GDPR Compliance Requirements Checklist and Plan

The General Data Protection Regulation (GDPR) has been active since 25 May 2018. It affects each and every business that works with information about individuals in the European Union (EU). There are a lot of things that a company needs to check or create to fully comply with GDPR, but there are some key things that everyone should have already started with.

The first step is to determine if your company actually falls under GDPR’s jurisdiction. There are three general questions to determine if your company falls under GDPR’s regulations:

• If your business collects data and monitors the behavior of someone inside EU;
• If your business collects data and is established on the EU territory;
• If your business collects data and is supplying services and/or various products to someone inside the EU.

If your organization falls within one of these categories, there are a number of things you’re supposed to do to get access to all of the GDPR compliance tools. To simplify the process, there are different GDPR requirements checklists, plans and roadmaps available to you, each with their own benefits and complexity. Here is the difference between two of the most popular ones: The less complicated “Simple EU GDPR compliance checklist” and a more complex “Group-based EU GDPR compliance checklist”.

It is worth noting that these GDPR compliance plans aren’t meant to replace seeking proper legal advice. We strongly advise you to contact a specialized attorney that can help you with adapting to GDPR regulations for your specific business if you have any questions or concerns.

Simple GDPR compliance requirements checklist

This checklist is lighter and easier to get through, but it may overlook steps for some of the more specialized businesses. It should be seen as general recommendations or guidelines for getting the basics in place for any business. There are nine main steps in this GDPR compliance checklist:

1. Forming accountability and getting support from the board of directors.
   GDPR compliance as a process often means additional investments and extensive support from the company’s owners, that’s why the first step here is about getting the board of directors to understand the importance of the GDPR compliance and the need for the resources allocation to create and maintain necessary compliance levels.
2. Creating a plan of your future GDPR compliance project and defining its scope.
   An obvious second step of the GDPR compliance plan after getting the board’s support is to figure out what parts of the company’s business fall under GDPR’s regulations. This includes appointing several new positions, including a project manager and a data protection officer, if you need them. At the same time you’ll have to find specific standards that should help you with understanding the basis of the security framework you’ll need to set up (international security standard ISO 27001, other standards like ISO 27701, BS 10012, etc.), assess the competence of your current data protection measures, and so on.
3. Performing a data audit and defining everything about your data.
   The third step of this GDPR compliance plan is all about assessing the extent and the location of your data inside the business by creating a map of your data flows. Use this same map to figure out possible risks for your data processing efforts and start to create records of data processing activities, as one of the GDPR articles requires.
4. Assessing your risks.
   Since GDPR itself encourages a risk-based approach to data protection, risk assessments are often a big part of almost any GDPR compliance checklist. Performing risk assessments allows organizations to perform a comparable level of protective measures for their risk management efforts after they’ve analyzed all of the GDPR compliance reports. This step can be split into four smaller steps: risk assessment plan establishment, risk identification, risk evaluation, and risk control measures development.
5. Undertaking a thorough gap analysis.
   A gap analysis is another important part of any GDPR compliance plan. This involves a knowledgeable specialist assessing your entire system to find areas that could possibly have GDPR compliance issues. This kind of analysis allows businesses to see the list of their vulnerable areas, compliance-wise, and also allows them to decide the most important gaps that need immediate remediation.
6. Bringing existing policies in line and creating the missing ones.
   A popular recommendation is to start working on your policies and procedures right after performing a thorough gap analysis. You should not only update your existing policies to fall in line with GDPR requirements, but also create new policies to ensure the fulfilment of your legal obligations. This often includes contract reviews, DSAR (Data subject access request) handling, reviewing data transfer mechanisms, and more.
7. Creating a defined multi-layered personal data protection system.
   One more part of the GDPR compliance roadmap requires companies to create appropriate personal data processing measures. They typically include information security policy, basic technical controls over the data, various GDPR compliance encryption types when necessary, as well as data breach detection/notification/investigation systems and policies.
8. Making sure that your employees are educated and aware about GDPR and possible ramifications.
   Staff education and raising awareness is necessary for any GDPR compliant business. Every employee should be aware and knowledgeable enough to properly follow all of the necessary procedures and regulations to prevent most of the GDPR compliance issues in the first place.
9. Regularly look over compliance results in general and check up on specific fields from time to time.
   You can’t just set everything up for GDPR and forget about it. Most of the time GDPR compliance roadmap and the compliance itself is an ongoing process that requires periodic check-ups and audits to make sure everything is operating properly, from record holding to security procedures.

Now let’s get into the second more detailed checklist, that separates recommendations into groups and is more suitable for data controllers. ‘Data controllers’ are the companies that ask any EU individual to provide their personal information for almost any purpose, even as little as for a newsletter subscription.

