9-Step GDPR Compliance Checklist
A GDPR compliance checklist is a list of actions that can help an organization achieve compliance with the General Data Protection Regulation (GDPR). The GDPR is a comprehensive data protection law that came into effect on May 25, 2018, which was enacted by the European Union (EU) to give individuals more control over their personal data.
The GDPR applies to any organization that does business in an EU country, even if the organization is not based in the EU. Under the GDPR, personal data includes any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. This can be anything from a name, a photo, an email address, bank details, location details, medical information, or a computer IP address.
There are strict rules about how personal data can be processed, and organizations must ensure that they collect, use, and store personal data securely and transparently. The regulation grants individuals significant rights over their personal data, including the right to access, correct, delete, or transfer their data, and the right to withdraw consent for its use.
We’ll provide a simple, 10-step checklist you can use to improve your organization’s GDPR compliance.
Related content: This is part of an extensive series of guides about GDPR compliance.
Who needs to comply with GDPR?
While GDPR was enacted by the EU, its reach is global. Any business, regardless of its location, that processes the personal data of EU citizens must comply with GDPR. This includes multinational corporations that have a presence in the EU, as well as small and medium-sized enterprises that offer goods or services to EU residents or monitor their behavior.
Moreover, businesses that utilize third-party services to process personal data on their behalf are also required to comply. This means that even if your business doesn’t directly handle personal data, but uses services like cloud storage providers, email marketing platforms, or customer relationship management (CRM) systems that do, you must ensure these services are GDPR compliant.
Non-compliance can lead to severe penalties, including fines of up to €20 million or 4% of the company’s global annual turnover, whichever is higher. In addition to direct fines, non-compliance can damage a company’s reputation, leading to a loss of customer trust and potential business opportunities. Therefore, understanding and complying with the GDPR should be a priority for all companies that do business with EU citizens, whether physically or digitally.
9-Step Checklist for GDPR Compliance
The following checklist is not exhaustive, but it provides the most important steps you can take to ensure your business is GDPR-compliant.
1. Know all the data your business collects
Conduct a thorough audit of your data collection practices to identify what types of personal data you collect, how you collect it, where it’s stored, and who has access to it. It is important to identify what are all the systems that data flows through, and whether they are properly secured. Also identify any special data categories that might be subject to GDPR requirements.
This process may involve working across different departments within your organization, considering all the diverse ways data can be collected. This could range from customer data collected during transactions, to employee data, or data gathered from your website.
Once you’ve identified all the data you collect, you should document it in a data inventory or data map. This documentation will be critical in demonstrating your GDPR compliance to regulators, should they ever ask.
2. Appoint a Data Protection Officer (DPO)
A DPO is a critical role in ensuring GDPR compliance. The DPO is responsible for overseeing data protection strategy and implementation within your organization. They serve as the point of contact between your company and any Supervisory Authorities who oversee your data protection practices.
Not all organizations are required to appoint a DPO under the GDPR. However, even if not mandated by the regulation, it is highly recommended for all businesses that process large volumes of personal data or engage in regular and systematic monitoring of individuals and have an understanding of the DPO requirements and duties to have someone act in that capacity for the EU if a situation arises.
3. Review current privacy notices
Your privacy notices are an essential part of GDPR compliance. They must be transparent, easily accessible, and written in clear, plain language that your customers can understand. They should detail what data you collect, how you use it, who you share it with, and how long you intend to keep it.
Under the GDPR, you’re also required to inform individuals about their rights in relation to their personal data, how they can exercise those rights, and the right to lodge a complaint with a Supervisory Authority.
4. Understand the rights your users and customers have
The GDPR provides EU citizens with certain rights over their personal data. As a business, you must ensure that you have procedures in place to accommodate these rights. These might include:
- The right to be informed
- The right of access
- The right to rectification
- The right of erasure (‘right to be forgotten’)
- The right to restrict processing
- The right of data portability
- The right to object
- Rights concerning automated decision making and profiling
Understanding and implementing these rights can be challenging, but to be GDPR compliance, you’ll have to add the relevant capabilities to your customer-facing systems and data processing infrastructure.
