Checklist for tasks needed in order to comply with GDPR

02 April 2018

You must comply with the General Data Protection Regulation (GDPR) if you are an organisation located within the EU or if you are an organisation located outside of the EU offering goods or services to, or monitoring the behaviour of, EU data subjects. If an organisation breaches its obligations under the GDPR, it may be subject to an administrative fine of up to €20 million or 4% of its undertaking's worldwide. Take a look at our checklist to make sure you have completed all of the tasks needed in order to comply with the GDPR.



Notes:

  • We recommend that any business looking to comply with the GDPR first carries out a data audit in order to establish factual context such as: what data the company holds, where it is held, third parties who have access, retention issues, security etc.
  • The checklist focuses on factors required for legal compliance, rather than the practical issue of how to achieve compliance based on the company's current practices
  • This checklist presumes that a company processes both employee and customer personal data, including special categories of personal data
  • This checklist does not include any industry specific issues or considerations
  • The checklist is not an explanation of the law or the extent of obligations on either controllers or processors under GDPR. There is more detail behind each issue noted below. The full obligations contained in the GDPR should be consulted to check compliance against each issue.

GDPR compliance toolkit

1. Corporate Governance

No Issue Tasks

a

Record keeping (Article 30)

Controllers must maintain records of processing of the following:

  1. the name and contact details of the controller and the data protection officer (DPO) (if one is appointed);
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  5. transfers of personal data to a third country or an international organisation, including the name of the country or international organisation and, the documentation of the safeguards for the transfer (i.e. based on consent, necessary to perform a contract, public interest);
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures.

b

Data Protection Officer? (Article 37)

Establish whether the company is required to have a DPO i.e. where one of the following applies:

  1. processing is carried out by a public body, except for courts;
  2. core activities consist of monitoring operations which by virtue of their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale; or
  3. core activities consist of processing on a large scope of special categories of personal data and data relating to criminal convictions and offences.

If the company is not required to have a DPO, you may appoint a voluntary DPO.

DPO contact details must be notified to the regulatory authority and published to the public.

c

Data Retention (Article 5)

Data can only be retained for as long as necessary for the purpose for which it was obtained. The company needs to determine how long data can be kept before it is either deleted or anonymised.

d

Privacy Impact Assessment (PIA) (Article 35)

Where The Company implements new technologies which will or could result in a high risk to the rights and freedoms of individuals, The Company has to carry out a PIA.

This is an exercise to determine what impact the technology and processing will have on individuals and to ensure that it adheres to all aspects of GDPR.

e

Employee training (Article 5)

Employees who handle personal data of other employees or customers must receive training in order to ensure that they handle it in accordance with GDPR.

The company should keep a record of training and provide update and refresher training.

f

Policies and procedures (Article 5)

In order to ensure that the company has considered its privacy obligations and implements the six data protection principles, the company must have and implement data protection policies.

There is no set format to these and the exact list of policies that will be appropriate for each company will depend on what data it processes and why, but the following is a list of common policies:

  • General Data Protection Policy
  • Data Subject Access Rights Procedure
  • Data Retention Policy
  • Data Breach Escalation and Checklist
  • Employee Privacy Policy and Notice
  • Processing customer data policy
  • Guidance on privacy notices

2. Privacy notices (Arts 12-14)

No Issue Tasks

a

Are privacy notices given at the correct time to data subjects?

Notices must be given at the time that the data is obtained from the data subject, or if the data was received from a third party, within a reasonable period after obtaining the data but at the latest within one month.

b

Do privacy notices contain all of the required information?

The required information is as follows:

  1. the identity and the contact details of the controller and data protection officer (where applicable);
  2. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, including the legitimate interests pursued by the controller;
  3. the recipients or categories of recipients of the personal data, if any;
  4. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and how the transfer ensure adequacy of protection (i.e. which of the approved transfer mechanisms are used)
  5. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  6. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  7. where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  8. the right to lodge a complaint with a supervisory authority;
  9. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  10. the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

c

Language/form of privacy notices

Is the language concise, transparent, intelligible and in an easily accessible form, using clear and plain language in particular for information addressed to a child?

Consider whether the notice is delivered in a format that is user-friendly (i.e. font size and amount of text delivered on handheld devices) and the manner of delivery (i.e. 'just-in-time' notices as customer fill in a web-page or request certain functionality, or layered notices so that individuals can do a quick read of key points or the follow up in more detail if desired).

