Is Your Organization GDPR Compliant? Use a Checklist

Is Your Organization GDPR Compliant? Use a Checklist

The General Data Protection Regulation places a significant burden on organizations around the world and penalties are harsh. But the rules are clear and embracing them represents a brand-building opportunity.


In May 2018, the European Union enacted sweeping new digital privacy legislation known as the General Data Protection Regulation (GDPR). GDPR may be a European law, but since it affects anyone collecting and using EU citizen data – from large corporations down to many small, independent businesses – it almost has the effect of global law.


Specifically, the GDPR applies to:


…organizations located within the EU [and] organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.


The penalties for noncompliance are breathtaking. As the official GDPR site explains, organizations committing the most egregious sins (for example, “not having sufficient customer consent to process data or violating the core of Privacy by Design concepts”) can be fined up to 4% of their annual global revenues. (One large company currently faces a $230M fine for weak security related to a major breach.) Lesser penalties apply for things like faulty record-keeping or failure to notify authorities in the event of a breach. The rules pertain to both “controllers” and “processors,” so having your operation in the cloud isn’t a defense.


What are the GDPR compliance requirements?


GDPR has significantly increased the compliance burden for many companies around the globe. The good news is that the specific details are very clearly spelled out, meaning there’s no real excuse for any business to run afoul of the law.


Most major organizations are already fully compliant with GDPR. However, some may just now be launching into European markets, and others may have failed to get ahead of the regulations soon enough and now find themselves in potential jeopardy.


For these businesses (as well as anyone wanting a refresher), there are some very helpful resources available.


The EU’s GDPR Checklist outlines the four compliance categories: Lawful Basis and Transparency; Data Security; Accountability and Governance; and Privacy Rights.


Lawful basis and transparency


  • Conduct an information audit to determine what information you process and who has access to it.
  • Have a legal justification for your data processing activities.
  • Provide clear information about your data processing and legal justification in your privacy policy.


Data security


  • Take data protection into account at all times, from the moment you begin developing a product to each time you process data.
  • Encrypt, pseudonymize, or anonymize personal data wherever possible.
  • Create an internal security policy for your team members, and build awareness about data protection.
  • Know when to conduct a data protection impact assessment, and have a process in place to carry it out.
  • Have a process in place to notify the authorities and your data subjects in the event of a data breach.


Accountability and governance


  • Designate someone responsible for ensuring GDPR compliance across your organization.
  • Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.
  • If your organization is outside the EU, appoint a representative within one of the EU member states.
  • Appoint a Data Protection Officer (if necessary)


Privacy rights


  • It's easy for your customers to request and receive all the information you have about them.
  • It's easy for your customers to correct or update inaccurate or incomplete information.
  • It's easy for your customers to request to have their personal data deleted.
  • It's easy for your customers to ask you to stop processing their data.
  • It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.
  • It's easy for your customers to object to you processing their data.
  • If you make decisions about people based on automated processes, you have a procedure to protect their rights.


The site offers more on the principles underlying each requirement and is a must-bookmark for all executives and managers employed by organizations with customers and readers in Europe.


ZDNet’s Five-Step GDPR Preparation Checklist is a more hands-on, tactical guide to making sure your company is doing the right things. It strongly counsels appointing a lead or team to manage GDPR issues and compliance and stresses clarity of language in developing your policy and communicating it to site users. It also encourages companies to actively manage existing contacts and leads using a database; adopt a double opt-in policy; regularly update the privacy policy; and develop a thorough data breach plan.


GDPR: an opportunity to strengthen your brand


Let’s add one final item to the checklist: respect GDPR and embrace the opportunity it represents.


Some businesses (especially in the US) resent GDPR because it restrains their ability to operate as freely as they’d like. While this attitude may be understandable, it’s potentially counterproductive. The law resulted from a broad public perception that businesses can’t be trusted – and sadly, there have been instances where organizations failed to behave ethically.


These companies represent a small minority. Despite the headaches, GDPR represents an opportunity for ethical organizations to improve their relationships in the marketplace and, in doing so, help repair the damage bad actors have done in the public eye.


Why? Because citizens upset at cavalier data privacy uses are likely to appreciate companies that take their concerns seriously.


Privacy regulations like GDPR are a reality of the future business landscape (the California Consumer Privacy Act is becomes law on January 1, 2020, with penalty enforcement to take effect next summer, and there’s every reason to expect more legislation like it will follow in the coming years). Organizations that embrace the trend and make consumer privacy part of their strategic mission are not only avoiding sanctions; they’re building their brands – and are perceived as more trustworthy in the market.