The General Data Protection Regulation (GDPR) sets strict standards for how organizations handle the personal data of people in the EU (it protects data subjects in the Union, not only EU citizens, and binds non-EU companies that offer them goods or services or monitor their behaviour). With fines of up to 4% of worldwide annual turnover for the most serious infringements, it’s crucial that organizations review their data practices regularly to ensure they remain compliant as regulatory guidance, case law, and their own processing change.
Here is a checklist to help determine if your company is GDPR compliant in 2024:
Lawful Basis for Processing Data
The GDPR requires having a lawful basis for processing personal data. The options are:
- Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: Processing is necessary to fulfill or initiate a contract with the individual.
- Legal Obligation: Processing is necessary to comply with the law.
- Vital Interests: Processing is necessary to protect someone’s life or safety.
- Public Task: Processing is necessary to perform a task in the public interest or exercise official authority.
- Legitimate Interests: Processing is necessary for your legitimate interests or those of a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the individual. Document the balancing test you performed.
Do you have a documented lawful basis for all personal data processing activities?
Consent Management
- Is consent freely given, specific, informed and unambiguous? Consent requests must be clearly distinguishable from other terms and conditions and written in plain language; pre-ticked boxes, silence, or inactivity do not count as consent.
- Are records kept of how and when consent was obtained? Consent must be verifiable.
- Is consent reviewed and refreshed periodically? The GDPR sets no fixed expiry date for consent, but it must be re-obtained if the purpose changes, the privacy notice under which it was given changes materially, or it no longer clearly reflects the individual’s wishes.
- Is withdrawing consent as easy as giving it? Individuals can withdraw consent at any time.
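The consent bullets above describe what a consent record has to be able to prove: for which specific purpose, when, how, and under which notice it was obtained, and whether it has since been withdrawn. The following is an added example, not code from the original page or from any product, of an append-only consent ledger that records those facts and answers the one question processing code needs (is there valid consent for this purpose right now?). The purpose names, timestamps, and notice versions in it are constructed for illustration.

```python
"""Verifiable consent records: an append-only ledger of consent given and
withdrawn per subject and purpose, plus a check for current validity.
Added example for this checklist; not from any product or library."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific purpose, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # when, timezone-aware, stored in UTC
    source: str           # how it was obtained/withdrawn, e.g. "signup_form_v3"
    notice_version: str   # the privacy notice the person actually saw


class ConsentLedger:
    """Events are only ever appended, never edited or deleted, so the record
    of how and when consent was obtained (or withdrawn) stays auditable."""

    def __init__(self):
        self._events: list[ConsentEvent] = []

    def record(self, subject_id, purpose, granted, at_iso, source, notice_version):
        """Append one grant or withdrawal. `at_iso` must carry a UTC offset;
        a naive timestamp is rejected because it cannot be reliably ordered."""
        at = datetime.fromisoformat(at_iso)
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        at = at.astimezone(timezone.utc)
        self._events.append(
            ConsentEvent(subject_id, purpose, granted, at, source, notice_version)
        )

    def history(self, subject_id, purpose):
        """Chronological audit trail for one subject and one purpose."""
        return sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose),
            key=lambda e: e.at,
        )

    def has_consent(self, subject_id, purpose, current_notice_version=None):
        """True only if the latest event for this exact purpose is a grant
        and, when a notice version is supplied, the grant was made under it.
        Consent for one purpose never implies consent for another."""
        hist = self.history(subject_id, purpose)
        if not hist or not hist[-1].granted:
            return False
        if current_notice_version and hist[-1].notice_version != current_notice_version:
            return False  # notice/purpose changed since: re-obtain consent
        return True


def demo():
    """Constructed walk-through: grant, withdraw, re-grant, then a notice change."""
    ledger = ConsentLedger()
    ledger.record("u1", "marketing_email", True,
                  "2024-01-01T10:00:00+00:00", "signup_form_v3", "2023-11")
    ledger.record("u1", "marketing_email", False,
                  "2024-01-11T09:30:00+00:00", "preferences_page", "2023-11")
    ledger.record("u1", "marketing_email", True,
                  "2024-01-21T09:30:00+00:00", "preferences_page", "2023-11")
    return {
        "marketing_email": ledger.has_consent("u1", "marketing_email"),
        "marketing_email_after_notice_update":
            ledger.has_consent("u1", "marketing_email", current_notice_version="2024-05"),
        "analytics": ledger.has_consent("u1", "analytics"),
        "events_on_file": len(ledger.history("u1", "marketing_email")),
    }


if __name__ == "__main__":
    print(demo())
```

Because withdrawal is just another appended event, the withdrawal path is exactly as short as the grant path, which is what "as easy to withdraw as to give" requires on the back end; the UI still has to match.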
Data Protection Policies
- Is there a data protection policy covering key issues? This should outline compliance efforts, data subject rights, retention schedules, etc.
- Are data protection policies visible and accessible? The privacy notice (what you collect, why, on which lawful basis, for how long, with whom it is shared, and what rights people have) must be given to individuals proactively at the point of collection, not just on request; internal policies must be available to demonstrate compliance to regulators.
Data Minimization
- Is the collection of personal data limited to only what is needed? Data collection should be adequate, relevant and limited to what is necessary.
Data Subject Rights
- Can data subjects access, correct, delete, restrict, export, and object to the processing of their data? Individuals have these rights over their personal data, subject to the exceptions the regulation allows.
- Is there a process to handle data subject requests within one month? The deadline can be extended by up to two further months for complex or numerous requests, but the individual must be told of the extension within the first month. A structured system should be in place, including a way to verify the requester’s identity before releasing data.
- Are data subjects informed of their rights? Transparency requirements apply.
Data Retention
- Are retention schedules defined? Personal data should not be kept longer than needed.
- Is data deleted after retention periods expire? Processes should auto-delete data or identify what’s ready for removal, and should leave alone anything under a legal hold (for example, records relevant to pending litigation or an open data subject request).
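As an added example (not code from the original page or any product) of the "identify what’s ready for removal" step, the script below applies a per-purpose retention schedule to a set of records and sorts them into delete, review-soon, keep, held, and unknown-purpose buckets. The schedule, record IDs, and dates are constructed for illustration and are not legal retention periods; the one design point worth copying is that it fails closed: a record whose purpose has no schedule entry is never deleted automatically.

```python
"""Retention-schedule enforcement: decide which records are due for deletion,
which are approaching expiry, and which must not be touched.
Added example for this checklist; not from any product or library."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed, illustrative schedule: purpose -> days to keep after the
# trigger event (contract end, last activity, ...). These numbers are not
# legal advice; take them from your own documented retention policy.
RETENTION_DAYS = {
    "support_ticket": 365,
    "marketing_lead": 180,
    "job_application": 180,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    retention_trigger: str    # ISO date of the event that starts the clock
    legal_hold: bool = False  # e.g. pending litigation or an open subject request


def classify(records, today, schedule=RETENTION_DAYS, review_days=30):
    """Bucket records by what should happen to them on `today` (ISO date).

    Fails closed: a record whose purpose has no schedule entry goes to
    "unknown_purpose" and is never deleted automatically; a legal hold
    always wins over an expired retention period."""
    today_d = date.fromisoformat(today)
    out = {"delete": [], "review": [], "keep": [], "held": [], "unknown_purpose": []}
    for r in records:
        days = schedule.get(r.purpose)
        if days is None:
            out["unknown_purpose"].append(r.record_id)
            continue
        if r.legal_hold:
            out["held"].append(r.record_id)
            continue
        expiry = date.fromisoformat(r.retention_trigger) + timedelta(days=days)
        if expiry <= today_d:
            out["delete"].append(r.record_id)
        elif expiry - today_d <= timedelta(days=review_days):
            out["review"].append(r.record_id)
        else:
            out["keep"].append(r.record_id)
    return out


def sample_run():
    """Constructed records run against the constructed schedule."""
    records = [
        Record("T-1001", "support_ticket", "2023-05-01"),           # expired
        Record("T-1002", "support_ticket", "2023-06-15"),           # expires in 13 days
        Record("T-1003", "support_ticket", "2024-03-01"),           # well within period
        Record("L-2001", "marketing_lead", "2023-10-01", legal_hold=True),  # expired but held
        Record("X-3001", "beta_feedback", "2022-01-01"),            # no schedule entry
    ]
    return classify(records, today="2024-06-01")


if __name__ == "__main__":
    for bucket, ids in sample_run().items():
        print(f"{bucket}: {ids}")
```

Run it on a nightly schedule, feed the "delete" bucket to the actual erasure job (including backups and downstream copies held by processors), and route "unknown_purpose" to whoever owns the retention schedule so the gap gets fixed rather than silently ignored.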
Data Protection by Design
- Is data protection built into systems and processes? Consider privacy implications throughout the data lifecycle, from collection to deletion.
- Are current practices reviewed before new projects launch? Assessments help identify gaps proactively, and a Data Protection Impact Assessment (DPIA) is mandatory where processing is likely to result in a high risk to individuals, such as large-scale profiling or systematic monitoring.
Vendor Management
- Are vendors handling personal data GDPR compliant? Require vendors to provide specifics on their compliance.
- Are data processing agreements in place? Contractually bind vendors to protect data.
Cross-border Data Transfers
- Is personal data being transferred outside the EEA? Transfers need a valid mechanism: an adequacy decision for the destination country, or appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules. Remote access by a vendor or support team abroad counts as a transfer.
- Are there appropriate safeguards for international transfers? Since the Schrems II ruling, a transfer impact assessment of the destination country’s laws is expected alongside the chosen mechanism, together with supplementary measures (for example, encryption with keys held only inside the EEA) where the assessment finds the mechanism alone is not enough.
Security Controls
- Are appropriate technical and organizational measures in place? The regulation expressly names pseudonymization and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore availability and access after an incident, and regular testing of the measures’ effectiveness. Policies, training, and audits support these.
- Is access to data limited to only those who require it? Follow the principle of least privilege, review access rights periodically, and log access to personal data so misuse can be detected.
Breach Notification
- Are personal data breaches reported to the supervisory authority within 72 hours of becoming aware of them? Notification is required unless the breach is unlikely to result in a risk to individuals; if it is likely to result in a high risk, the affected individuals must also be told without undue delay. Fines can result from covering up or delaying notification of incidents.
- Is there an incident response plan? Be ready to assess severity, notify authorities and affected individuals, and mitigate damage. Keep an internal log of every breach, including those you judged not to need reporting, with the reasoning for that decision.
Record Keeping
- Are internal records of processing activities maintained? These should cover the purposes of processing, categories of data and data subjects, recipients, international transfers, retention periods, and security measures. This is critical for demonstrating accountability and is the first thing a regulator will ask for.
Appointing a DPO
- Has a data protection officer been appointed? A DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data or criminal conviction data. If you appoint one, the DPO must be independent and must report to the highest level of management.
Staying GDPR compliant requires continuous effort as technologies, business practices, and regulations evolve. Use this checklist annually for self-auditing and consider independent assessments for unbiased insights. With proper planning and investment, organizations can both comply with the law and build trust with customers through responsible data practices.