GDPR Compliance Checklist (Complete For 2021) | Compliant

Digital content creators, web developers, and web managers all rely on data to improve user experience. This involves analyzing data about web traffic and web visitors.

However, personal data collection touches the issue of privacy rights. It is hard to earn customer loyalty if they do not trust you with their information.

The European Union (EU) sought to address the issue of privacy rights by implementing the General Data Protection Regulation law.

This legislation aims to protect the privacy rights of EU residents by making personal data collection by EU companies transparent. However, this also applies to U.S. companies that control or process personal data from individuals located in the EU.

What Is GDPR?

The General Data Protection Regulation (GDPR) is among the staunchest privacy and security laws in the world as it relates to the processing of personal data. The regulation was put into effect on May 25th, 2018. It replaced the 1995 Data Protection Directive law, which lacked cohesiveness between European countries.

The GDPR was passed by an overwhelming majority in the EU and helped codify and unify privacy laws under a single data protection regulation.

The GDPR consists of 99 Articles and 173 Recitals; the current version is Regulation 2016/679:

  • Articles 1 – 4: Cover general provisions, such as objectives, definitions, and territorial scope.
  • Articles 5 – 11: Outline the core principles, such as the lawfulness of processing, the conditions for consent, and more.
  • Articles 12 – 23: Cover data subject rights, including the right to data portability, the right to object, and permitted restrictions.
  • Articles 24 – 43: Cover the responsibilities of data controllers and data processors, as well as the security measures required for processing.
  • Articles 44 – 59: Outline transfers of personal data to third countries and international organizations, and the role of independent supervisory authorities.

The remaining articles, 60 through 99, cover various topics, ranging from cooperation among supervisory authorities to liability, penalties, and other provisions.

Who Is Affected by GDPR?

The GDPR requirements regulate how organizations within the EU safeguard personal data and uphold the privacy rights of people in the EU territory, but the same guidelines are imposed on any organization that targets the EU market.

Simply put, any organization that processes the data of EU citizens is obliged to comply with GDPR. Processing is broadly defined and includes data that is collected, stored, transmitted, or analyzed.

Per the GDPR, personal data can consist of any information that relates to a person. This includes names, email addresses, IP addresses, political affiliation, and even eye color. Also, compliance is not limited to for-profit companies only.

Again, this regulation and compliance can also apply to international organizations. For example, a US-based web development company would have to comply with GDPR to track and analyze any personal data of EU citizens.

This is outlined in Article 3 of the regulation under the territorial scope:

“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

This can affect a whole host of international organizations. The only exemptions would be personal household activities, law enforcement, or issues of national security.

What Is the Best GDPR Compliance Checklist?

The GDPR website does provide a GDPR compliance checklist. This checklist is general and is meant to apply to all organizations. However, there are some requirements unique to U.S. organizations. Here is a helpful checklist.

Step 1: Review Your Data Collection

The first step is auditing and reviewing your data collection, specifically audits for personal data in the EU. If you do collect this type of data, then GDPR compliance is warranted.

Next, you will need to evaluate the special categories of data you are collecting and processing, and whether you in fact have legitimate grounds for doing so (e.g., selling goods or services).

The same review applies to how data is stored. Many companies choose to perform a Data Protection Impact Assessment (DPIA) to assess data security and identify areas that need attention.

Step 2: Get Tenant Consent

Obtaining consent is the next big step. This addresses the issue of transparency. Individuals have a right to know how their personal data is used — the purposes for processing their data.

Conditions for consent are outlined in Article 7 of the GDPR. Obtaining consent is a legal obligation, and the individual has the right to decline or withdraw consent at any time.

Step 3: Choose The Right Technology

Choosing the right technology is equally important for compliance. This covers the software used to handle data subject access requests and any third-party vendors involved, and it can also include automated data protection tools and technologies that address file transfers, data mapping, and more.

Step 4: Create The Consumer Consent Document

The easiest way to gain consent to collect personal data is with a consumer consent document. Per Article 4 of the GDPR, consent is defined as any “freely given, specific, informed and unambiguous…clear affirmative action.” Cookie banners can be used if they truly are “informed” consent, not merely implied. This requires the users to have the ability to accept or decline with full understanding and explanation.

Step 5: Keep A Record

Keeping records is essential under the GDPR for any systematic monitoring of data subjects. These records could be requested by supervisory authorities at any time.

Typically, organizations appoint a data protection officer (DPO) to oversee GDPR compliance, including record keeping. A DPO can be in-house personnel or an outsourced specialist.

Also, Article 27 of the GDPR states that all non-EU organizations are required to appoint an EU representative that is based in one of the EU member countries.

Article 30 of the GDPR lays out the record-keeping requirements in depth.

Step 6: Review Your Privacy Notices

Again, a data protection impact assessment can reveal areas that fall short, and privacy notices may need to be revised. A privacy notice is a public document that explains how an organization processes personal data. Per the GDPR, the privacy notice must:

  • Be concise, transparent, intelligible, and easily accessible.
  • Be written in plain, clear language.
  • Be delivered in a timely manner and free of charge.

Step 7: Change Your Privacy Policy

At this point, it is assumed that a privacy policy defining the rights of data subjects is already in place. If you have one, it is still important to review it to ensure GDPR compliance. The goal is to ensure it addresses your data retention policy — how data is collected, stored, and processed.

Security controls, such as an information security policy and data protection policies, are also important to review. For example, these would define how a data subject is notified in the event of a data breach.

All in all, it is important to have the best practices in place for compliance and to mitigate risks.

Step 8: Think About Controllers And Processors

You must also determine whether your organization falls under the category of controller or processor; this has implications for U.S. organizations and how they are to comply with GDPR.

A data controller is an organization that determines how and for what purpose personal data is collected and processed. A data processor simply processes the information on behalf of the controller (e.g., third-party vendor).

When Is GDPR’s Enforcement Date in 2021?

The policies of the GDPR are already in full effect in 2021, in the EU and the U.S. Failure to comply with the regulation of data privacy can be costly. In fact, those organizations that are not GDPR compliant and who violate privacy and security standards can face harsh fines.

The GDPR Enforcement Tracker provides an overview of the fines and penalties imposed since the regulation’s inception in 2018. Compliance is enforced by the Information Commissioner’s Office (ICO).

However, the GDPR allows each country to issue its own sanctions and fines to organizations it finds in violation. The maximum penalty is a staggering €20 million or 4 percent of global revenue.

Conclusion

The General Data Protection Regulation law was implemented in 2018 within the European Union. It seeks to address the issue of privacy rights for EU citizens.

However, compliance is not limited to EU organizations. The GDPR applies to all international organizations that collect or process data within the EU. Thankfully, a checklist is provided to ensure compliance across the board. However, U.S. organizations do need to pay closer attention.

Auditing data collection practices, reviewing privacy policies, and ensuring the right documents and people are in place could keep you out of hot water when it comes to GDPR violations and penalties.