GDPR Compliance Checklist: 8 Steps You Need to Complete

Written by Matt Davis, CIPM (IAPP) | September 6, 2023

GDPR compliance can be tricky.  

Even if you summon the willpower to read through the law’s text, it can be tough to know where to start. As an alternative to poring over the GDPR’s legalese, one way to establish a foundation is to follow a GDPR compliance checklist. In this article, we will cover the basics of the GDPR, explore its key principles, and outline the essential steps to achieve compliance. 

Understanding the Basics of GDPR 

Before delving into the checklist, let's first understand what the GDPR is all about. 

What Is the GDPR? 

The GDPR is a comprehensive set of regulations formulated by the EU to protect the privacy and personal data of its citizens. It was implemented on May 25, 2018, and applies to any organization that processes the personal data of EU residents, regardless of its location.   

The primary objective of GDPR is to give individuals greater control over their personal data and to harmonize data protection laws across the EU member states. By doing so, it aims to enhance the protection of individuals' privacy rights. 

Under GDPR, personal data is defined as any information relating to an identified or identifiable natural person. This includes not only obvious identifiers such as names and addresses but also less obvious ones like IP addresses. It covers a wide range of personal data, from basic contact information to sensitive data such as health records and biometric data. 

Why Is the GDPR Important? 

Firstly, the GDPR empowers individuals by giving them more control over their personal data. It gives EU citizens certain rights—known as data subject rights—such as the right to access, rectify, and erase personal data, as well as the right to object to certain types of processing. We’ll get into more detail on data subject rights later on in the GDPR checklist. 

Secondly, the GDPR aims to harmonize data protection laws across the EU member states. Prior to the GDPR, each member state had its own data protection laws, leading to a fragmented and inconsistent regulatory landscape. The GDPR establishes a single set of rules that apply uniformly across the EU, making it easier for businesses to operate across borders. 

Furthermore, compliance with GDPR is not just about avoiding legal penalties. It also strengthens the trust between businesses and their customers. By demonstrating a commitment to protecting personal data, organizations can build a positive reputation and enhance customer loyalty. 

GDPR Enforcement 

Non-compliance with GDPR can have serious consequences. If you process the data of even a single person from the EU, you’re subject to the GDPR—though you wouldn’t likely face a significant fine for any associated violations. As you process more EU citizens’ data and engage in more serious violations of the GDPR, fines can reach up to the higher of 20 million euros or 4% of your total global annual turnover.  

In addition to financial penalties, non-compliant organizations may also suffer reputational damage, loss of business opportunities, and potential legal action from affected individuals. 

Key Principles of the GDPR 

Now that we have a basic understanding of the GDPR, let's delve into its key principles. While these principles don’t translate directly into checklist items, they inform how your compliance activities should be carried out.  

Your record of processing activities (RoPA), for instance, won’t be very effective if you don’t understand data minimization. As another example, your consent management won’t be very effective if you don’t understand the need to be accountable for demonstrating consumer consent later down the road. These principles inform the perspective you need to keep in mind when acting upon regulatory requirements. 

Lawfulness, Fairness, and Transparency  

One of the key principles of the GDPR is the requirement for organizations to process personal data lawfully, fairly, and transparently. This means that organizations must have a valid legal basis for processing personal data and must document this basis to demonstrate compliance.  

In addition to obtaining a legal basis, organizations must ensure that individuals are aware of the purpose of the data processing and any other relevant information. This includes providing clear and concise privacy notices that explain how personal data will be used, who it will be shared with, and how long it will be retained. Transparency is essential to building trust with individuals and allowing them to make informed decisions about the use of their personal data. 

Purpose Limitation  

According to this principle, organizations should only collect personal data for specified, explicit, and legitimate purposes. This means that organizations must clearly define the purpose for which personal data is being collected and ensure that the data is not processed for another purpose. 

By adhering to the principle of purpose limitation, organizations can avoid collecting unnecessary personal data and minimize the risks associated with data processing. This principle also helps to ensure that individuals' personal data is not used for purposes that they did not consent to or that they would not reasonably expect. 

Data Minimization 

The data minimization principle requires organizations to ensure that personal data is adequate, relevant, and limited to what is necessary for the intended purpose. This means that organizations should only collect and retain the minimum amount of personal data needed to achieve the specified purpose.  

By practicing data minimization, organizations can reduce the amount of personal data they hold, which in turn reduces the risk of data breaches and unauthorized access. It also helps to protect individuals' privacy rights by ensuring that their personal data is not unnecessarily collected or retained. 

Accuracy 

Organizations must ensure that the personal data they process is accurate, up-to-date, and relevant. They should take reasonable steps to rectify or erase inaccurate or incomplete data promptly. This principle ensures that individuals have access to correct and reliable information about themselves.  

Storage Limitation 

According to this principle, personal data should not be stored indefinitely. Businesses should determine a specific retention period and delete the data once its purpose has been fulfilled, unless there is a legal obligation to retain it. This principle helps to prevent the unnecessary storage of personal data and reduces the risk of unauthorized access. 

Integrity and Confidentiality 

In addition to minimizing the amount of personal data collected, organizations should also implement appropriate technical and organizational measures to ensure the security of the data. This includes measures such as encryption, access controls, regular data backups, and staff training on data protection. 

Accountability 

Lastly, businesses need to be accountable for their compliance. That means being able to demonstrate that you’ve taken steps to ensure GDPR compliance, keeping records of consumer consent preferences and subject rights requests, compliance decision-making, and so on. 

GDPR Compliance Checklist: How to Act on Compliance 

Now that the key principles of GDPR are clear, let's move on to the steps you need to take to achieve compliance. 

1. Map Your Data and Conduct a RoPA 

The first step is to conduct a thorough data audit to identify the types of personal data you collect, the purposes for which you process it, and the storage duration. This audit will help you understand the data flow within your organization and identify any potential compliance gaps. 

During the data audit, consider the various sources from which you collect personal data. This could include customer registration forms, online purchases, email subscriptions, or any other interactions with individuals. By mapping out the data flow, you can gain a holistic view of how personal data enters, moves within, and exits your organization. Doing this manually can be highly challenging, so it’s a best practice to use an automated data mapping tool instead. 

Furthermore, the data audit should also consider the different categories of personal data that you process. This could include sensitive personal data, such as health information or biometric data, which require additional safeguards and considerations under the GDPR. By identifying the different types of personal data you handle, you can tailor your compliance efforts accordingly. 

2. Identify Lawful Basis for Data Processing 

Under the GDPR, businesses must have a valid lawful basis for processing personal data. The GDPR lists out the following as acceptable lawful bases: 

  • The individual's freely given, clear, and unambiguous consent.  
  • The performance of a contract, such as for processing personal data to fulfill orders, provide services, or manage employment contracts. 
  • Compliance with a legal obligation, or when you are required by law to process personal data. This can include compliance with tax laws, employment laws, or other legal obligations imposed by regulatory authorities. 
  • Protection of vital interests, or when processing personal data is necessary to protect someone's life. 
  • Performance of a task carried out in the public interest, or when data processing is necessary to perform a task in the public interest or exercise official authority. 
  • Legitimate interests pursued by the data controller or a third party, so long as the processing does not override the data subject’s rights and interests. 

When identifying the lawful basis for data processing, it is crucial to consider the specific purposes for which you process personal data. Each purpose may require a different lawful basis, and it is important to ensure that your chosen basis aligns with the requirements of GDPR. For example, if you are processing personal data for marketing purposes, you may need to rely on the individual's consent as the lawful basis. 

It is also important to document your chosen lawful basis for each processing activity. This documentation will serve as evidence of your compliance efforts and will be essential in case of any regulatory inquiries or audits. 

3. Implement Data Protection Measures 

The GDPR mandates that organizations implement appropriate technical and organizational measures to ensure the security of personal data. This includes measures such as pseudonymization, encryption, access controls, regular data backups, and staff training on data protection protocols. 

Pseudonymization involves replacing identifying information with a pseudonym, making it more difficult to link the data back to an individual without additional information. Encryption, on the other hand, involves converting data into a coded form that can only be accessed with a decryption key, providing an additional layer of protection. 
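The distinction between pseudonymization and plain hashing is easy to get wrong in practice: an unkeyed hash of an email address can be recomputed by anyone who knows a candidate address, so it does not need "additional information" to re-link. The following added example (not code from the article or from Osano) shows pseudonymization with a keyed HMAC, where the key held separately from the data set is the additional information needed to re-identify a subject, for instance when answering an access request. The sample orders and the `ORDERS`, `make_pseudonym`, `pseudonymize_orders` and `orders_for_subject` names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; no real individuals.
ORDERS = [
    {"email": "alice@example.com", "item": "book", "amount": 12.50},
    {"email": "bob@example.com", "item": "pen", "amount": 2.00},
    {"email": "alice@example.com", "item": "lamp", "amount": 30.00},
]


def make_pseudonym(email: str, key: bytes) -> str:
    """Derive a stable pseudonym from an identifier using HMAC-SHA256.

    A keyed MAC is used rather than a plain hash: a plain SHA-256 of a known
    email can be recomputed by anyone and the record re-linked, whereas
    recomputing an HMAC requires the key. That key, stored apart from the
    pseudonymized data, is the "additional information" that separates
    pseudonymization from merely obscuring a field.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def pseudonymize_orders(orders: list[dict], key: bytes) -> list[dict]:
    """Return copies of the orders with the email replaced by a pseudonym.

    The same subject always maps to the same pseudonym, so per-customer
    analytics still work on the pseudonymized data set without the email.
    """
    return [
        {
            "subject": make_pseudonym(order["email"], key),
            "item": order["item"],
            "amount": order["amount"],
        }
        for order in orders
    ]


def orders_for_subject(pseudonymized: list[dict], key: bytes, email: str) -> list[dict]:
    """Re-link a data subject's rows, e.g. to answer an access request.

    Only a holder of the key can recompute the pseudonym; with a different
    key (or no key) the lookup finds nothing.
    """
    wanted = make_pseudonym(email, key)
    return [row for row in pseudonymized if row["subject"] == wanted]


if __name__ == "__main__":
    # In a real deployment the key lives in a secrets store, not beside the data.
    key = secrets.token_bytes(32)
    data = pseudonymize_orders(ORDERS, key)
    for row in data:
        print(row)
    print("alice's rows:", orders_for_subject(data, key, "alice@example.com"))
```

Note that pseudonymized data is still personal data under the GDPR, because the controller can re-identify it with the key; the technique reduces risk for the data set that analysts and downstream systems see, it does not take the data out of scope.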

Access controls should be implemented to ensure that only authorized individuals have access to personal data. This can be achieved through user authentication mechanisms, role-based access controls, and regular access reviews to prevent unauthorized access or accidental data breaches. 

Regular data backups are crucial to ensure that personal data can be restored in case of any data loss or system failures. These backups should be securely stored and regularly tested to ensure their effectiveness. 

Lastly, staff training on data protection protocols is essential to ensure that employees understand their responsibilities and are aware of the potential risks associated with personal data processing. Training sessions should cover topics such as data handling procedures, incident reporting, and the importance of maintaining confidentiality. 

4. Establish Notice and Consent Mechanisms 

One of the key requirements of GDPR is obtaining valid consent from individuals for processing their personal data. Businesses should review their consent mechanisms to ensure that they meet the GDPR standards, such as being freely given, specific, informed, and unambiguous. 

When obtaining consent, it is important to provide individuals with clear and understandable information about the purposes for which their data will be processed. This includes informing them about any third parties with whom their data may be shared and their rights regarding data access, rectification, and erasure. In fact, you must provide this notice in order to respect the rights EU citizens receive under the GDPR: specifically, the right to be informed.  

If you collect information directly from the data subject, then you’ll need to inform them about the collection and intended use of their data right at the moment of collection. You could receive personal data in other ways, such as through a vendor. If that’s the case, then you’ll need to inform the data subject about your processing activities in less than a month’s time. 

Consent mechanisms should also provide individuals with an easy way to withdraw their consent at any time. This can be achieved through simple and accessible opt-out options, such as unsubscribe links in email communications or account settings on online platforms. Generally, businesses rely on consent management platforms, or CMPs, to operationalize data processing consent. 

Regularly reviewing and updating consent mechanisms is essential to ensure ongoing compliance with GDPR. As your business evolves and introduces new processing activities, it is important to assess whether existing consents cover these activities or if additional consents need to be obtained. 

5. Develop a DSAR Process 

Some of the privacy rights provided by the GDPR require a response from the businesses that control or process the data subject’s data. Broadly, they’re referred to as data subject access requests (DSARs; the right of access is just one right, but the term is often used to refer to all subject rights requests).  

Establishing a process for the timely, efficient, and accurate fulfillment of these rights is essential. In fact, businesses have just one month from receipt of a DSAR to complete it—it’s possible to extend this deadline, but you should really be aiming to fulfill every DSAR within the initial timeframe since requesting an extension creates extra risk.  

The following are examples of the sorts of requests that data subjects may make under the GDPR. 

  • The right to access their data. 
  • The right to have inaccurate or incomplete personal data rectified and completed. 
  • The right to be forgotten and request the erasure of personal data related to them on specific grounds within 30 days.  
  • The right to restrict processing. 
  • The right to transfer personal data from one electronic processing system to another, without being prevented from doing so by the data controller. 
  • The right to object to how their information is used for marketing, sales, or non-service-related purposes.  
  • The right to not be subject to solely automated decisions. 

6. Evaluate International Data Transfer Needs and Frameworks 

Will your organization need to transfer data outside of the EU? If so, you’ll need to comply with Chapter 5 of the GDPR, which lays out the circumstances under which international data transfers are compliant. 

Generally, you’ll want to see if the European Commission has issued an adequacy decision for the country you want to transfer data to. In essence, that’s the Commission stating that the data protection laws or the international commitments made by that country indicate that EU citizens’ data will receive adequate protection once transferred.  

This can be a complex and fluid scenario, however. In the case of the U.S., for example, the Commission has deemed that transferred data wouldn’t be adequately protected due to the degree of access that U.S. intelligence agencies have to U.S.-based organizations’ data.  

To achieve adequacy in the eyes of the Commission, a variety of frameworks have been put into place to ensure EU citizens’ data receives the protection it deserves in the U.S. First, there were the Safe Harbor provisions—these were eventually deemed insufficient by the European Court of Justice. Then, there was the Privacy Shield—this too, was struck down by the Court. As of this writing, the third (and hopefully final) framework—the Data Privacy Framework, or DPF—is still in place. Although the DPF does improve upon its predecessors, time will tell whether this international agreement provides an adequate level of protection for EU citizens’ data. 

Even if the DPF is deemed invalid, or if you want to transfer data to another country that has not gained an adequacy decision, there are other avenues. These include: 

  • Binding Corporate Rules (BCRs), which enable international organizations to transfer data internally from one country’s office to another’s. 
  • Standard Contractual Clauses (SCCs), which are contractual agreements between the sending and receiving organizations that ensure the individual organizations adhere to a certain standard of data protection. These are not always ironclad depending on the data protection practices of the other country, however. 
  • Derogations in specific situations, which include a short list of alternative bases for compliant data transfers. These are things like the data subject’s consent, the performance of a contract, protecting an individual’s vital interests, and so on. 
  • And several other niche international data transfer mechanisms. 

For the most part, organizations will rely on either an adequacy decision or SCCs. The other methods for international data transfers are highly specific and unlikely to apply to the bulk of organizations. 

7. Secure Required Personnel 

Under the GDPR, your organization will need to keep certain experts on staff depending on the nature of your organization, its business, and its location. 

Notably, you may be required to hire a Data Protection Officer (DPO). If your core activities involve processing sensitive data on a large scale, or if they involve large-scale monitoring of individuals, then you’ll need a DPO. So, a small medical practice that processes its patients’ personal data likely doesn’t need a DPO, but a hospital processing large sets of sensitive data would. 

If your business is external to the EU but you process EU citizens’ data, odds are you’ll be required to establish a GDPR representative. This individual needs to be based in one of the EU member states, and they’ll serve as your organization’s liaison to EU data protection authorities. Fortunately, you don’t have to open up a new European branch of your business to retain a GDPR representative; there are organizations that can provide this service for you (including Osano). 

8. Review and Iterate 

It can be tempting to think of data privacy compliance as a one-and-done activity, but the reality is that compliance is an ongoing process. Your organization and the way your organization processes personal data will change over time. It’s essential that you:  

  • Keep your data map and RoPA updated. 
  • Ensure your legal basis for processing remains valid. 
  • Improve upon your data protection efforts to plug any gaps, keep up with evolving security practices, and adjust as your systems and processes change over time. 
  • Maintain your privacy policies and notices so that they accurately reflect the reality of your organization’s data processing activities. 
  • Iterate upon your DSAR workflow to reduce effort, risk, and cost. 
  • Review international data privacy developments to ensure you can adequately protect EU citizens’ data abroad. 
  • Maintain adequate staff and plan for associated costs. 

Attending to all of these requirements at once can be exhausting, especially if you rely on manual, time-consuming processes to carry out your compliance activities. Businesses that rely on Osano for their data mapping, consent management, DSAR workflow, and other difficult but highly automatable compliance requirements regain much-needed time to maintain their GDPR compliance status. 

Schedule a demo to find out how Osano can support your compliance with the GDPR and beyond.