GDPR compliance checklist
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 across all European Union markets. This checklist summarises the steps your business should take to comply with the GDPR.
1. Carry out an information audit
An information audit can help you identify areas that could cause compliance problems under the GDPR. It's important to look at what information you collect, store or process and determine:
- why you are processing it
- how did you get it
- what is the purpose of processing
- how long do you plan to keep it
- how secure is it
- who you share it with, or might share it with, and how
An inventory of all personal data you hold will help you comply with the GDPR's accountability principle, which requires organisations to demonstrate how they comply with the data protection principles when carryout out their business.
2. Determine the legal basis for processing personal data
For processing to be lawful under the GDPR, you must identify a legal basis before you can process personal data. You also have to document it accordingly.
Under the previous data protection legislation, legal basis were often referred to as 'conditions for processing'. However, under the GDPR, legal basis carry greater practical implications, due to their effect on individuals' rights. For example, if you rely on someone's consent to process their data, they will generally have stronger rights, for example to have their data deleted.
There are six legal basis for processing data under the GDPR, including:
- consent of the individual
- contractual necessity
- compliance with legal obligations
- vital interests of the data subjects
- public interest
- legitimate interests
See more on the GDPR provisions relating to lawful processing.
3. Review your use of consent
The GDPR sets a high standard for consent. Like the preceding data protection legislation, it has references to both 'consent' and 'explicit consent'. Both forms of consent under GDPR have to be:
- freely given
- an unambiguous indication of the individual's wishes
Under GDPR, consent also requires some form of clear affirmative action. This means that you cannot presume consent from silence, pre-ticked boxes or inactivity.
You must be able to demonstrate that consent has been given. This generally means that you will have to keep some form of record of how and when you have sought and received consent.
If you rely on an individual's consent to process their data, take steps to ensure that your processes meet the enhanced standards needed under the GDPR. Otherwise, you may want to find an alternative to using consent.
See the Information Commissioner's Office (ICO) GDPR consent guidance.
4. Review and update your privacy notices and policies
Under GDPR, you must provide privacy information in clear and plain language. Your policies should be transparent and easily accessible. You must include in your privacy notices certain additional information, such as:
- the legal basis for processing the data
- data retention periods
- rights of individuals to complain about the manner in which you handle their data
- whether data will be subject to automated decision-making
Find out more in the ICO's guidance on privacy notices, transparency and control.
5. Keep in mind individuals' rights
The GDPR introduces greater rights for data subjects. Check your procedures and systems to ensure they align to the new or enhanced rights under the General Data Protection Regulation, including:
- subject access right (SAR)
- right to have inaccuracies corrected
- right to have information erased
- right to prevent direct marketing
- right to prevent automated decision-marking and profiling
- right to data portability
Prepare for the data subjects to exercise their rights and put in place procedures that will enable you to deal with possible scenarios, eg someone asking you to delete their personal data, or provide their data electronically or in commonly used formats.
See more on individuals' rights under the GDPR.
6. Prepare for new rules and timescales for SAR
The rules for dealing with subject access requests changed under the General Data Protection Regulation. In most cases, you cannot charge for processing an access request, unless you can demonstrate that the cost to respond will be excessive. From 25 May 2018, you also have to respond to an access request within a month, rather than the 40 days previously allowed under the Data Protection Act.
You may have some grounds for refusing to grant an access request. However, you must have clear refusal policies and procedures in place, and be able to demonstrate why the request meets these criteria.
You also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable.
Find out more about the right of access under the GDPR.
7. Prepare for new rules regarding children's personal data
The GDPR has new provisions that aim to enhance the protection of children's personal data. These include:
- clear privacy notices for children - where services are offered directly to a child
- parent/guardian consent - where online services (eg social networking) are targeted at children
If your organisation collects personal data of children, you should think about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.
8. Prepare for data security breaches
The General Data Protection Regulation introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases to the individuals affected. If you experience a data breach, you must notify the ICO if the breach is likely to cause significant detrimental effect on individuals, eg:
- result in discrimination or damage to reputation
- cause financial loss, identity theft or breach of confidentiality
You should put in place clear policies and procedures to ensure that you can detect quickly any data breach, react appropriately and notify in time where required. Find out more about the breach notification duties.
9. Prepare for 'privacy by design' and privacy impact assessments
Under GDPR, you must implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Find out more about the 'privacy by design' approach to data protection.
You must ensure that you have clear policies in place to prove that you meet the required data protection standards under the GDPR. You can follow best practices for accountability by establishing a culture of:
- monitoring, reviewing and assessing your data processing procedures
- minimise data processing and retention of data
- building in data protection safeguards, including regular staff training
As an integral part of this 'privacy by design' strategy, you may need to carry out a privacy impact assessment. The assessment will help you to identify and reduce the privacy risks of your projects.
Under GDPR, you need to carry out a privacy impact assessment:
- when using new technologies
- if the processing is likely to put at risk the rights and freedoms of individuals
Find out more about privacy impact assessments.
10. Appoint a data protection officer (DPO)
The GDPR requires some organisations to designate a DPO. For example, public authorities or those organisations that regularly and systematically monitor individuals on a large scale.
You may appoint a single DPO to act for a group of companies, taking into account their structure and size. An organisation can also designate a DPO on a voluntary basis, however the same requirements will apply to his or her designation, position and tasks as if the designation had been mandatory.
The DPO's role is to facilitate compliance with the provisions of the GDPR within an organisation. Find out more about the role of data protection officers.
11. Know the rules on international data transfers
The General Data Protection Regulation imposes restrictions on the transfer of personal data outside the European Union. It does so to ensure that the level of protection of individuals have under the GDPR is not undermined.
Under GDPR, you may be able to transfer personal data:
- subject to appropriate safeguards
- on the basis of the ICO's decision regarding levels of protection in specific territories
Read more about the transfer of data under the GDPR rules.
Note that if your business is not in the EU, you may still need to comply with the regulation if you collect, share, transfer or use personal data of EU citizens.