your company performs. Therefore, your first objective is to assess the risks involved with your data processing activities in order to determine the level and extent of data protection measures you will need to implement.
Some factors that would need to be considered in this assessment include:
- The quantity of data being processed: A company processing enormous quantities of personal data would require a higher level of data security.
- The categories of data that are being processed: Any processing of those categories that the GDPR defines as special or sensitive categories would be considered high-risk.
- Vulnerable data subjects: The personal data of vulnerable individuals, such as children or the mentally ill, presents a particularly high level of risk.
- The number of employees or third-parties that have access to personal data: If data processing requires that it be accessed by multiple employees, departments, or third-party data processors, it may present a higher risk.
- The purposes of the data processing: If data is being used for high-risk activities such as automated decision-making or profiling, it will require a higher standard of protection.
Of course, there are many more factors that would be considered during an in-depth risk assessment. If your staff does not have the experience or expertise to accurately evaluate data security risks and the resulting security measures required to meet them, it may be necessary to hire a data security consultant to complete this step for you.
Have a Data Protection Policy
Once you have established the level of data protection and security that will be necessary to mitigate the risks of data processing, you will need to make the necessary organizational and technical changes within your data handling framework. This may require new or updated software systems, pseudonymization tactics, security monitoring techniques, or any number of other data protection technologies based on the way your business processes data.
Again, if your team does not have the expertise to complete this process themselves, a data security consultant could be helpful.
Finally, when the appropriate security system is established, create a Data Protection Policy (DPP) that can be used to educate everyone in your organization about data security standards and expectations.
A Data Protection Policy is an effective way to demonstrate to both employees and supervisory authorities that your company is serious about data protection. Some of the subject matter that may be covered in a DPP includes:
- Data processing scope
- GDPR principles and requirements
- Bases of lawful data processing
- Roles and responsibilities of employees
- Fulfilling data subject rights
- Security measures and maintenance
- Record keeping
- Data security contacts
- Data breach notification policy
Take especial care with that last point. The way your staff handles a data breach could make the difference between a written warning or a massive fine from GDPR supervisory authorities.
Build a GDPR-compliant data breach notification policy and include it in your DPP. Make sure all employees are well-versed on the steps to take in the event of a data breach.
5. Can your business legally make international data transfers?
Business owners often assume that the rules regarding international data transfers only apply when sending personal data to a third country, but this is not the case.
If your company is based outside of the EU, you are technically performing an international data transfer every time you receive data from an EU resident on your website or mobile app.
In order to receive this data legally, first determine if your country has an 'adequacy decision' from EU authorities. If this is the case, then data transfers may proceed normally.
If not, check out some of these other options. You will need to implement one of the following safeguards:
- Join the EU-U.S. Privacy Shield and uphold its requirements.
- Use a legally binding contract between your company and the consumer when the data collection is fulfilling part of that contract.
- Use GDPR-certified safeguards such as binding corporate rules, standard data protection clauses, an approved code of conduct, or direct certification from a supervisory authority.
- Obtain explicit consent from the data subject after fully informing them of the potential risks involved with the data transfer.
If the data transfer is necessary to fulfill a legal obligation or at the request of an official public authority, like the government, you'll be able to use this as a reason for legally making an international data transfer.
Here is another example from Airbus. This one lists binding corporate rules as the method by which data is transferred internationally:
And here's an example of how explicit consent may be used to transfer EU consumer data, with this registration form from Virtuoso:
Here, the user has to give their explicit consent to the transfer of their information to the United States by checking a box before creating an account.
6. Are Data Processing Agreements established with data processors?
As a data controller that collects EU consumer data, you will be legally required to establish Data Processing Agreements (DPAs) with any third-party data processor before sharing customer data with them.
This type of agreement will serve the following purposes:
- To lay down specific expectations and stipulations regarding the confidentiality and security of personal information
- To dictate instructions as to how and why the third-party will process consumer data
- To establish the length of the working relationship and what will happen to the data after the contract ends
- To effectuate special instructions in the case of a data breach or data loss incident
- To fulfill the mandatory requirements of a DPA according to the GDPR
7. Does your team know how and when to perform a Data Protection Impact Assessment?
Under certain circumstances, it may be necessary to perform a Data Protection Impact Assessment (DPIA) before launching a new project that involves data processing. In order to comply with the GDPR and save time for your data processing team in the future, it would be advisable to formulate a DPIA template ahead of time.
A standard DPIA will need to cover the following topics, according to Article 35 of the GDPR:
- A detailed description of the project
- An evaluation of the necessity and scope of data processing activities
- An evaluation of potential risks to personal data security and protection
- A proposal of the methods that will be used to reduce or eliminate those risks
8. Do employees know who to go to with data processing questions and concerns?
Lastly, before you can hope to execute a GDPR compliance program throughout your organization, the roles and responsibilities of data handling should be firmly established.
If you do not intend to appoint a DPO or EU Representative, it will still be important to determine who will be in charge of data processing activities, data security, consumer privacy requests, and data breaches.
This will probably require a dedicated team of individuals who are well-trained in privacy, data security, and GDPR requirements. Make sure everyone in your organization understand the roles and responsibilities of your data processing team and who to go to with questions or concerns.
Once you have answered all of the questions in this GDPR Readiness Checklist, your organization will be better prepared to implement a GDPR preparation and compliance action plan, and you'll have a solid foundation to build your GDPR compliance upon.