A 10-Step GDPR Compliance Checklist to Prepare/Audit Your Business

It has been over two years since the European Union’s new privacy law – the General Data Protection Regulation (GDPR) – became a game-changer for businesses all over the world. And yet, AIIM states that 50% of companies know almost nothing about GDPR, not even speaking about being GDPR compliant.

Obviously, ignorance of the law doesn’t excuse anyone. Not being compliant with GDPR puts small, medium, and large businesses worldwide in a position where they can lose up to 4% of annual turnover or €20 million ($23 million), whichever is greater.

In this post, we’ve put together all critical points about GDPR that you must know to protect your business from tremendous financial and reputational losses as a business owner or a C-level manager. We’ve also included some tools that will help you on your way to GDPR compliance.

In this post, we cover:

What is GDPR?
How does GDPR affect your business?
GDPR compliance checklist with guidelines
GDPR compliance services to ease the implementation process

Before we jump in, remember that you can’t and don’t have to become GDPR compliant in one go. What you can and need to do is start implementing this checklist without delay, following a piecemeal approach.

GDPR Overview and Definition

GDPR is the law created to give people more control over the personal data they share on the internet. Before the GDPR was created, there had been multiple cases of personal data violations and misusages, like selling contacts to third parties without users knowing about that. These violations had created a strong need in the law to bring control over the personal data back to people. GDPR protects customers’ data and the data of employees, suppliers, and any parties involved in data sharing.

What is classified as personal data? As the GDPR directive states, any information that is somehow related to a person classifies as personal data. Here are a few examples: a photo, name, email address, phone number, social security number, posts in social media, I.P. address, location, occupation. No matter if this data is private, public, or work-related – if it is personal, it is personal.

The main goal of GDPR is to guarantee any E.U. resident’s right to the privacy and security of their data and their ability to have control over it.

Also, it doesn’t matter if you store data of E.U. citizens outside of the E.U. – even then, GDPR rules are still applicable to this data.

Who Will Be Affected By GDPR

GDPR rules apply to anyone who collects, records, organizes, stores, and processes personal data, i.e., to most businesses across the world. This makes GDPR the most extensive data privacy regulation to date back.

It doesn’t matter if you are a small mortar store, a large tech company, work in e-commerce or own an email marketing company. It also doesn’t matter whether your business is located in the E.U., U.S., New Zealand, or Australia. If you have customers, employees, or suppliers from the E.U. and you interact with their data in any way – you fall under the GDPR.

The European Union takes this law very seriously. You can remember the massive story with Facebook’s misuse of customer information in 2018; other big players like British Airways and Marriott International have also suffered from €200 million and €99 million GDPR fines, respectively.

But don’t let this mislead you into thinking that GDPR is after the big players only; it’s not. While large companies are first in line for the investigation, it will eventually reach the smaller players. So unless you intend to collect data from all E.U. and U.K. citizens, you must follow all GDPR guidelines.

10-Step GDPR Compliance Checklist

Preparing and implementing a sound compliance plan may take months or even years, depending on your resources and the amount of personal data you are dealing with. We have broken this process down to a 10-step checklist that your company needs to follow to become GDPR compliant.

1. Hire or seek the assistance of a Data Protection Officer (DPO)

If your company is a public authority, is engaged in monitoring of people, or collects and processes high volumes of sensitive/personal data, you are obligated to appoint a DPO. The nuances like whether you need to hire a full-time DPO or outsource help from an outside consultant depend on your organization’s size and preferences.

You can also appoint someone from your team who has related knowledge and experience to be responsible for your company’s data protection. The DPO will help you systemize the process, enforce data protection measures, and make the process according to the law to get the GDPR certification.

2. Determine what type of data you have/plan to collect

This is important for three reasons. First, even if users handed their data to you long before the law entered into force, you must ask for their consent post-factum. You can do it via email or in any other manner, but be sure to get the clear YES.

Second, if someone asks you what information you have on them, you are obligated to give a comprehensive answer within 30 days after they asked you that.

And third, if you were ever to be investigated by the GDPR, you must show that you keep your hand on the pulse and control what data gets to you. Be sure to keep a categorized list of all data you collect and keep it in a safe place.

3. Determine what data you need to keep and which to let go

According to GDPR, you can’t hold on to data if you can’t explain why you need it. Don’t keep data just in case and determine what data you need and for what purposes.