Grouped GDPR compliance checklist plan

This GDPR compliance plan can be split into four main groups: transparency, security, governance and privacy.

1. Transparency

• Your data processing activities should have a legal justification according to the GDPR’s conditions. There are six main conditions from Article 6 and other special categories in Articles 7-11, and there’s also extra obligations possible based on the lawful basis that you’re choosing.
• Your privacy policy should clearly specify what data you’re collecting and for what reason, who has access to this data, and what are the measures that you’re taking to make sure that data is safe and protected. It should be presented as clear as possible to leave little to no room for speculation and misunderstanding.
• If your organization has over 250 employees and/or conducts data processing with an increased risk on a regular basis – you have to keep a fresh and detailed activity list about said data and should be ready to present this list to the regulation institution on a moment’s notice. For companies with less than 250 employees this demand turns into a recommendation that helps with overall compliance. Your activity list should have several different categories like processing purpose, data type, access level for this data, a list of third-party personnel that has access to this data, what are the protection measures about this data and so on.

2. Security

• Knowing the right time and the mechanisms in place to perform a data protection impact assessment. DPIA is all about understanding how your business can put customers’ data at risk, and how you can minimize those risks. A general recommendation is to perform a DPIA each time you’re planning to perform some way of processing personal data.
• GDPR’s recommendation is to use encryption and/or pseudonyms whenever feasible, and a lot of business-related tools nowadays already have various GDPR compliance encryption measures for different data types, not just cloud storage, but emails, notes, and more.
• After the exposure of personal data as a result of a data breach (which is technically a GDPR compliance breach, as well) you have 72 hours to notify the authorities that supervise GDPR compliance in your jurisdiction. It’s also important to quickly notify all of the affected individuals about the GDPR compliance breach, unless the data in question is unlikely to jeopardize them in the first place (For example, if the data is encrypted).
• It’s not just up to the technical appliances to provide data protection, but up to the employees, as well. A well-defined security policy about making your team more knowledgeable in terms of data security would go a long way to improving your overall security results. The bare bones of knowledge are topics like email security, 2FA, device encryption, passwords and VPNs. For personnel that work directly with GDPR compliance reports and GDPR-compliant data – these requirements should be higher.
• In accordance to the “data protection by design and by default” regulation, your data protection efforts shouldn’t just focus on technical measures, but on organizational ones as well. In other words, you have to keep data protection in mind any time you’re interacting with other individuals’ personal data in any way.

3. Governance

• There are some circumstances that specifically require a data protection officer (DPO) to be appointed within your organization, but it’s also good to have one in any event. The main purpose of a DPO is to perform various GDPR-related activities, like compliance, data protection risks, data protection impact assessments and so on.
• Any and all third parties that process personal data on your behalf should have a data processing agreement signed between you and them. This includes analytical software, cloud servers and a myriad of other examples. The majority of companies and services already have a basic data processing agreement on their websites.
• If your organization is based outside of the EU, you’ll need to have a representative that would be communicating with data protection authorities on your behalf. There’s also some types of companies that do not require such a representative, like public bodies.
• One more delegation is about GDPR compliance in general, and it’s not necessarily a data protection officer. Such a person should have the ability to watch over and evaluate data protection policies of the company and the way they are implemented.

4. Privacy

• Your customers should be able to request the restriction or termination of you processing their data for a number of different reasons, However, generally it’s done in cases when the lawfulness of the processing is questionable. You’ll have a month to comply with such a request, if it happens. The processing restriction doesn’t mean that you still can’t keep the data in question.
• The matter of a deletion request is an entirely different question, each individual can request that, and there’s only five possible reasons why you can possibly deny that request (freedom of speech and legal compliance is one of them). It’s also quite normal to try and verify the identity of the person before honoring the request.
• People should have the ability to see what kind of personal data you’ve collected about them and how that data is being used. They can also request the period of time that you’ll be keeping that data and the reason for that exact amount of time. Normally, you’re obliged to send the first copy of the data for free, but the subsequent ones can cost a reasonable fee.
• The information that you’re sending the customers personal data to them should be in an easily readable form (most often it’s a spreadsheet) so that they can turn over that data to any third party of their choosing.
• Your customers should also have the ability to correct inaccurate or out-of-date data about them, and you should comply with their correction within a month (after you’ve confirmed their identity).

As you can see, this list is far more specific and is often targeted at companies that have already implemented the basics for GDPR and are missing just a few items. The first checklist is targeted at those companies just starting out with their GDPR journey and wanting to be GDPR compliant in the near future.