May 01, 2018

New Privacy Legislation: A GDPR Compliance Checklist

While 54% of U.S. companies say the General Data Protection Regulation (GDPR) has to be a top priority in 2018, a recent report by MediaPro has shown that 59% of employees are still quite unaware of the regulation.

Not being ready for the GDPR is a big problem considering the sweeping new data privacy law goes into effect on May 25.

The GDPR harmonizes data privacy laws in member states of the European Union (EU) including the UK and significantly strengthens the protection of personal data.

What’s really important is that all organizations, anywhere in the world, that process personal data of EU residents must comply. There are heavy fines for those who don’t - approximately $24 million (€20 million) or 4% of a company’s global annual revenue, whichever is greater. 

GDPR Compliance Checklist for Companies in North America

Company Leadership

There should be an implementation team in place. Some companies will need a Data Protection Officer (DPO), and experts recommend legal counsel as well.

GDPR Training

There should be extensive GDPR training for everyone in all departments, from the receptionist to the chief executive officer. A recent Commvault report showed that just 21% of IT professionals think they have a good understanding of what GDPR means in practice.

Data Collection

Utilize a comprehensive data management process so EU data that is handled can be identified. The data must be closely documented, and experts suggest storing it apart from other customer data. Procedures must cover all the rights that individuals have under GDPR. As a general rule, collect and keep as little personal data as possible.

‘Privacy by Design’ 

Incorporate privacy controls and impact assessments at the start and throughout the lifecycle of any new project that will require the collection of new and changing data. This can be done with manual and IT processes that protect personal data from loss, theft or mistaken exposure. Establish privacy requirements for third parties.

GDPR Consent Requirements

There should be a comprehensive consent process for personal information that documents permission including the data and source of the consent. There must be clear ‘opt-in permissions’ because failure to opt out will not be sufficient consent. It must be as easy to withdraw consent.

Information Requests

There should be a streamlined process for responding to information requests. The regulation allows individuals to request copies of personal data held by companies.

GDPR Data Breach Notification

There should be a detailed breach notification plan in place. Under GDPR, breaches need to be reported “without undue delay” and in some cases, in as little as 72 hours.

Data Deletion

Cull records regularly. Also, data subjects have the right to request the deletion of their personal data (this is the “right to be forgotten”). The Commvault report showed that just 18% of organizations have the capability to delete data on request from all data stores. Partner with a document destruction company for secure information disposal of both paper and digital data. Implement a Shred-it All Policy so all documents are securely destroyed when no longer needed.

Start Protecting Your Business

Learn more about GDPR and how to ensure you stay compliant with this new legislation.