Here are the questions to help you with that:

For what purpose are we archiving or saving this data?
Is keeping this information more beneficial than erasing it?

Also, map where all your data resides and keep it in an organized fashion.

4. Create a clear privacy notice

Every time a user gives you their email, phone, or name, it is your responsibility to notify them why you need that information and how you will use it. If you share this information with third parties, specify that. Make sure that you use clear and understandable language with no jargon or technicalities.

You can do it by creating a privacy notice – an online document that tells customers, regulators, and other stakeholders what your organization does with personal information. You can allocate a page on your site for the privacy policy and link it in the footer, in the cookie policy window, and everywhere where you specifically ask for these data.

Your privacy notice must include the following details:

1) Your contact information (the name, email, address, phone number of the company)

2) The types of data you collect (name, phone, account numbers, I.P. address, credit card numbers, etc.)

3) How you collect the data

4) Lawful basis for the personal data processing

5) What exactly will you do with data (sharing with third parties, storing, etc.)

6) How long you will be keeping the data on your platforms

7) What data subject rights customers have under the GDPR

8) A link to your privacy policy

The example of the opt-in checkboxes in the GDPR compliant cookie notification

To create a GDPR privacy policy, you can use one of the free privacy policy generators.

5. Establish the procedures for handling personal data

You need to plan the following procedures:

How will you provide the information you have on a person?
How will you delete the data if you were asked to? How will you check if all data was deleted?
How should people give their consent to you about using their data?

If you are going to use personal data for purposes that are not vital for users’ interaction with your site or product, like marketing (sending emails or SMS, calling) or collecting statistics for your analytics, they need to opt-in for that. Before GDPR, there was automatic consent from the customer’s side for companies using their data.

This concept is called “opt-out’, which means that the user needs to seek ways to stop the data collection. Now, the “opt-in” approach has taken its place, which obligates companies to receive approval from customers uses their information.

There are many examples of opt-in forms with checkboxes where users need to tick a box or perform an action to provide their consent on using their information.

6. Inform your employees

You need to inform your employees about the GDPR law basics and that your company is on the way to becoming compliant. There are two major reasons for that. First, your employees are the key part of your organization involved in all aspects of data processing, which makes them data objects. Second, they provide you with their personal data, which makes the data subjects aware of their rights.

Ensuring that all of your team members are aware of the GDPR law and the ways your company is meeting its requirements will decrease the chances that your business will be liable because of your employee’s mistakes.

7. Create an action plan in case of security breaches

Companies face data breaches every single day. Assuming that it will never happen to your organization would be careless, to say the least. Even if you have all the security measures in place (which is rarely the case), you still have to be prepared for the worst.

Having an action plan in case of a data breach will help your company overcome it with minimal losses and prevent getting fined by the GDPR investigators.

This plan is your way to systemize all the steps to take after a data breach is detected. It includes:

1. Reporting. GDPR states that you must report the data breach within 72 hours to authorities and data subjects. Make sure you have chosen the spokesperson, created statement templates to communicate the data breach to the data subjects, stakeholders, and partners.

2. A consequence of actions. Create a different flowchart for different incidents with a step-by-step process that covers both legal and regulatory aspects.

3. Role assignment. Who will take charge if you detect a data breach? How will you “patch the hole,” and what resources do you need for that? Ask your security team for assistance.

8. Make sure that data is secure

When you take someone’s data, you become liable for its safety. It is your responsibility to create a secure environment that protects data from all possible threats.

The goal is not to prevent 100% of attacks and breaches (which is impossible) but rather to ensure that you did everything to minimize the chances of their occurrence. If a data breach occurs, your security measures will fall under a thorough investigation by the GDPR. If they find your security measures insufficient, you may face million-dollar fines for compromising users’ data.

Here are the measures you should have in place or need to implement to ensure that no one will leak, hack, or misplace users’ data:

Use up-to-date software with security patches;
Have antivirus software in place;
Backup your data;
Implement mandatory cybersecurity training for your employees;
Monitor risky third-party applications connected to your user accounts and control what access permissions your employees grant to them;
If you keep your data in the cloud, use ransomware monitoring for the cloud;
Monitor data usage and domain activities (including user logins and login attempts);
Audit your data to detect potentially dangerous activities, like sharing credit card information via email.

Learn about the financial impact of non-compliance on your business:

Try SpinOne for free