May 25, 2018, is the deadline for companies to comply with the EU's General Data Protection Regulation (GDPR), which is designed to unify data protection rules across all EU Member States. Organizations that fail to comply face fines of up to EUR 20 million or 4% of the company's global annual turnover, whichever is greater, scaled to the magnitude of the infringement. Focusing on personal data should continue to drive your entire GDPR strategy, policy, and technical decisions.
GDPR checklist to get started with
We at Rule want to help you get started with your GDPR strategy, if you have not already done so, by compiling a checklist for you:
1. Review your data
Take a comprehensive look at all your data. Evaluate what types of data you hold, how sensitive they are, where they are stored, and how you process them. Make sure you and your team understand the difference between the structured data (databases, registers, booking systems) and the unstructured data (e-mails, documents, spreadsheets in shared folders) that you currently handle, since the unstructured data is usually the harder part to inventory.
- Do you have a customer register?
- Do you send out newsletters or any other type of marketing to your customers?
- Do you have any kind of booking system where customers can book with you?
- Do you have a register of your suppliers?
- Have you decided how long information about your customers, suppliers, and employees is stored?
- Do you protect the information about your customers, suppliers, and employees?
Do you want to dive deeper into the GDPR and all the associated rules? Read more about how companies should handle personal data under the GDPR.
2. Define your processes and document
Once you have reviewed the data your organization handles, it is probably safe to assume that some of it is sensitive. With that in mind, your next step is to define the processes and routines for how you handle that data. Every time you process personal data, whether manually or in a system, certain risks are involved. It is therefore wise to have complete, GDPR-compliant routines that let you account for every activity involving personal data. Diagram and map your data flows so that you keep a clear overview while you define your processes and document them.
- What personal information do we have?
- How do we handle it?
- What legal basis do we rely on for each processing activity?
- Who has access to personal data?
- When do we delete it?
- Do we document how we think and how we handle our customer data?
3. Ensure handling in the EU
Another thing that is good to ask yourself is:
Can you, as a company, define who has access to the folders containing the personal data you hold, and establish a protocol for how those files are shared internally and externally? An important and topical point is third-country transfers. Sending a document containing personal data by e-mail to someone in a country outside the EU is a transfer, and you must make sure that the recipient or supplier handles the data in line with the GDPR and that a valid transfer mechanism (such as an adequacy decision or standard contractual clauses) is in place.
It is easy to assume that your own company handles all personal data within the EU correctly. But the same rules apply when you have engaged subcontractors: you are responsible for what your processors do with the data, so you must have complete control over who has access to what information.
A structure that works right now saves you time in the future. Read more about GDPR outside the EU and why US providers can no longer be assumed to handle personal data in accordance with the GDPR.
4. Implement your processes and documentation
Everything you identified and sketched in steps 1-3 is crucial in the implementation phase. When it comes to implementing your new or improved processes and procedures, we recommend appointing a Data Protection Officer (DPO). The GDPR requires one in certain cases (public authorities, and organizations whose core activities involve large-scale systematic monitoring or large-scale processing of special categories of data), but even where it is not mandatory, investing in a DPO gives you a dedicated resource whose sole job is to keep your business compliant from top to bottom.
5. Write a “Data Protection Policy”
Checklist of what a data protection policy should include:
- Every processing of personal data must have a legal basis under the GDPR.
- Only collect personal information for specific purposes.
- Do not process more personal data than is necessary.
- Make sure that the personal information is correct.
- Delete personal information when it is no longer needed.
- You must be able to demonstrate that you comply with the GDPR and how you do it (the accountability principle).
6. Create a monitoring system - train your employees
- Notify your company’s decision-makers and employees of upcoming changes.
- Update or change your agreements with business partners, suppliers, and subcontractors.
- If you work with suppliers outside the EU, you must verify that they are GDPR compliant and that a valid transfer mechanism is in place.
- Ensure that all agreements with third parties include protection against GDPR-related risks.
- Organize GDPR workshops for sales and marketing departments.
7. Plan for the "worst-case" scenario
If your company suffers a personal data breach, you need a prepared plan for proper communication, as well as preventive measures your company can take. Not every breach has to be reported, but a breach that is likely to pose a risk to individuals must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, so treat every breach as important and be well prepared for even the worst cases.
Use our GDPR checklist
While the GDPR involves several changes and the transition creates a significant amount of extra work for organizations, it is a good thing. The GDPR holds us responsible for how we process and handle sensitive information, and it makes both ourselves and the people we do business with more secure in the digital world we live in, not only today but also in the future.
Hopefully, this data protection regulation checklist will help your organization in the transition, whether you are just getting started or already on the go!
Do you need help with your GDPR strategy? Contact Us! Do not yet have a Rule account and want to get started with digital communication? Try Rule for free for 30 days.