April 18, 2018
There are probably few companies—whether in the IT industry or outside of it—that could say confidently “Yes, we’re ready for the GDPR”. The new law is a hard nut to crack as it does not provide explicit instructions or procedures, and puts it on businesses to decide how to comply with its regulations. Since every company processes personal data in a different scope, for different purposes and using different means, there is no universal approach or a solution to have implemented.
But even though there’s no such thing as a universal GDPR checklist that could keep you on the safe side, there are some questions that every digital business should answer. And that’s exactly what I prepared for you—a list that will help you identify data flows within your company, be more GDPR-conscious, and understand where you may still need to take action. What might also help you for a start is the interview providing comprehensive answers to the most frequently asked questions about GDPR.
And even if you’ve already read the regulation five times, undertaken steps to prepare for it, and were told by your team or advisor that you’re all set… it never hurts to double check, right? Especially when there is a threat of fines of up to EUR 20.000.000 / 4% of your total worldwide annual turnover (but I’m sure I don’t have to remind you about those scary numbers).
So take a few minutes to answer diligently the questions from the list below. It should help you identify the weak points and can be a base to use talking to your team or your lawyer while creating your very own “to do” checklist.
You can also challenge your answers with my analysis and recommendations for each single question, that you can access by clicking the banner below.
Just so you know, I’ve created this list based on my 7 years’ long experience in IT law and personal data protection. We use it internally at Monterail while working on projects for our clients. Tracking the legislation process of the GDPR since 2012 (and participating in it) let me understand where exactly one should focus their efforts in order to provide compliance. And now you’ll know that too.
Here’s the question list. It’s a good idea to copy paste those to a doc, write down the answers, and share with your team.
Make one list for each purpose of processing, e.g. one to create user account and provide services, and another list for processing data for marketing purposes.
Are you a data controller or a processor—do you determine the purposes and means of the processing of personal data, or process personal data on behalf of another party?
Do you perform all the processing activities yourself or use third-party processing services, such as renting servers?
Who can access the personal data within your company? Are there different levels of access for different positions?
Do you have a system of logs that records who and when enters personal data you process, modifies, erases or accesses them?
Who do you get the data from—a data subject or from a third party?
Do you collect the personal data of children?
How do you collect data—by e-mail, electronic forms, activity tracking, etc.?
What categories of data do you collect?
Do you collect sensitive data—such as health records, data on racial or ethnic origin, religious or philosophical beliefs, etc.?
Is all the data you collect really necessary for the purpose of its processing?
How is the collected data used—what is the purpose of data processing?
What is the legal basis for your processing of data?
If you collect consents for data processing—is withdrawing consent as easy as giving it?
If you process the same data, with consent as legal basis, for multiple purposes—do you collect separate consent for each purpose?
How long will the data be stored for? What criteria are used to determine that period? Will data be erased manually or automatically?
Do you have policies in place that ensure that personal data are rectified or erased in case they are inaccurate, and erased as soon as they are not relevant for the purposes for which they are processed?
Do you collect data for statistical purposes in personal or anonymized form?
Do you inform the data subject about your identity, contact details, and data subject rights? When and how?
Will data be shared with any third parties, including within your capital group? When, how, on what legal basis?
Do you transfer data to countries outside the EU?
How can a user request access to their data, including receiving a copy of their personal data undergoing processing? Will this process be conducted manually or automatically? In what format will the copy be provided?
How will the right to data portability be handled? In what format will the data be provided to the data subject or to another controller at the data subject’s request?
How can a user request rectification of their data and how is that request handled?
Have you verified how exercising the right to restrict and right to object will affect your processes, and whether you are able to comply with obligations they entail?
How can a user request erasure of their personal data? If you’ve made that data public, how do you inform other controllers that copies of the data, replications, and any links to it have to be erased?
Does processing of personal data include making decisions based solely on automated processing, including profiling, which produces legal effects or effects affecting data subjects in a similarly significant manner?
Do you have a system in place that enables you to detect data protection breaches and a procedure on how to react in case of a breach?
Do you have a data protection officer in your company or know whether you need one?
Have you verified whether there are processes in your company that require conducting a data protection impact assessment?
Have you verified what the scope of obligatory documentation you need to prepare is and whether your staff is trained for the GDPR challenges?
If you’d like to keep those questions in a PDF file together with my comments, you can download your GDPR question list here.