A must-have 2018 GDPR compliance checklist for your enterprise
Companies that store or process data about European Union citizens will be required to comply with new standards set forth by the General Data Protection Regulation (GDPR) by May 25, 2018. By this date, global enterprises will be required to demonstrate a “reasonable level” of personal data protection. As CIOs face a need for new systems, processes and technology, many are in need of a GDPR compliance checklist.
Fortune 500 firms will spend an average of $1 million on GDPR technologies alone, according to an October 2017 study by international law firm Paul Hastings. “The GDPR is high-stakes … and the clock is ticking,” says firm partner Behnam Dayanim.
GDPR compliance checklist
Enterprises are required to comply if they process EU citizen data or meet criteria for size or data usage; the impact is widespread. Ninety-two percent of US-based companies consider GDPR compliance a top data protection priority, according to findings by PwC, but just 6 percent are compliance-ready.
The following GDPR compliance checklist guidelines aren’t exhaustive, industry-specific or tactical by design. They are, however, an overview of key compliance activities:
1. Collaborate with the C-suite
Executive buy-in should occur at the onset of GDPR compliance. Collaborate to allocate resources and create an official project plan.
2. Audit data
Prior to implementing new safeguards and processes, conduct an audit to understand how personal data is collected and stored. Document current governance systems.
3. Assign and educate
If applicable, appoint a data protection officer, EU representative or other official role. Train all data-handling staff and security team members on GDPR requirements.
4. Create access request processes
Update internal policies, technologies and operations to accommodate data subject requests, including the right to be forgotten, data portability and the subject’s right to receive data electronically in a common format. Create policies for access request refusal when requests are “manifestly unfounded or excessive.”
5. Identify lawful basis for data processing
Document the enterprise's lawful basis for processing both sensitive and non-sensitive personal data and ensure notices are updated accordingly. Address issues of consent, data profiling and child data subjects.
If your organization meets the criteria of a data processor, update controller contracts to meet GDPR Article 28.
6. Create a record of processing
Document all data processed in a sufficiently detailed Record of Processing, including record-keeping and retention policies, and maintain and update it. Address and update security measures to meet requirements for risk mitigation.
7. Update privacy notices
Review privacy notices and update language and processes for providing notices to meet requirements, such as the use of clear language.
8. Assess consent processes
If your Record of Processing relies on consent, ensure your consent processes include positive opt-in and easy withdrawal of consent.
9. Implement age-based policy
If needed, update consent language and processes for obtaining consent from children. If subjects are 16 or under, create processes for parental consent.
10. Address default and design protection
Document a policy of Data Protection by Design and Default. Create guidelines for data protection impact assessments.
11. Review breach policy
Establish and update policies and procedures for detecting and investigating a data breach and for notifying subjects and authorities.
12. Examine data export
Identify whether your data processing involves the export of data across borders. Identify your lead data protection supervisory authority. Review and update mechanisms in line with Article 29 Working Party guidelines.
13. Update third-party contracts
Identify all contractor relationships that require agreement revision and update for compliance. Verify third-party contractors can comply with GDPR privacy-by-design requirements.
The GDPR compliance checklist: Default data protection
It is predicted that more than 50 percent of affected firms will not fully comply with the GDPR by the end of 2018. Despite the looming deadline, fast-tracking a security culture of accountability can mitigate risk in the global enterprise.