Exceeders Blog

GDPR Checklist For Businesses: A Guideline to Safely Navigate Customer Data

Written by Yamini | Sep 21, 2019 10:49:00 AM

Since each company is different and the GDPR takes a risk-based approach to data protection, businesses should evaluate their own data collection and processing procedures and seek their own legal advice to make sure those procedures comply with the GDPR.

If your organisation decides why and how personal data is processed (for example, it collects customer details for its own purposes), it is a data controller. If it processes personal data only on behalf of, and on the instructions of, another organisation, it is a data processor. Many organisations act in both roles, for different sets of data.

To follow this GDPR checklist for businesses it helps to know some of the terminology and the basic structure of the law. The checklist below is far from a legally exhaustive document; it is simply meant to help you get started.

Disclaimer: Please bear in mind that this post is not legal advice and was created as a guideline basis only. We recommend that you consult a lawyer specialising in GDPR who can offer legal advice according to your specific business.

 

YOUR DATA

Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it

This is an inventory of the personal data stored by your organisation (e.g. name, national identification number, address). For each type, document the source, the parties it is shared with, the purpose for which it is used and how long the company will keep it.

Your company has a list of places where it keeps personal information and the ways data flows between them

This could be a list of databases on your servers, but it should also cover cloud services, backups and offline data (e.g. paperwork), together with how data moves between these locations.

Your company has an accessible privacy policy that clearly outlines all processes related to personal data collection

This policy should be linked from your homepage, or shown through a pop-up banner at the point where data is collected, and describe every process that handles personal data: which types of personal data the company stores, where it stores them, why, for how long, and with whom it is shared.

Your privacy policy should include a lawful basis to explain why the company needs to process personal information

Every processing activity needs one of the six lawful bases in Article 6: consent, performance of a contract, a legal obligation, protection of vital interests, a task in the public interest, or your legitimate interests (which must not be overridden by the interests and rights of the data subject). Record which basis applies to each purpose in your data inventory.

ACCOUNTABILITY & MANAGEMENT

Your company should appoint a Data Protection Officer (DPO)

Your business must appoint a DPO if any of the following applies:

(1) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(2) the core activities of the business consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or

(3) the core activities of the business consist of processing on a large scale special categories of data (sensitive data) pursuant to Article 9 and personal data relating to criminal convictions or offenses pursuant to Article 10.

If a DPO is required, the DPO should have expert knowledge of data protection law and practice as well as of the internal processes that involve personal data.

Create awareness among decision makers about GDPR guidelines

Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.


Make sure your technical security is up to date

You must protect personal data with appropriate technical and organisational measures (Article 32), for example encryption in transit and at rest, access control based on least privilege, timely patching, and regular testing of the effectiveness of those measures.

Train your staff to be aware of data protection

Many breaches start with human error or social engineering, e.g. an attacker persuading an unwitting employee with access to customer data to hand it over. Make sure all your employees know these risks and handle customer data with care.

You have a list of sub-processors and your privacy policy declares the use of a sub-processor

Inform your customers if you use any sub-processors and keep the list current; they can acknowledge this by accepting your privacy policy. If you are a processor yourself, you also need the controller's prior authorisation before engaging a sub-processor (Article 28(2)).

If your business operates outside the EU, you have appointed a representative within the EU

If your business is established outside the EU but offers goods or services to, or monitors the behaviour of, people in the EU, you must designate a representative in one of the member states where those people are (Article 27). The representative handles enquiries about your data processing and, in particular, must be reachable by the supervisory authorities and by data subjects.

You report personal data breaches to the supervisory authority and to the affected data subjects

Report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). Describe what data was affected, the likely consequences and the measures you have taken or propose to take. If the breach is likely to result in a high risk to the people concerned, you must also notify them (Article 34); this is not required if the data was unintelligible to whoever obtained it, e.g. it was properly encrypted and the key was not compromised. Keep an internal log of every breach, including those you decided not to report.

 

There is a contract in place with any data processors that you share data with

This contract should outline explicit instructions for the storage or processing of data by the processor. The contract should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. 

NEW RIGHTS

Your customers should be able to request their personal information stored by your business

You should provide contact details or a form which can help your customers request their personal data easily.  

Your customers should be able to update their own personal information to keep it up to date

They should be able to easily access and edit their personal data to make changes.  

You should automatically delete data that your business no longer needs

Automate the deletion of data you no longer need, driven by the retention periods recorded in your data inventory. For example, delete the records of customers whose contracts have ended and have not been renewed once the retention period has passed, or remove email addresses that have been inactive for a defined period. Deletion must also reach replicas, backups and any processors that hold copies.
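The following is an added example, not code from the original post: a retention sweep that decides which records are past their retention period and may be deleted. The categories, retention periods and sample records are assumptions chosen for the demo; real values come from your data inventory. Records under a legal hold are reported but never deleted automatically, and records whose category has no retention rule are surfaced for review rather than silently kept or dropped.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    subject_id: str
    category: str                          # which retention rule applies
    contract_end: Optional[date] = None    # None = contract still running
    last_activity: Optional[date] = None   # last interaction with the subject
    legal_hold: bool = False               # e.g. litigation hold: never auto-delete


# Assumed retention schedule (days after the triggering event).  Real values
# belong in the data inventory from the "Your data" section.
RETENTION_DAYS: Dict[str, int] = {
    "contract": 2 * 365,        # keep two years after the contract ended
    "marketing_email": 365,     # drop addresses inactive for one year
}


def retention_anchor(rec: Record) -> Optional[date]:
    """The event the retention clock counts from; None means it has not started."""
    if rec.category == "contract":
        return rec.contract_end
    return rec.last_activity


def is_expired(rec: Record, today: date) -> bool:
    """True when the record is older than its category's retention period."""
    days = RETENTION_DAYS.get(rec.category)
    anchor = retention_anchor(rec)
    if days is None or anchor is None:
        return False            # no rule, or the clock has not started
    return today - anchor > timedelta(days=days)


def retention_sweep(records: List[Record], today: date
                    ) -> Tuple[List[Record], List[Record], List[Record]]:
    """Classify records into: expired and deletable, expired but on legal hold,
    and lacking a retention rule (must be reviewed, never deleted silently)."""
    to_delete: List[Record] = []
    held: List[Record] = []
    unclassified: List[Record] = []
    for rec in records:
        if rec.category not in RETENTION_DAYS:
            unclassified.append(rec)
        elif not is_expired(rec, today):
            continue            # still within its retention period
        elif rec.legal_hold:
            held.append(rec)
        else:
            to_delete.append(rec)
    return to_delete, held, unclassified


# Constructed sample data for the demo, not real customer records.
SAMPLE_RECORDS = [
    Record("c1", "contract", contract_end=date(2017, 1, 1)),                  # expired
    Record("c2", "contract", contract_end=None),                              # still active
    Record("c3", "contract", contract_end=date(2016, 6, 1), legal_hold=True), # expired, held
    Record("m1", "marketing_email", last_activity=date(2018, 3, 1)),          # inactive > 1 year
    Record("m2", "marketing_email", last_activity=date(2019, 8, 1)),          # recent
    Record("x1", "support_ticket", last_activity=date(2015, 1, 1)),           # no rule defined
]
TODAY = date(2019, 9, 21)


def sweep_ids(records: List[Record] = SAMPLE_RECORDS, today: date = TODAY
              ) -> Tuple[List[str], List[str], List[str]]:
    """Run the sweep and return the subject ids in each bucket."""
    groups = retention_sweep(records, today)
    return tuple([r.subject_id for r in g] for g in groups)  # type: ignore[return-value]


if __name__ == "__main__":
    to_delete, held, unclassified = sweep_ids()
    print("delete:", to_delete)
    print("on legal hold:", held)
    print("needs a retention rule:", unclassified)
```

In a real deployment the sweep produces a work list that a separate, audited job executes against every store holding the data; the "unclassified" bucket is the useful one for the data inventory, because it shows categories for which nobody has yet decided a retention period.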

Your customers should be able to request deletion of their personal data

Your customers should be able to contact your organisation and request deletion of their personal data. 

Your customers should be able to request that you stop processing their data

You should provide means to your customer to request your organisation to stop processing of their personal data. 

Your customers should be able to request that their data be delivered to themselves or a 3rd party

Your organisation should have means in place to allow your customers to request transfer of their data to themselves or to a 3rd party. 

Your customers should be able to object to profiling or automated decision making based on their personal data

This only applies if your company does profiling or other automated decision making, e.g. segmentation for email marketing or retargeting campaigns. Where a decision is based solely on automated processing and has legal or similarly significant effects on the person, they also have the right to obtain human intervention and to contest the decision (Article 22).

CONSENT

Where processing is based on consent, such consent must be freely given, specific, informed, and revocable

If your website collects personal information in any way, show an easily visible link to your privacy policy and obtain an explicit confirmation from the user. Consent requires an affirmative action, so pre-ticked boxes, silence or inactivity do not count, and you must be able to demonstrate afterwards that consent was given (Article 7(1)).

Your privacy policy should be written in clear and understandable terms

It should be written in clear and plain language and not conceal its intent in any way; failing this can make the consent invalid. When providing services to children, the policy should be simple enough for them to understand.

It should be as easy for your customers to withdraw consent as it was to give it in the first place

If you do not already have a process for this, define one, for example an unsubscribe link in every marketing email or a consent settings page in the customer's account, and make sure the withdrawal is recorded and honoured by every system that relies on that consent.
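An added example, not code from the original post, covering the three consent items above: an append-only consent ledger that refuses to record consent without an affirmative action, makes withdrawal a single call just like granting, and can answer both "does this person currently consent to this purpose?" and "who consented under an older policy version and needs to be told about the change?". The subjects, purposes, policy version labels and collection methods are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # what the consent covers, e.g. "marketing_email"
    granted: bool           # True = consent given, False = consent withdrawn
    policy_version: str     # privacy policy text the subject saw when granting
    method: str             # how it was collected: "web_checkbox", "email_link", ...
    at: datetime


class ConsentLedger:
    """Append-only record of consent grants and withdrawals (demo assumption:
    kept in memory; a real ledger would be persisted and tamper-evident)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, policy_version: str,
              method: str, at: datetime, affirmative_action: bool) -> None:
        # Consent must be an affirmative act: a pre-ticked box or silence
        # is not consent, so refuse to record it at all.
        if not affirmative_action:
            raise ValueError("consent needs an affirmative action (no pre-ticked boxes)")
        self._events.append(ConsentEvent(subject_id, purpose, True, policy_version, method, at))

    def withdraw(self, subject_id: str, purpose: str, method: str, at: datetime) -> None:
        # Withdrawing is one call, the same effort as granting.
        self._events.append(ConsentEvent(subject_id, purpose, False, "", method, at))

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Current state is the latest event for (subject, purpose), optionally
        evaluated as of a point in time (for audits: 'was sending lawful then?')."""
        state = False
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.subject_id == subject_id and ev.purpose == purpose \
                    and (at is None or ev.at <= at):
                state = ev.granted
        return state

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded about one person, for access requests and audits."""
        return [ev for ev in self._events if ev.subject_id == subject_id]

    def active_under_older_policy(self, current_version: str) -> List[str]:
        """Subjects whose active consent was given under an earlier policy version,
        i.e. who must be informed of the change."""
        latest: Dict[Tuple[str, str], ConsentEvent] = {}
        for ev in sorted(self._events, key=lambda e: e.at):
            latest[(ev.subject_id, ev.purpose)] = ev
        return sorted({s for (s, _p), ev in latest.items()
                       if ev.granted and ev.policy_version != current_version})


def build_demo_ledger() -> ConsentLedger:
    """Constructed demo data: two grants under different policy versions and
    one withdrawal."""
    ledger = ConsentLedger()
    ledger.grant("alice", "marketing_email", "v2", "web_checkbox",
                 datetime(2019, 9, 1, 10, 0), affirmative_action=True)
    ledger.grant("bob", "marketing_email", "v1", "web_checkbox",
                 datetime(2019, 8, 1, 9, 30), affirmative_action=True)
    ledger.withdraw("alice", "marketing_email", "email_link",
                    datetime(2019, 9, 15, 8, 0))
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("alice may be emailed:", ledger.has_consent("alice", "marketing_email"))
    print("bob may be emailed:", ledger.has_consent("bob", "marketing_email"))
    print("consented under an older policy than v2:",
          ledger.active_under_older_policy("v2"))
```

The point-in-time query matters for audits: if a complaint arrives about an email sent on a given date, the ledger can show whether consent was in force at that moment, not just whether it is in force today.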

If you process children's personal data, verify their age and ask consent from their legal guardian

For children younger than 16 (member states may lower this threshold to 13), you need consent from the holder of parental responsibility. If consent is given via your website, make reasonable efforts to verify that approval was actually given by the guardian and not by the child.

When you update your privacy policy, you inform existing customers

For example, by emailing upcoming changes to your privacy policy. Your communication should explain in simple terms what has changed.

FOLLOW-UP

You should regularly review policies for any changes, effectiveness, handling of data and changes to the state of affairs of other countries your data flows to

Follow up on best practices, changes to the legislation and its interpretation by supervisory authorities, and changes affecting the countries your data flows to.

SPECIAL CASES

Your business understands when you must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing.

A DPIA (Article 35) is required where processing is likely to result in a high risk to the rights and freedoms of people, in particular systematic and extensive profiling that significantly affects them, large-scale processing of special categories of data or criminal records, and systematic monitoring of publicly accessible areas on a large scale. Carry out the assessment before the processing starts and consult the supervisory authority if the residual risk remains high.

You should only transfer data outside of the EU to countries that offer an appropriate level of protection

Transfers to countries without an adequacy decision from the European Commission need appropriate safeguards, such as standard contractual clauses or binding corporate rules (Chapter V). Disclose these cross-border data flows in your privacy policy.

 

We hope that you found this GDPR checklist for businesses helpful. 
