Jocelyn S Paulley
Partner
Co-leader of Retail & Leisure Sector (UK)
Co-leader of Data Protection and Cyber Security sector (UK)
You must comply with the General Data Protection Regulation (GDPR) if you are an organisation located within the EU or if you are an organisation located outside of the EU offering goods or services to, or monitoring the behaviour of, EU data subjects. If an organisation breaches its obligations under the GDPR, it may be subject to an administrative fine of up to €20 million or 4% of its undertaking's worldwide. Take a look at our checklist to make sure you have completed all of the tasks needed in order to comply with the GDPR.

No | Issue | Tasks |
---|---|---|
a | Record keeping (Article 30) | Controllers must maintain records of processing of the following: |
b | Data Protection Officer? (Article 37) | Establish whether the company is required to have a DPO, i.e. where one of the following applies: If the company is not required to have a DPO, it may appoint a voluntary DPO. DPO contact details must be notified to the regulatory authority and published to the public. |
c | Data retention (Article 5) | Data can only be retained for as long as necessary for the purpose for which it was obtained. The company needs to determine how long data can be kept before it is either deleted or anonymised. |
d | Privacy Impact Assessment (PIA) (Article 35) | Where the company implements new technologies which will or could result in a high risk to the rights and freedoms of individuals, the company has to carry out a PIA. This is an exercise to determine what impact the technology and processing will have on individuals and to ensure that it adheres to all aspects of the GDPR. |
e | Employee training (Article 5) | Employees who handle personal data of other employees or customers must receive training in order to ensure that they handle it in accordance with the GDPR. The company should keep a record of training and provide update and refresher training. |
f | Policies and procedures (Article 5) | In order to ensure that the company has considered its privacy obligations and implements the six data protection principles, the company must have and implement data protection policies. There is no set format for these, and the exact list of policies that will be appropriate for each company will depend on what data it processes and why, but the following is a list of common policies: |

No | Issue | Tasks |
---|---|---|
a | Are privacy notices given at the correct time to data subjects? | Notices must be given at the time that the data is obtained from the data subject or, if the data was received from a third party, within a reasonable period after obtaining the data but at the latest within one month. |
b | Do privacy notices contain all of the required information? | The required information is as follows: |
c | Language/form of privacy notices | Is the language concise, transparent, intelligible and in an easily accessible form, using clear and plain language, in particular for information addressed to a child? Consider whether the notice is delivered in a format that is user-friendly (i.e. font size and amount of text delivered on handheld devices) and the manner of delivery (i.e. 'just-in-time' notices as customers fill in a web page or request certain functionality, or layered notices so that individuals can do a quick read of the key points or follow up in more detail if desired). |

No | Issue | Tasks |
---|---|---|
a | Has the company established the legal basis on which it processes all the different (non-sensitive) personal data that it holds? (Article 6) | These are the grounds for processing lawfully: |
b | Has the company established the legal basis on which it processes all the special categories of personal data (previously known as sensitive personal data) that it holds? (Article 9) | The legal grounds are as follows: |
c | Where the ground for processing is consent (Article 7) | |
d | Profiling (Article 22) | |
e | Children (Article 8) | Does the company process personal data of children? If so, consider the language of privacy notices and how to obtain valid consent. |

No | Issue | Tasks |
---|---|---|
a | Data subject access right (Article 15) | Does the company enable employees and customers to request their personal data processed by the company? Are there personnel trained to respond to requests within the one-month timeframe? |
b | Does the company have the processes or technology to enable data subjects to exercise their rights? (Articles 16-21) | Summary of data subject rights: |

No | Issue | Tasks |
---|---|---|
a | Privacy by Design | Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. |
b | Privacy by Default | The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. |

No | Issue | Tasks |
---|---|---|
a | Does the company use third-party data processors or group companies to process data on its behalf? (Article 28) | If so, there must be a written contract with each data processor which must include the minimum requirements from Article 28. The company must also ensure that it has received 'sufficient guarantees' from its data processors that they can implement measures (technical and organisational) to meet the requirements of the GDPR. Until there are approved codes of conduct or certifications that controllers can rely on, the company will need to make its own enquiries through due diligence processes and perform its own assessment of whether its processors are complying with the GDPR. |
b | Does the company, or do the company's processors, transfer data out of the EEA? (Articles 44-49) | If so, which of the approved transfer mechanisms are used? The approved transfer mechanisms are as follows: |

No | Issue | Tasks |
---|---|---|
a | Are security measures appropriate for the personal data? (Article 32) | Security has to be appropriate to the likely risks to individuals if data were lost, stolen or disclosed to unauthorised people. Organisations can take into account the state of the art, costs and the nature, scope and context of processing in order to determine what is appropriate to the risks involved. Security covers organisational (i.e. people, processes) and technical measures. The following factors should be considered: |

No | Issue | Tasks |
---|---|---|
a | Mandatory notification (Article 33) | Does the company have procedures in place to enable it to report a breach to the regulator within 72 hours of becoming aware of it? The breach must be investigated and details provided to the regulator about the nature of the breach, its likely consequences and the mitigations being taken to address it. This investigation may require assistance from processors, so operational processes should factor this in. |
b | Notification to individuals affected (Article 34) | If the breach is likely to result in a high risk to the rights and freedoms of individuals, the company will need to notify the individuals affected. Note that if the data is encrypted or otherwise unintelligible, then individuals will not need to be notified. |

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.