Do you work with business associates or accept payments from customers in the EU? If any part of your business is conducted with the EU, you need to understand the General Data Protection Regulation (GDPR). This data protection regulation is strict, complicated, and carries heavy penalties for noncompliance. Read on for our 6-step GDPR compliance checklist, so you can keep careful track of your compliance efforts.
What Does It Mean to Be GDPR Compliant?
Released by the EU Commission in 2018, the General Data Protection Regulation (GDPR) is one of the toughest, most stringent data protection laws in the world. Being GDPR compliant means making sure you run a tight ship when it comes to cybersecurity efforts and privacy protection, including implementing transparent privacy policies, obtaining consent when collecting data, tightening your contracts with business associates around GDPR compliance, and hiring and training controllers and processors in GDPR strategy.
What Does GDPR Protect?
GDPR protects EU citizens’ private data; any identifiable data about a user or consumer falls under the GDPR. The GDPR has been designed to make businesses’ practices around data processing and storage as transparent as possible to the individual, and to give the consumer control over how their data is stored and used.
Does My Company Need to Be GDPR Compliant?
If your organization works with clients or consumers in the European Union and if you collect, store, or process any sensitive information originating from any member states of the EU, you must be GDPR compliant, even if your company is not based in the EU.
What Happens If My Company Is Not in Compliance with the GDPR?
Companies who are noncompliant with GDPR can face hefty fines from the EU Commission. Global law firm DLA Piper reported that, as of January 2021, GDPR fines totaled €272.5 million. Tech giants and multinational corporations were hit hardest, but DLA Piper’s survey listed over 281,000 data breaches reported to national regulators across the EU. GDPR fines could put smaller enterprises at risk, as well — following a GDPR compliance checklist could save you thousands of dollars down the line.
What Are the Seven Principles of the GDPR?
The GDPR is organized by seven core principles: 1) lawfulness, fairness and transparency, 2) purpose limitation, 3) data minimization, 4) accuracy, 5) storage limitations, 6) integrity and confidentiality, and 7) accountability. Read on to learn more about each principle.
1. Lawfulness, Fairness, and Transparency
This principle ensures that a company’s privacy and data processing practices are transparent and allow users to access, alter, and view their own data, and that data will not be used in ways that are harmful to or exploitative of individuals.
2. Purpose Limitation
Businesses should collect data only for specific, viable purposes; each of these purposes should be within the scope of the business and in service of its operations and its consumers.
3. Data Minimization
Hand-in-hand with purpose limitation, data minimization means that only the minimal amount of data necessary for the functioning of the business should be collected, processed, and stored.
4. Accuracy
Any data you collect should be “accurate and, where necessary, kept up to date” — this also means deleting any old and inaccurate data, like outdated addresses or incorrect name spellings.
5. Storage Limitations
This principle stipulates that an organization may not keep and store identifiable personal information for longer than strictly necessary to conduct business, excluding for the purposes of archive collection, scientific knowledge, and public interest.
6. Integrity and Confidentiality
The GDPR mandates that organizations must store and process data in ways that protect the integrity of information contained therein and the confidentiality of the individual; this includes reducing the possibility data might be damaged or altered during data processing.
7. Accountability
Accountability refers to the measure that an organization will take in the case of a data breach. Under the GDPR, organizations must respond to a data breach within 72 hours or face extra penalties.
The 6-Step GDPR Compliance Checklist
A GDPR compliance checklist is the first step to keeping track of your GDPR compliance efforts; the checklist operationalizes each of the GDPR principles and gives you the building blocks for creating a strong GDPR compliance strategy. The following GDPR compliance checklist outlines the steps you need to take to make sure your organization is adhering to the GDPR’s seven core principles.
1. Conduct a Cybersecurity Risk Assessment
A cybersecurity risk assessment plan will set you up to identify weak spots that your organization already faces regarding the handling of personal information; develop a risk management plan that incorporates components of the GDPR.
2. Identify Alternate Standards as Precursors
The GDPR is still relatively new; while it is strict and comprehensive, you may already have achieved alternate security and compliance certifications or used other standards to help you benchmark your data security and privacy protection efforts. Following established standards like ISO 27001 can be helpful in achieving GDPR compliance.
3. Hire a Data Protection Officer (DPO)
Any GDPR-compliant organization that has more than 15 employees must hire or appoint a Data Protection Officer (DPO); this person will be your GDPR expert, monitoring stored data and managing data processing, and implementing the appropriate controls.
4. Give Consumers Control Over Data Collection and Storage
Following the transparency and storage limits principles, you should make sure you a) have consent from users before collecting their data, b) are transparent about your privacy rules and storage limits, and c) allow them to delete their data or unsubscribe from lists at any point.
5. Conduct a GDPR Audit
Once you have conducted a basic cybersecurity risk assessment based on your organization’s goals and benchmarked with alternate external standards, comb through GDPR regulations and see where your organization may be falling short. Stay on top of your GDPR compliance efforts by creating a GDPR audit schedule.
6. Prepare for a Breach
The GDPR requires a response to a data breach within 72 hours and contact any individuals’ whose data has been compromised “without undue delay” — have a plan ready for your response, including who will respond, how you will record the breach, and any documentation necessary for informing individuals and the EU Commission of the breach.
Bottom Line: Complying with the GDPR
The GDPR is widely accepted as the strongest data protection regulation in the world, and the learning curve can be steep for businesses who wish to expand their operations or work with countries in the EU. CrossComply, AuditBoard’s compliance management software, can help you manage your GDPR compliance checklist and ensure that you’re implementing the proper controls. Get started with our compliance management software today!
