The General Data Protection Regulation (GDPR), which will apply from May 2018, introduces substantial changes to the current EU data protection system. Organizations are required to adopt significant new technical and organizational measures to ensure compliance with the GDPR. This is a brief checklist highlighting the 10 steps that you need to take in order to ensure the compliance of your organization with the new Regulation.

STEPS TO DO
1. Raise awareness within your organization: All key decision-makers in your organization should be aware of the changes introduced by the GDPR and of the impact these changes are expected to have on the operation of your organization. Organize training seminars for your staff.
2. Develop a clear Privacy Policy: After having audited all data processes and mapped data flows, you need to write a clear privacy policy indicating what personal data will be collected and the purpose for which it is collected. Set up a clear framework of policies and procedures and demonstrate your compliance with the GDPR.
3. Data Protection Impact Assessments: Data Protection Impact Assessments (DPIAs), which identify and minimize all non-compliance risks, are made mandatory under the GDPR for all high-risk processing activities (processing of sensitive data, CCTV monitoring of public areas, profiling). Ensure that a DPIA has been carried out on any high-risk processing activity prior to its performance.
4. Appoint a Data Protection Officer (DPO): A DPO is the person who assesses all aspects of data processing in your organization and is responsible for data protection compliance.

The appointment of a DPO is compulsory for:

  • public authorities (except for courts)
  • organizations whose core activities involve regular and systematic monitoring of individuals on a large scale
  • organizations that carry out processing of special categories of data (e.g. health records, criminal convictions, genetic data, biometric data) on a large scale
Check if your organization is required to appoint a DPO and, if yes, do so.
5. Review and update your information notice: The controller must provide extensive information to data subjects about the processing of their data (identity and contact details of the controller, purposes of processing and legal basis for processing, details of data transfers outside the EU, the retention period for the data, recipients or categories of recipients, what the subject's rights are, and that the individual can complain to a supervisory authority). Update your information notice so that it provides data subjects with all the necessary information about the processing of their data in clear and plain language.
6. Safeguard Enhanced Rights for Data Subjects: The new GDPR extends the scope of already existing rights and introduces new data-related rights for individuals.

The most important of them are:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to data portability
  • the right to object to certain processing activities
  • the right not to be subject to automated processes
Make sure that your organization's policies and procedures cover all the rights the GDPR provides for data subjects and allow you to respond in a timely manner to requests exercising these rights.
7. Consent: Consent is subject to additional requirements under the GDPR. Consent should not only be freely given, specific, informed and unambiguous (as required by the Directive), but it should also be distinguishable and revocable. Data subjects must be informed that they have the right to withdraw consent at any time, using the same medium that was used to obtain consent in the first place. Review how you obtain and record consent. Make sure that consent is associated with a positive opt-in and not with pre-ticked boxes or inactivity.
8. Data breaches: The new regulation requires all organizations to report a data breach to Data Protection Authorities within 72 hours of detection. Notification to data subjects is also required, unless the personal data has been rendered unintelligible (e.g. encrypted) or there is not a high risk of harm to the data subject's rights and freedoms. In case of non-compliance, an administrative fine of up to €10,000,000 may be imposed. Put the right procedures in place to detect, report and investigate any personal data breach. Assess whether your organization needs to adopt appropriate insurance policies.
9. Children: If your organization offers internet services to children and consent is required to collect their data, secure the consent of the children's parents or guardians and implement appropriate systems for verifying the ages of data subjects.
10. Identify your Lead Authority: If your organization operates within more than one EU member state, a single lead data protection authority will supervise your organization’s compliance with the GDPR. The lead authority is the data protection regulator of the state where your main establishment is. Identify where your main establishment is (this could be where your central administration is or where the most significant decisions concerning your data processing activities are taken) so that you can designate your lead authority.

By Tania Kyriakou