A checklist for complying with GDPR
Always be prepared to comply with GDPR regulations with this handy checklist. Through a systematic approach to your data and information security, you can ensure that you follow the necessary guidelines and protect your users’ personal information. Get ready to tackle GDPR requirements with this easy and effective checklist.
- Get to know the rules
- Appoint a data controller
- Implement technical data security measures
- Develop a privacy policy
- Identify your data
- Ensure processing of personal data
- Provide documentation
- Monitor compliance
1. Get to know the rules
The basis for complying with the GDPR is to understand the legislation that applies to one. In Denmark, the Personal Data Act defines the specific guidelines for processing personal data, while the GDPR constitutes the European data protection regulation that companies in Europe must comply with. For companies operating globally, there are additional regulations to consider, such as the CCPA and UK-GDPR. Companies must have a clear understanding of the relevant legislation, e.g. GDPR. This involves identifying how the law applies to their specific activities and what obligations it imposes.
2. Appoint a data controller
A Data Protection Officer (DPO) acts as an internal representative for data protection and is tasked with ensuring that the company complies with the requirements of the Personal Data Regulation. The person is involved in all aspects of data protection and acts as the company’s contact person for the Norwegian Data Protection Authority.
Very specific rules apply to when a company must appoint a data protection officer. Read more about it here.
3. Implement technical data security measures
You should also implement security measures and policies to protect the data you collect. These can include:
- Strong passwords
- Pseudonymisation
- Encryption
- Virus protection
- Building security
- Device security
- DPIAs (Data Protection Impact Assessments)
- Policies for data deletion and disposal of paperwork
- Other policies to prevent unauthorised access to the data
- Regular updates to your systems and databases
Read more about setting up security measures here.
4. Develop a privacy policy
Next, use what you’ve learned about your data to create a detailed privacy policy that outlines what data you collect and how you will use, store, and protect it.
A simple, clear policy shows customers that you care about their privacy. It also helps satisfy regulations that require you to keep people informed about how their data is handled. Your privacy policy should:
- Tell people what kinds of data are collected, how, and why
- Show how data is processed and kept safely
- Explain users’ rights
- Be up to date
- Provide contact information
- Let people know how they can make a complaint, if needed
5. Identify your data
The first step to GDPR compliance is to identify the personal data you collect and store. This includes any personal data from customers, employees, or other individuals. Classify the data by sensitivity level. Ask:
- What type of data is it?
- What is the purpose of collecting and storing this data?
- How long have I had it?
- Who has access to it?
- Who will it be shared with?
Read more about how to find your sensitive data here.
Start your GDPR cleanup where it is needed the most
Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.
6. Ensure processing of personal data
In order to comply with the GDPR, it is essential to process personal data properly. By doing this, you as a company not only protect the rights of the individual, but also maintain the trust and credibility of your customers, business partners and the outside world. Read more about responsible processing of personal data.
7. Provide documentation
Keep documentation that shows the company is actively working to be compliant. This may include policies, training records and results of completed audits.
8. Monitor compliance
Finally, you should regularly monitor your compliance with GDPR to make sure you (and everyone on your team) are putting your policies into practice. You should also stay up to date on any changes to regulations that affect your company, then ensure your processes continue to be in line with new requirements.
Need help on GDPR?
In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.
When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.
An incomplete checklist
The fact is, there is no such thing as a perfect, foolproof GDPR checklist. All businesses and their data collection activities are different. Further, the GDPR itself deliberately uses ambiguous and open-ended language, for several reasons:
- Personal data has a broad definition.
- The types of personal data companies collect will vary.
- The roles and responsibilities of your company as a data controller may change.
- Appropriate security measures and technology can change.
- New security threats may emerge.
This ambiguity in regulations and the constantly evolving world we work in both make it impossible to create a GDPR checklist that can guarantee compliance. However, that is not an excuse to sit back, do nothing, and just hope for the best. Take action. Start with the steps above. Going through them carefully will certainly put you ahead of the game and on the right track for compliance.
Do you need more help to comply with GDPR?
In Safe Online, we create SaaS solutions that make it easier to comply with GDPR. See our solutions here:
DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →
