The Ultimate GDPR Compliance Checklist
In case you are still working on getting in compliance with GDPR guidelines, this checklist is for you!
The legal consequences of not complying with GDPR guidelines have been defined clearly enough to leave very little to the imagination. Companies in violation of the GDPR may be fined between 2 percent and 4 percent of their annual global turnover or up to €20 million, whichever is higher. Frequent GDPR violations can raise the level of legal penalties to the €40 million range.
The GDPR Compliance Checklist
The GDPR is a complex 11-chapter document with 99 articles that cover a wide range of user privacy issues. This set of regulations can be hard to digest and interpret, which is where this checklist enters the picture. The ultimate GDPR compliance checklist highlights and lays out all of the main bases that you have to cover, systematically, to achieve GDPR compliance.
1. Data Privacy Impact Assessment (DPIA)
With the GDPR in full swing, a DPIA can be extremely helpful for online publishers, who are now officially defined as data controllers (fully responsible for GDPR breaches). In a nutshell, DPIA is a risk management process. It helps to map and analyze the privacy risks your operations create, eventually enabling you to come up with an optimization plan.
A. Identify the Privacy Risks and Evaluate Privacy Solutions
Your first challenge is to map the data collection points where you collect Personally Identifiable Information (PII) from your customers and to identify the privacy risks that arise while processing it. Data controllers (i.e., online publishers) should pay extra attention to PII data that is processed by third-party services.
B. Record the DPIA Results and Integrate Them Into the Project Plan
After analyzing and understanding the privacy challenges in the ecosystem, the data controller should record all findings. Your next step should be to implement the mechanisms required to enforce personal data protection. Furthermore, the selected mechanisms need to be demonstrated adequately to prove GDPR compliance.
C. Collaborate With Internal and External Stakeholders
Online publishers need to know exactly what third-party vendors are doing with their customers' PII data and how exactly it is being processed. This collaboration is vital for GDPR compliance.
2. Policies and Procedures
Mandatory documents to enforce GDPR compliance include the following:
- Personal Data Protection Policy (Article 24) – This is a top-level document for managing privacy in your company, which defines what you want to achieve and how.
- Privacy Notice (Articles 12, 13, and 14) – This document explains in simple words how you will process the personal data of your customers, website visitors, and others. It's recommended that you publish this on your website for optimal transparency.
- Data Retention Schedule (Article 30) – This lists all points of PII data collection and describes how long each type of data will be kept/stored.
- Data Retention Policy (Articles 5, 13, 17, and 30) – This describes the process of deciding how long a particular type of personal data will be kept and how it will be securely destroyed after the processing is completed.
- Data Subject Consent Form (Articles 6, 7, and 9) – This is the most common way to obtain consent from data subjects to process their personal data.
- Parental Consent Form (Article 8) – If the data subject is a minor below the age of 16 years, then a parent needs to provide the consent for processing their personal data. GDPR treats the breach of this protocol very seriously.
- DPIA Register (Article 35) – This is where all the results from your Data Protection Impact Assessment (DPIA) will be saved after being recorded and analyzed.
The procedure for handling GDPR breaches needs to be clear to avoid any reporting delays. When a PII data leak is detected, the data controller needs to record the event in the Data Breach Register (Article 33). There is also a requirement to notify the relevant supervisory authority about the incident, while also informing the affected customers (Articles 33 and 34).
3. Notices and Consent
Data controllers need to make sure that they have user consent to collect personal data. The online publisher needs to be able to demonstrate that the data subject has consented to the processing of his or her personal data, ideally via an intelligible and easily accessible form, using clear language. Furthermore, users now have the right to withdraw their consent at any time.
4. Employee Training
You will need to identify which training elements your staff respond well to and actually take on board, so that you can build a successful GDPR staff training program. Common techniques include adding a game or an element of reward. A GDPR awareness program should be an ongoing process that is reinforced regularly throughout the year and also whenever staff-related incidents occur.
5. Data Retention Policy
GDPR will introduce laws that will make the storage limitation principle considerably stricter. Soon, it will be illegal for data processing to be excessive in relation to the purpose of acquiring such information. Specific time limits will be set for both the processing and reviewing of data, while the handling of personal data remains explicit and transparent.
It's also important to make sure that all third-party vendors are encrypting the data before and after it is processed and/or transmitted to fourth- and fifth-party providers.
6. Personal Data Collecting and Processing
First and foremost, the data controller should appoint a Data Protection Officer (DPO) when significant amounts of PII data are being collected and processed. Online publishers definitely belong to this category. The DPO has the responsibility of advising the company about GDPR compliance and monitoring its activities from the legal standpoint.
Third-party vendors are becoming increasingly necessary for modern online publishers to remain profitable. While these services can appear to be perfectly functional, they are essentially autonomous components that work independently, often compromising user privacy in the process. Many also make use of fourth- and fifth-party services to gain added functionality.
Compliance is further complicated by the way third-party solutions work. Your PII data can potentially reach new data processors in the form of fourth- and fifth-party services. A proper GDPR audit should go beyond first-party software on the website and include third-party services in Ad Tech and MarTech stacks for a thorough inspection.
Remember, GDPR Doesn’t End With Just One Audit
A good GDPR audit doesn't mean your Ad-Tech stacks will stay compliant in the long run. Third-party vendors often make code changes that alter the way your PII data is processed or, in extreme cases, stored. This is a violation of the GDPR guidelines. New fourth- and fifth-party vendors, who can potentially be completely non-compliant, can also enter the fray.
This ongoing risk means that online publishers have to stay on top of things and continuously monitor their ecosystem, especially their Ad-Tech and MarTech stacks.