Today in the United States, five states—California, Colorado, Connecticut, Utah and Virginia—have enacted comprehensive consumer data privacy laws along similar lines to GDPR. These rights and this compliance checklist may be equally applicable in those regions.
5. Review and Update Procedures for Submitting Requests
Under GDPR, individuals have the right to access their personal data, correct inaccuracies, object to processing, and request deletion or portability of their data. These rights necessitate businesses to have robust procedures in place for handling such requests.
If your current procedures are not up to par, it’s time to review and update them. Ensure that they are easy to understand and use, and that they can handle requests within the GDPR’s stipulated time frame of one month. Additionally, make sure your procedures can verify the identity of the individual making the request, to prevent unauthorized access to personal data (which can result in additional GDPR violations).
6. Update Existing Consent and Double Opt-In
GDPR requires businesses to obtain explicit and informed consent from individuals before processing their personal data. This means you must clearly inform individuals about why you’re collecting their data and how you intend to use it. This includes website forms, offline marketing forms, and sales forms.
If your existing consent mechanisms do not meet these requirements, you need to update them. This may involve reaching out to your existing data subjects and obtaining new consent that meets GDPR standards. Remember, under GDPR, consent can be withdrawn at any time, so make sure your procedures cater for this as well.
Another aspect of consent under the GDPR is ‘double opt-in’. This involves sending a confirmation email to the individual’s email address after they sign up. The individual must then click on a link in the email to confirm their subscription. This process provides clear evidence of consent, which is a requirement under GDPR.
7. Detect, Report, and Investigate Data Breaches
The third step in our GDPR compliance checklist is developing a robust system to detect, report, and investigate data breaches. Under GDPR, businesses must report data breaches to the relevant authority within 72 hours of becoming aware of it. They must also notify affected individuals without undue delay if the breach poses a high risk to their rights, privacy and identity, and freedoms.
To comply with these requirements, you need to have effective breach detection systems in place. You also need clear reporting procedures and a strategy for investigating and mitigating the effects of the breach. Regular testing and updating of these procedures is also essential to ensure they remain effective.
8. Be Transparent About Data Collection and Publish Your Privacy Practices
GDPR emphasizes the principle of transparency, which requires businesses to be open and honest about their data processing activities.
This means you need to clearly inform individuals about why you’re collecting their data, who it will be shared with, how long it will be stored, and how they can exercise their rights. You should also clarify how individuals and businesses can request changes to their data or opt out of having their data collected. All this information should be provided in a concise, transparent, and easily accessible form, such as a privacy notice on your website.
9. Regularly Assess All Third-Party Risks
If your business shares data with third parties or uses third-party services for data processing, you need to make sure these parties are also compliant with GDPR.
This involves conducting regular audits of your third-party vendors and updating your contracts with them to include GDPR-compliant data processing clauses. You also need to have a clear understanding of where your data is being stored and processed at all times, and ensure that appropriate safeguards are in place to protect it. Finally, make sure to document your third party data scope and make note of suspected third-party risks.
Adhering to GDPR Security Controls with Exabeam
Exabeam helps organizations meet both technological and operational requirements including:
- External Threat Reduction: Exabeam works alongside existing security solutions, using machine learning and behavioral analytics to identify unusual activity that may be indicative of a adversary’s attempt to find and access data.
- Internal Threat Reduction: Exabeam works alongside identity and access management solutions to prevent security incidents resulting from the accidental or malicious abuse of allocated permissions. By flagging activity that falls outside the norm for a given user, Exabeam helps to detect potential incidents that could lead to data theft. Ideal log sources mapped to use cases and the MITRE ATT&CKⓇ framework show which tools in the security arsenal can combine to show the clearest picture of events.
Oversight and Timely Notification: In addition to acting as a central point of intelligence in the customer’s security ecosystem, Exabeam provides forensic information about the full extent of the incident, including credentials and and accurate reporting for better compliance reporting.