1. Customer Options
2. Company Policies
3. Following the Law
4. Keeping Records
5. Data Subject Rights
6. Interested in learning more about GDPR compliance?

A sound GDPR checklist should include what you need to do to remain compliant under EU privacy laws. The GDPR Compliance Checklist determines key aspects that the General Data Protection Regulation will include in EU privacy laws on May 25, 2018. The checklist includes:

  • The nature of each provision
  • The most important actions needed
  • References to the relevant articles in the GDPR

Further, the GDPR applies to organizations or companies processing personal data within EU borders. The organization could offer goods or services to EU citizens, including companies that monitor behaviors of EU citizens. GDPR ushered in wide-reaching changes that affect many organizations specializing in data collection, marketing, and security.

Customer Options

If your organization collects data, explain to individuals why you need to collect it, and always use concise language that speaks to your audience. In addition, give users control over the data they submit and let them decide whether or not to share personal data with your organization.

The underlying principle of GDPR is to make sure that an organization’s primary goal is data governance. Also, the GDPR instills certain requirements to ensure that compliance is a top priority for organizations.

One thing you must consider is appointing a representative if you do not operate within the EU. In addition, you should train all employees and other personnel to make sure they remain compliant under all EU laws. You should also consider insurance coverage, including whether it needs to be amended in the event of higher fines or penalties under GDPR.

Company Policies

Moreover, organizations must have documentation on how they intend to follow GDPR rules. Compliance should be combined with an audit framework to make sure the data process, policies, and controls are in proper order.

You should also implement an overarching data protection policy that combines all policies, including processes pertaining to privacy by design and the maintenance and creation of proper record-keeping of processing functions.

Following the Law

To lawfully possess personal data, you must meet at least one of the conditions prescribed under the GDPR. The grounds for processing data are usually the same as the ones under the Data Privacy Directive, but the GDPR mandates new requirements when it comes to obtaining consent. Therefore, you should review all existing conditions regarding the lawful possession and confirmation of consent to ensure they are satisfactory under GDPR mandates.

Consider whether you are processing any personal data that’s sensitive in nature to ensure that the processing parameters for the data you process are fully in place and compliant under the law. Additionally, review previous consents to make sure they all meet GDPR guidelines, and think about proper consent withdrawal protocols.

GDPR especially stresses transparency. All notices should be the following:

  • Informative
  • Concise
  • Clear

Further, all employees must be informed of any data processing activities and data transfers, and the information set out in Articles 13 and 14 should be given to employees. For instance, GDPR mandates that parental consent must be included in the processing of data of children ranging from 13 to 16 years old. Such requirements depend on the nation that falls under EU law.

Keeping Records

GDPR mandates that organizations maintain detailed accounts of processing activities, such as:

  • Processing purpose
  • Descriptions for data categories
  • Security parameters
  • Data flow map

Additional stakeholders will need to be involved in the creation and maintenance of data records.

Data Subject Rights

It’s worth noting that the GDPR gives data subjects more rights under its current incarnation.

Such rights include the right to request access to any submitted data, or to require any amendments or deletions of submitted data. Such a mandate is also known as “the right to be forgotten,” which is a right not just pertaining to data but to have all data given back to the subject in a machine-readable format (data portability).

Various versions of the previous rights include:

  • Right to object to any data processing on the grounds of marketing or legitimate interests
  • The right to not be subjected to a decision determined by automated processing
  • Right to object to profiling of any kind

Such notices should be clearly indicated and submitted to the data subject via notice (e.g., privacy policy).

Do you need to know more about a GDPR checklist? To find out more, post your legal need to our UpCounsel marketplace. UpCounsel’s lawyers will help you ensure that you stay within GDPR guidelines and understand what you can do to protect user data. Further, our lawyers will help you establish a sound management structure that allows you to keep excellent records and to ensure that you are getting proper consent from all data subjects.

Interested in learning more about GDPR compliance?

Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.