The GDPR has applied since 25 May 2018, and companies worldwide that handle EU personal data have to be ready. Proper data management is crucial to comply with the regulation. To help you out, Bisnode experts have compiled a GDPR checklist of the key requirements.
Even though the list includes tasks that your marketing team can tackle on its own, consider involving a legal team. This is particularly important for large organizations.
How to Comply and Avoid Penalties:
1. Define Your Territorial Scope
The GDPR applies to organizations established in the EU, and to organizations outside the EU that process the personal data of people in the EU (for example, by offering them goods or services or monitoring their behaviour).
- If your business falls into one of the categories listed above, you need to become GDPR compliant.
- Organizations operating in several EU countries need to determine which data protection supervisory authority is their lead authority.
2. Raise Awareness
Raise awareness of the new data protection rules inside and outside your organization.
- Inform your organization's decision-makers and employees about the requirements. Update or revise your contracts with business partners, vendors, and suppliers.
- If you work with suppliers located outside the EU, make sure they comply with the GDPR, and that any transfer of personal data to them has a valid legal basis.
- Make sure all contracts with third parties that process personal data on your behalf contain the data protection clauses the GDPR requires between controllers and processors.
- Monitor their progress towards compliance. Conduct audits of key suppliers.
- Launch workshops on GDPR for sales and marketing.
3. "Map" Your Data
Identify the personal data your organization holds. Make sure you know where it comes from, what you plan to use it for, and with whom it is shared.
- Conduct a data audit to assess your data and the purposes you use it for.
- Identify your risk areas and take the steps needed to comply.
- Make sure you have a legal basis for each use of the data.
- If you receive data from third parties, check its accuracy and that it was collected lawfully.
- Delete any data that is unnecessary or outdated.
- Have a clear policy on how long each category of information will be retained.
4. Create and Maintain Data Records
The GDPR requires organizations to keep records of their processing activities. Organizations need to be able to demonstrate their accountability and compliance on request.
Create and maintain a data record that includes the following:
- The name and contact information of the organization and the DPO (where applicable)
- A description of the categories of personal data
- The purpose of data processing
- The categories of data subjects and recipients
- Transfers of personal data to third countries or international organizations
- A general description of the organization's technical and organizational security measures
5. Update Your Data Protection Policies
The GDPR requires you not only to comply with the data protection rules but to be able to demonstrate that you do. In addition to maintaining processing records, you need to update (or revise) your policies and procedures.
Work with a lawyer to determine if your data protection policies comply with the GDPR.
Make sure your policies cover the following aspects:
- Who is responsible for data processing, security, and the other key obligations of the GDPR
- How you detect a personal data breach and what you do when one occurs
- How you respond to subject access requests
- How you proceed when consent is withdrawn
- What to include in privacy notices, written in concise, clear, easy-to-understand language
- How you meet requests from individuals concerning data portability, the right to erasure, the right to be informed, the right to object, rectification, etc.
- The legal basis for each processing activity: consent, performance of a contract, legal obligation, vital interests, public interest, or legitimate interests
6. Obtain Consent for Data Processing
To comply with the GDPR, businesses must assess how they seek, manage, and record consent. They also need to consider the other five legal bases for processing, such as performance of a contract and legitimate interests, and decide which basis applies to each activity.
Under the GDPR, consent must be freely given, specific, informed, and unambiguous. It also has to be verifiable: you must be able to show who consented, when, and to what. Individuals have the right to withdraw consent at any time, and withdrawing must be as easy as giving it.
- Review your existing processes to obtain consent.
- Define opt-in status for all contacts.
- Assess your existing database. Determine whether or not the data subjects have given their consent for the processing of personal information.
- Before launching new campaigns, make sure your marketing efforts are compliant with the GDPR.
- Link to your updated privacy page from all subscription forms.
- Make sure all forms on your site use explicit opt-in (no pre-ticked boxes).
- Provide clear ways to unsubscribe and withdraw consent.
- Do not make consent to processing that is not necessary for a service a precondition of that service.
7. Manage Information Requests
Under the GDPR, organizations must respond to requests from data subjects within one month; for complex or numerous requests this can be extended by a further two months, but the individual must be told within the first month.
- Set up a landing page for information requests.
- Provide options for individuals to have their data updated or deleted upon request.
- Make it easy for customers to manage their email subscriptions.
- Review each request manually, verify the requester's identity before releasing any data, and reply within a month.
8. Prepare for Security Breaches
One of the GDPR's key points is data security. No matter your business size or type, you must keep personal data secure and report personal data breaches to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals); where the breach poses a high risk, the affected individuals must be informed as well.
- Develop and rehearse a plan for handling security breaches, including how the 72-hour clock is tracked.
- Implement an adequate level of encryption on all company devices, both for data at rest and for data in transit.
- Consider using two-factor authentication for all employees.
- Make sure your IT infrastructure is secure. Identify high-risk areas and remediate them.
- Whether you're switching to new systems or upgrading existing ones, privacy should be built in by design and by default.
- Protect all files, servers, and computers against unauthorized physical and logical access.
9. Beware of Special GDPR Requirements
Under the EU General Data Protection Regulation, a business that offers online services directly to children and relies on consent must make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility. A child can give valid consent only from the age of 16, although individual member states may lower this threshold to as low as 13.
- Make sure you have systems in place to verify a person's age.
- Obtain consent from a parent or guardian before processing a child's data on the basis of consent.
- Any privacy notices addressed to children must be child-friendly.
10. Appoint a DPO
Organizations whose core activities involve large-scale processing of special categories of personal data, or of data relating to criminal convictions and offenses, must appoint a Data Protection Officer. The same applies to public authorities and to organizations whose core activities involve large-scale, regular and systematic monitoring of individuals.
Even if you don't fall into these categories, a DPO can help ensure data protection compliance within your organization. The DPO's role is to monitor both the data and the processes necessary to achieve compliance and to advise the organization on its obligations.
- Determine whether or not you are required to appoint a DPO. The individual who fulfills this role may be an external service provider or a staff member, and reports directly to the highest level of management.
- If you don't need one, make sure someone within the organization is responsible for data protection.
- Provide the DPO with the resources, access, and independence needed to carry out the role.