Since the GDPR came into force, our team of business strategists has been researching this newly launched data protection law in depth. We have also compiled a GDPR compliance checklist that clears up a lot of confusion and answers the most critical questions about GDPR.
Our detailed GDPR compliance checklist will also help small businesses, established organizations and entrepreneurs take the right steps to become GDPR ready. Before anything else, let’s take a quick look at what GDPR compliance is.
What’s GDPR?
Basically, GDPR is a set of data protection rules designed to overhaul the existing laws that protect the personal information of individuals who use the internet for a vast range of services.
The European Union’s General Data Protection Regulation (GDPR) came into force on 25th May 2018 and has become mandatory for businesses in the European Union (EU) that collect data from individuals. In short, GDPR has been put in place to prevent the wrongful storage, use, and sharing of personal information.
Now that we have covered the concept of GDPR and its basic principles, let’s focus on the critical question:
Are you ready for GDPR?
Since GDPR is a complex document of 11 chapters and 99 articles covering a vast range of data protection rules, we have simplified the rules for easier understanding. This GDPR compliance checklist highlights the key points that you need to work through systematically to become GDPR compliant. Here is the GDPR compliance checklist in its simplest form!
Determine whether your business needs GDPR compliance
The first step is to determine whether your business really needs to become GDPR compliant or not. Your business needs to comply with the GDPR if it collects personal data from individuals in the European Union, offers goods and services to individuals in the EU, or monitors the behaviour of individuals in the EU. If the EU is not your business area, then you do not have to implement it.
Determine whether your business is a data processor or controller
Data processors handle customers’ data on behalf of other companies. They are usually third-party enterprises that deal with individuals’ information, whereas data controllers are businesses that ask customers directly for their personal information, such as Facebook. The purpose of collecting the information could be to send newsletters, privacy policy updates, etc. Under GDPR, data processors and data controllers have different obligations, so take time to identify your data role.
Update your business’s privacy policy
Under GDPR, it’s mandatory for businesses to update their privacy policy and privacy notices with new terms and conditions. If your business’s privacy policy complies with the Australian Privacy Policy Act 1988, then you still need some modifications.
- Your business must start processing personal data in accordance with the principles set out in the GDPR.
- Persons over 16 years can consent to the processing of their personal data, but those below that age need the consent of their parents or guardians.
- Individuals have the right to access their data, to have it erased, to request that its processing be restricted, and to data portability.
Updating the privacy policy is a major highlight of the GDPR and should top your GDPR compliance checklist.
Complete a DPIA (Data Protection Impact Assessment)
If your business processes data on a large scale and poses a high risk to the rights and freedoms of individuals, then it’s mandatory for your business to complete a DPIA (Data Protection Impact Assessment). A DPIA is required if your business:
- Carries out systematic and extensive evaluation of the personal aspects of individuals, including profiling.
- Processes sensitive data on a large scale.
- Monitors public areas on a large scale.
For a better understanding, we have included an example in this GDPR compliance checklist.
If a bank screens its customers against a credit reference database, then it needs a DPIA, since the bank is processing data on a large scale. However, a health practitioner doesn’t need a DPIA for processing the personal data of their patients.
Assign a European Union representative
You need to appoint an EU representative if your business falls under the scope of GDPR. However, there is no need to assign a separate representative in every EU member state if your business distributes goods and services in the EU or monitors the behaviour of individuals within the EU.
In other scenarios, your business doesn’t need an EU representative if:
- Your business processes data that is unlikely to result in a risk to the rights and freedoms of individuals.
- Your business processes data only occasionally (processing of criminal offence data or special categories of data is an exception).
- Your business is a public authority.
Create a privacy compliance manual & train your staff
It’s essential for businesses to create a privacy compliance manual and educate their staff about privacy guidelines and best practices. Employees are the ones who respond to individuals requesting access to their data or exercising their other rights, so your employees should be aware of those individual rights and respond accordingly.
Note: Businesses that fall under the scope of GDPR but do not comply with it can face fines of up to 20 million euros or 4% of their total annual worldwide turnover, whichever is higher. Recently, technology giants like Google, Facebook, Instagram, and WhatsApp faced fines of up to USD 9.3 billion on the first day of the new privacy law.
Creating an easy-to-understand privacy compliance manual and providing complete training to your staff are important to ensure GDPR compliance.
This super-informative GDPR compliance checklist ends here! Do you need help with GDPR compliance and with making your business ready for the new privacy laws of the EU? Get in touch with Team Doynt at hello@doynt.com for a free consultation session!