GDPR: Your 11 Point Checklist

1.   Awareness

Ensure that key personnel within your organisation are aware of the GDPR and what it means for the organisation. It is time to review your risk management processes and identify any challenges that arise.

2.   Accountability

One of the principles of GDPR is accountability. As an organisation you must be clear on the personal data that you hold and why you hold it. Do you still need it? How long have you had it? How safe is the data? GDPR is about making the organisation accountable for the personal data that it holds.

3.   Data Privacy Notices

Data privacy notices must be reviewed to ensure that they are fit for purpose and GDPR compliant. You MUST tell individuals how you intend to use their data.

4.   Privacy Rights of Individuals & SARs (Subject Access Requests)

Your policies and procedures need to cover ALL of the rights that individuals are now entitled to. This must include deletion, portability, corrections and the right to be forgotten. You must also have a procedure to handle a Subject Access Request (SAR). Under GDPR any individual can ask for access to their data; they can check it, port it, or ask for it to be deleted. You must be able to access this data easily and work within the 1 month time scale.

5.   What is the legal basis for processing?

What is your legal basis for processing? Are you relying on consent?

6.   Consent

For some companies this will be a huge issue! How is your database? Can you say that it is 100% compliant with GDPR? Can you honestly say that each and every one of the contacts on your database agreed to be there? If that is the case then congratulations; however, if you are one of the many that doesn't have a 100% opted-in database, then now is the time to look closely at how you obtain and record consent. Look at it as an opportunity to reconnect!

7.   DPIA (Data Privacy Impact Assessment)

GDPR puts privacy at the heart of data protection regulations. Data privacy, 'privacy by design', needs to be your first thought when embarking on a new project.

8.   DPO (Data Protection Officer)

Do you have one? Do you need one? Do you have someone in house who can act as your DPO? If so, do they need assistance? Or is it a function that you would be happy to outsource?

9.   Data Breach

The unthinkable has happened: a data breach. Do you have the processes and procedures in place to detect, investigate and report to the authorities and the individuals concerned within the new 72 hour window?

10. Data belonging to Children

Do you process data from children? If so, you must have the proper mechanisms and processes in place to verify age and gather parental consent.

11. International Organisations

Does your organisation operate in more than one country? If so, you need to decide where your data 'capital' is. This will help you identify where your main data establishment is located, which in turn will allow you to identify your lead supervisory authority (LSA).