3. Lawfulness of processing

No Issue Tasks

a

Has the company established the legal basis on which grounds it processes all the different (nonsensitive) personal data that it holds? (Article 6)

These are the grounds for processing lawfully:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. (processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

b

Has the company established the legal basis on which grounds it processes all the special categories of personal data (previously known as sensitive personal data) that it holds? (Article 9)

The legal grounds are as follows:

  1. the data subject has given explicit consent;
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. processing relates to personal data which are manifestly made public by the data subject;
  5. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  6. processing is necessary for reasons of substantial public interest;
  7. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
  8. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care;
  9. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

c

Where the grounds for processing is consent (Article 7)

  1. Was the consent freely given?
  2. Is the consent presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language?
  3. Can the company demonstrate that the data subject gave their consent?
  4. Does the data subject have the ability to withdraw their consent?

d

Profiling (Article 22)

  1. Does The Company carry out profiling on employees or customers?
  2. If so, does this profiling result in making a decision about the individual which would have a significant legal effect or similar on that individual e.g. refusal of credit or refused for an interview?
  3. If the answer to (b) is yes, has The Company got the consent of the individuals to this profiling?

e

Children (Article 8)

Does the company process personal data of children? If so, consider language of privacy notices and how to obtain valid consent.

4. Data Subject Rights

No Issue Tasks

a

Data Subject Access Right (Article 15)

Does The Company enable employees and customers to request their personal data processed by The Company? Are there personnel trained to respond to requests within the 1 month timeframe?

b

Does the company have the processes or technology to enable data subjects to exercise their rights? (Articles 16-21)

Summary of data subject rights:

  1. Right to rectification of inaccurate data.
  2. Right to erasure ('right to be forgotten') - where data is no longer necessary in relation to the purpose for which they were collected, the data subject withdraws consent, objects to the processing, data is processed unlawfully, for compliance with a law or the data concerns a child and was processed by a website. The company needs to be able to identify other data controllers to whom it has disclosed data to tell them that the individual wants to be forgotten (subject to cost and available technology).
  3. Right to restriction of processing to verify accuracy of data, where processing is unlawful but the individual does not want erasure, the controller no longer needs the data but the individual requires the controller to keep the data for defence of legal claims or pending verification of whether the legitimate interests of the controller in processing override those of the individual.
  4. Right to data portability - controllers have to give data subjects their data in a format which the individual can take to another controller.
  5. Right to object where processing is based on public interests or legitimate interests or for direct marketing.

5. Privacy by Design and Default (Article 25)

No Issue Tasks

a

Privacy by Design

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

b

Privacy by Default

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

6. Data processors and international transfers

No Issue Tasks

a

Does the company use third party data processors or group companies to process data on its behalf? (Article 28)

If so, there must be a written contract with each data processor which must include the minimum requirements from Article 28.

The Company must also ensure that it has received 'sufficient guarantees' from its data processors that they can implement measures (technical and organisational) to meet the requirements of the GDPR. Before there are any approved codes of conduct or certifications that controllers can rely on, The Company will need to make its own enquiries through due diligence processes and perform its own assessment about whether its processors are complying with GDPR.

b

Does the company, or does the company's processors, transfer data out of the EEA? (Articles 44-49)

If so, which of the approved transfer mechanisms are used?

The approved transfer mechanisms are as follows:

  1. a country which has a finding of adequacy from the European Commission.
  2. If it is within the The Company group, are binding corporate rules in place?
  3. Standard contractual clauses as approved by the European Commission.
  4. If the transfer is to the US, on the basis of the Privacy Shield.
  5. With the consent of the data subject.
  6. The transfer is necessary to carry out a contract with the data subject.
  7. The transfer is in the public interest.
  8. The transfer is necessary to establish, exercise or defend legal rights.
  9. The transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent.

7. Security

No Issue Tasks

a

Are security measures appropriate for the personal data (Article 32)

Security has to be appropriate to the likely risks to individuals if data was lost, stolen or disclosed to unauthorised people.

Organisations can take into account the state of art, costs and the nature, scope and context of processing in order to determine what is appropriate to the risks involved.

Security covers organisational (i.e. people, processes) and technical measures.

The following factors should be considered:

  • Pseudonymisation
  • Encryption
  • Ensuring ongoing integrity, confidentiality, availability and resiliency
  • The ability to restore in a timely manner
  • Processes for testing security

8. Breach notification

No Issue Tasks

a

Mandatory notification (Article 33)

Does the company have procedures in place to enable it to report a breach to the regulator within 72 hours of becoming aware of it?

The breach must be investigated and details provided to the regulator about the nature of the breach, likely consequences and mitigations being taken to address it.

This investigation may require assistance from processors, so operational processes should factor this in

b

Notification to individuals affected (Article 34)

If the breach is likely to result in a high risk to the rights and freedoms of individuals, the company will need to notify the individuals affected. Note that if data is encrypted or otherwise unintelligible, then individuals will not need to be notified.


NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.