GDPR Compliance checklist
What are the GDPR regulations?
The European Parliament adopted the General Data Protection Regulation (GDPR) in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the export of personal data outside the EU.
Starting on May 25th 2018, all businesses operating in the EU will need to comply with the new GDPR regulations or face sanctions, ranging from a simple written warning of non-compliance up to fines of 20 million EUR or 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.
To help you get prepared, here's a quick checklist to survive this new regulation:
GDPR Compliance checklist
1) Awareness and communication
Develop an Information Security Policy so that all employees understand the GDPR, and communicate with services and staff about why you are collecting data. Develop a culture of privacy within the company in order to implement data protection by design and by default.
2) Audit & Analysis of personal data
Analyse and track a list of all sensitive data you store and process, and identify who is responsible for that data. Customer data needs to be retained on servers that are physically located in the EU, even if it is processed as part of a global product or service.
3) Review procedure
Review your current privacy and security procedures and rework their wording to make them compliant.
In particular, existing procedures need to include specific provisions covering all the data points in the GDPR, or be rewritten from scratch to fully comply.
4) Protect private data
Develop an IT strategy to implement data protection, backups and a recovery plan that guarantees business continuity in case of a data breach.
5) Access rights and customer consent
Ensure your customers actually consent to you processing their data, and/or work with a legal firm to guarantee that the data is gathered fairly and complies with GDPR guidelines.
6) Data breaches
Implement procedures to handle emergencies and data breaches, and make sure you are able to communicate efficiently with the outside world within 72 hours.
7) Impact assessments
Carry out a data protection impact assessment, together with a threat modelling and risk-reduction program, to minimize the risk of a data breach.
8) Appoint a Data Protection Officer (DPO)
Appointing a DPO is mandatory under the GDPR regulations; make sure you find the right person for the job.
CEO at Silent Breach:
We recommend that data should be stored in one of the 27 EU member states. If outside of these states, the country in question needs to have been sanctioned under GDPR as a trustworthy & compliant country. Any countries not listed as such on the ICO website are out of bounds. If looking to store data in the USA, then 'Privacy Shield' considerations need to be made. Also, you need the user's consent to store data outside the EU before the data transfer is actually done...
Head of Unit - Clearstream:
Should the data be physically stored in the EU?
Division Head of Data & Information Governance for the EIB Group:
Simple and straight to the point on the general guidelines!