
The GDPR Compliance Checklist

By admin
April 22, 2022

Complying with the GDPR can be terribly frustrating, as you have an incredible amount of information floating everywhere on the web.

Some of the content found online is fuzzy and doesn’t provide the details you actually need to become compliant. A well-put-together GDPR checklist is pure gold, because it offers you an umbrella against the fines announced.

Although complying with GDPR does seem like a lot of work, organizing and structuring that workload can considerably ease things up.

A checklist is the first step in your journey to comply with the new set of regulations. After all, you need to start somewhere.

Can I have your consent?

The cornerstone of the GDPR is consent. You needed consent before GDPR, but it was so much simpler to obtain it. Now, in the context of the new regulations, obtaining consent is no longer a sure thing. GDPR clearly states that unless legitimate interest is involved, getting clients to say yes needs to be done in an explicit manner, using plain language, clearing up the reasons for which consent is requested. The user needs to know exactly what his/her personal data is going to be used for and by whom.

Having legitimate interest is not equal to having consent, as the data gained cannot be used for other purposes than those implied.

Once consent is heroically obtained, you need to record and safeguard it, and be prepared to hand it over when requested. So far, so good, but in terms of complying with GDPR what does it mean exactly?

Well, in plain talk, you’ll need to pump some money or time into developing a new consent request design, forgetting all about those pre-ticked boxes, providing users with extensive info on your actions, updating your terms and conditions and no more hiding them in fine print. Agreed?

Speak up

With this newly improved data protection law, the data subject, meaning any identifiable person, has gained quite a few interesting rights, hence DSR, which is really short for Data Subject Rights. They are all straightforward and comprehensible, but somehow, during the last decade, we never actually gave them any real thought.

If we did, we would most certainly enter panic mode and feel the express need to come up with alternative marketing strategies. However, these rights are the ones that will completely shift you from being a rebel business to a GDPR compliant one. So, let’s take them one at a time and see what to do next.

  • Power to the people

You need to store and organize all the info you have about your clients. Simply giving them an email with numbers and letters doodled inside won’t do. You have to provide clients with structured, easy to comprehend information, in a common format.

In terms of complying, you can imagine that this implies various investments in new tools that would either provide the users with easy access or that would structure the information you have on them and streamline the process, optimizing it as best as possible.

  • Forgotten and forgiven

Without going into philosophical discussions on the human condition, individuals do have this right and you are obligated to provide them with the framework. If you should receive an erasure request, you need to put it into practice. The tricky part here is the deadline, as it is mentioned that the data controller needs to act “without undue delay”. In plain language, this means fast, but in legal talk, things are a bit fuzzy. One can only assume that the idea is indeed to act fast.

Now, thinking of implementation, it is vital to understand that when an individual asks to be forgotten, you need to erase all the existing data you have on him or her, including copies stored in the cloud or collected by third parties.

So, you’ll be required to have systems that quickly identify the data and the locations in which it is stored, and that ensure a fast erasure.

  • Stand corrected

Starting with the 25th of May, all users can ask to have their information corrected.

You have to figure out a way in which they can do this. Once again, complying with GDPR means investing in tools.

  • Making the big announcement


  • Time to move

This implies that you are obligated to send all the data you have on an individual to a different organization, in a commonly used, structured format, should you be asked to do so by the data subject. As expected, this would of course require that you put together a robust system, through which portability can be easily done.

  • Time to object

Even though you have obtained consent, the user could change his/her mind and decide against you, objecting to the fact that you are processing personal data. In this situation, you have no other alternative but to comply and stop personal data handling.

Data Breach Ready

So, you’ve noticed a breach in the system. It’s time to ask yourself: What would GDPR expect me to do?

If this day comes, as soon as you notice the breach you need to identify the threat. Start acting as if you were under attack.

First, you take the threat under consideration. If the data breach is believed to be a threat to users, the data controller needs to notify the GDPR Supervisory Authority within 72 hours of the breach identification. Afterwards, the users need to be informed as well.

Building up your defenses

You are granted permission. Your customer said I Do to the consent question. Don’t get your hopes up, even though these days asking for consent really seems more difficult than anything else. Now, you have to secure all that personal data. Make sure that the user’s personal data is well taken care of, safeguarding it through various means such as encryption or anonymization. You are going to use personal data, relax! You are just going to have to do it differently. The best way to use personal data without putting security at risk is through pseudonymization. The data is still safely guarded, but you can analyze it, making this method the ultimate combination.

You mustn’t muddy things up here, as anonymization and pseudonymization are two completely different concepts. GDPR brought them together, under the security umbrella for a very good reason.

While anonymization completely destroys any chance of identifying the user, pseudonymization, this Zodiac killer of the IT world, substitutes the identity of the data subject with additional information, creating a coded language. Data is still protected, but can be used for research purposes.
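The difference between the two, as an added example that is not part of the original article: a keyed HMAC stands in for the "coded language", and the records, key and function names are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; e-mails and amounts are made up.
ORDERS = [
    {"email": "alice@example.com", "country": "DE", "amount": 40},
    {"email": "bob@example.com", "country": "FR", "amount": 15},
    {"email": "alice@example.com", "country": "DE", "amount": 25},
]

def pseudonymize(records, key):
    """Replace the identifier with a keyed token (HMAC-SHA256).

    Returns (dataset, lookup). The key and the lookup table are the
    "additional information": keep them apart from the dataset.
    """
    dataset, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()
        lookup[token] = rec["email"]
        dataset.append({"subject": token, "country": rec["country"],
                        "amount": rec["amount"]})
    return dataset, lookup

def spend_per_subject(dataset):
    """Per-person analysis still works on pseudonymized rows."""
    totals = Counter()
    for row in dataset:
        totals[row["subject"]] += row["amount"]
    return dict(totals)

def reidentify(token, lookup):
    """Only possible for whoever holds the separately stored lookup."""
    return lookup.get(token)

def anonymize(records):
    """Drop the identifier entirely and keep only per-country totals."""
    totals = Counter()
    for rec in records:
        totals[rec["country"]] += rec["amount"]
    return dict(totals)

if __name__ == "__main__":
    data, table = pseudonymize(ORDERS, key=b"constructed-demo-key")
    print(spend_per_subject(data))
    print(anonymize(ORDERS))
```

Aggregates over very small groups can still single out a person, so dropping the identifier column is not by itself enough to make real data anonymous.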

Let’s wrap this up!

GDPR comes with a lot of changes. Asking for consent is a must, just like storing and safeguarding the data received. The user has the power and no matter how much you would try, there is no getting it back. It’s all about conforming to the new order.

Dig up new marketing strategies, start investing in tools to improve your already existing systems, organize the data you already have to further optimize and streamline your future processing. Times of great stress lie ahead, but with a strong plan, an organized mind, this checklist and a team of hardworking IT wizards, GDPR compliance is as good as done.
