GDPR: a short checklist

In the sea of information available on the Internet about the upcoming regulation on the protection of personal data, what I think is missing is a checklist that lets companies understand easily what the main requirements are, whether they still need to be implemented, and whether they have already been satisfied.

So I tried to write one:

1. Is there a written data protection policy? Is it available to your customers, partners and employees?

The GDPR envisages the creation of a data protection notice that documents the processing of personal data. This documentation must be written in a simple and clear form and must describe the scope of the data collection, the data subject's rights, whether the data will be transferred abroad and under which instruments, the retention period, etc. [art. 13 and 14].

The policy will allow the supervisory authority and customers to better understand how personal data is processed, thus strengthening their confidence.

2. Have you structured the data protection according to the “Data Protection by Design” concept?

This is a major novelty in data protection. Data controllers are responsible for deciding autonomously the modalities, safeguards and limits of the processing of personal data, in compliance with the regulatory provisions and the related criteria [art. 24].

It is therefore necessary to design the processing so that, from the beginning, it provides the safeguards indispensable to meet the GDPR requirements and to protect the rights of the data subjects [art. 25].

3. Have you carried out a risk analysis of the data processing?

Among the key obligations of the data controller is to identify and mitigate the risks associated with the processing [Whereas 75, 76, 77 – page 15].

These have to be understood as the risk of negative impacts on the rights and freedoms of the persons concerned. Such impacts must be analyzed through a specific evaluation process [art. 35 and 36], taking into account the known risks and the technical and organizational measures that the data controller considers necessary to mitigate them.

On the basis of the outcome of the assessment, the data controller may decide independently whether to start the processing (taking appropriate measures to mitigate the risk sufficiently) or to consult the competent supervisory authority on how to handle the residual risk.

The Authority will not have the task of "authorizing" the processing, but of indicating any further measures the data controller can implement. If necessary, the Authority can take all the remedial measures provided by article 58, from a warning to the limitation or prohibition of the processing [art. 36, par. 2].

4. Have you appointed a Data Protection Officer?

The appointment of a Data Protection Officer (DPO) is mandatory when the processing and main activities:

   - are carried out by a public body

   - consist of operations that require regular and systematic monitoring of data subjects

   - consist of large-scale processing of sensitive data or of data relating to criminal convictions

Because the Authority encourages the designation of a DPO, it may be helpful to appoint one on a voluntary basis; in either case the company will have to provide the DPO with all the resources necessary to carry out the role [art. 37 and 38].

5. Do you have a register of processing activities?

The GDPR has introduced the requirement to keep an up-to-date register of processing activities, which also extends to external providers dealing with personal data. Such a register must be available for supervisory authority checks [art. 30].

Companies with fewer than 250 employees are exempt from this rule unless:

   - the processing may pose a high risk to individuals' rights and freedoms

   - the processing is not occasional

   - the processing involves sensitive data

6. Have you offered training and awareness-raising campaigns to all your employees?

One of the tasks of the Data Protection Officer is to raise awareness and provide training to all employees of the company and, in particular, to the staff involved in the processing of personal data [art. 39].

7. Do you collect explicit and specific consent when gathering personal data from your customers and employees?

Consent is not valid if it is given by silence, by a pre-ticked box or by inactivity [art. 9 and 22]. In addition, the data controller must be able to prove that the data subject has consented to the processing of their own personal data [art. 7].

8. Are you able to give people access to all their personal data?

Measures should be taken to give individuals, on request and free of charge, access to their personal data so that they can freely modify or delete it, or object to the processing [art. 15].

9. Are you able to update or delete your customers' personal data?

The right of rectification provides that a person can obtain, without undue delay, the deletion or rectification of their incorrect personal data [art. 15]. As an alternative to deletion, the person concerned may also request the restriction of the processing of their data [art. 18].

10. Is there a procedure for retention of personal data?

The retention of data processed in violation of the rights of the data subjects constitutes an offense punishable by administrative sanctions. The retention period should not exceed the time necessary to carry out the purposes for which the data were collected [art. 15].

11. Are you able to satisfy your customers' portability rights?

A person has the right to receive their personal data in a structured, commonly used and machine-readable electronic format [art. 20].

12. Is there a system for managing secure access to archives containing personal data?

Personal data must be processed in a way that ensures its security and confidentiality, including through authentication and authorization systems [art. 32].

13. In the case of a security incident involving personal data, has an incident handling and notification process been created?

In the event of an emergency or an incident involving personal data, the Data Protection Officer must ensure that an incident management process exists, together with the related notification to the Authority.

First of all, the incident must be documented, highlighting the circumstances, the consequences and the measures taken. In order to avoid notifying the persons concerned, it must be possible to demonstrate to the Authority that the controller had put in place all reasonable security measures to prevent the incident [art. 33 and 34].

14. What measures have you implemented with respect to your suppliers? Does the supply contract guarantee that persons authorized to process personal data are committed to confidentiality?

In order to comply with the regulation, a subcontractor or supplier acting on behalf of a company must provide the necessary guarantees in terms of specialized knowledge, reliability and security of the processing.

Processing by a supplier must be regulated by a legally binding act for both parties, defining the purpose and duration of the processing, the type of personal data and the categories of persons involved [art. 28].

15. Is there a procedure for the transfer of data outside the European Union?

In the case of transfers of personal data to a third country, a register of transfer activities must be kept, including the identification of the third country and the documents proving the existence of adequate transfer safeguards [art. 47, par. 2].

The Regulation prohibits transfers of data to data controllers in a third country on the basis of judicial decisions or administrative orders issued by third-country authorities, unless there are international agreements, in particular mutual legal assistance treaties or similar agreements between the states involved [art. 48].


Finally, I must remind you that it is not enough to do things: it is equally important to document them, in order to produce, when necessary, the evidence that the work done is compliant with the regulation.

If this suggestion did not convince you, I will close this article (which I hope is useful) by citing the penalties foreseen by the GDPR: article 83, depending on the articles violated, sets administrative fines of up to 20 million euros or, for companies, up to 4% of the previous year's turnover.

In addition, individual States may, in accordance with article 84 and by May 2018, define further penalties for violations not initially provided for by the GDPR. Such sanctions must be effective, proportionate and dissuasive.

However, the supervisory authorities also have a number of remedies under the aforementioned article 58. These powers go as far as the possibility of prohibiting the processing altogether.

The economic consequences of this type of provision could be even more serious than an administrative penalty.

The inability to continue a processing activity may, for example, entail the suspension of a service to customers, with the consequent possibility of lawsuits against the company.

Therefore, while administrative penalties can have significant economic and reputational consequences, the actions foreseen by article 58 may even compromise the survival of the business.
