The Ultimate GDPR Compliance Checklist

The new EU General Data Protection Regulation came into effect on 25 May 2018, and everyone seems to have been affected by the last-minute scramble to get ready. The sudden regulatory change means a lot of time, money, and legal uncertainty. Global behemoths like Facebook, Google, and Amazon are able to afford the small fortune it takes to ensure legal compliance with the help of consultants, advisors, and armies of attorneys and developers. But the GDPR might also apply to a small startup without those resources.

We are here to help – at least with the uncertainty. This checklist is the rundown on everything GDPR. Hopefully, that can also help you save on time and cost. There are several great resources available online – we provide links to these as we go along.

Use this checklist to determine what you need to focus on and use those linked resources for more information. This article is limited to the absolute essentials – we want you to be a GDPR expert in this 20 minute read.

1. Determine whether you have to comply with GDPR requirements

Determining whether or not you have to comply with the GDPR depends on three questions:

Question 1: Do you process personal data?

If your answer is no: You have nothing to worry about – the GDPR will not affect you.
If your answer is yes: You might have to comply with GDPR requirements, depending on your answers to questions 2 and 3.

Question 2: Is your company established within the EU?

If your answer is no: You might have to comply with the GDPR (depending on your answer to question 3).
If your answer is yes: You are definitely bound by the GDPR – you can skip question 3.

Question 3: Do you intend to sell goods or services to persons who are in the European Union, even though your company is not established within the EU?

If your answer is no: You have nothing to worry about – the GDPR will not affect you.
If your answer is yes: You have to comply with the GDPR.

How To Determine Whether Your Answer To These Questions Should be Yes or No

As is always the case with extensive legal regulation, the devil tends to be in the detail. If you are a bit uncertain as to the correct answers to the three questions above, here are some additional definitions and guidance that can help:

  • Personal data refers to: “any information relating to an identified or identifiable person”. This includes, but is not limited to: avatars and profile pictures, email addresses, phone numbers, residential addresses, social media profile URLs, biometric data (think of, for example, fingerprints captured by some smartphones or the iPhone X’s facial recognition), device names, passport and identity/social security numbers, driver’s licenses, ID photos, posts on social media, bank account and payment information… the list is potentially infinite.
  • Processing refers to: “any operation or set of operations which is performed on personal data or sets of personal data including accessing, collecting, organizing, structuring, storing, altering, retrieving, disclosing and deleting.”
  • Whether or not you intend to sell goods and services to persons in the EU will be somewhat context-dependent. It is important to note that the relevant provision of the GDPR, Recital 23, explicitly states that you can be targeting EU residents even if what you are doing is unconnected to payment. Regulators will look at the languages your content is in, whether you accept payments in euros, whether you mention customers or users who are in the EU, and any other factor that could indicate an intention to sell to, or monitor the behavior of, consumers in the EU.

At this point, you should know whether or not the GDPR requirements apply to you. Let’s move on to everything you need to know about GDPR compliance.

2. Determine in which capacity you process data

For each type of personal data that you process, the GDPR classifies you as either (1) the data controller, or (2) the data processor. Whether you are the controller or the processor will determine the extent of your obligations under the GDPR requirements.

Data Controllers

The data controller is the person (or company) that determines the purposes for which, and the way in which, personal data is processed. In the case of electronic payments, if you have a direct relationship with the client (you use Stripe, for example), you are a data controller with respect to the personal data of that client.

Data Processors

The data processor is anyone who processes data on behalf of the data controller (excluding the controller’s employees, of course). In the case of electronic payments, if a company is acting as a reseller of your goods/services, you will only be a data processor with respect to personal data relating to the payments.

What does this mean?

You will probably be a data controller with respect to some of the personal data that you process, and a data processor with respect to other data. Whether you are a data controller or a data processor determines the extent of your obligations under the GDPR, so it is a good idea to define clearly the data for which you are a controller and the data for which you are a processor.

If you are a data controller, you will have to comply with every item on this checklist. If you are a data processor, some of the items will not apply to you (we’ve added notes to indicate where).

3. Re-read the Terms of Service

GDPR Article 28 provides that the relationship between a data controller and a processor must be governed by a written contract (terms of service). This contract must cover, amongst other things:

  • The nature and purpose of personal data processing
  • The obligations and rights of the data controller
  • The types of personal data and types of data subjects covered by the agreement
  • Confidentiality obligations

Whether you are a data controller or a data processor, it is a good idea to review your contracts with any controllers/processors that you work with. Most of the larger companies have already updated their terms of service to be GDPR compliant, but it is a very good idea to do your own compliance check. Everything you’d need to know about ensuring that contracts between processors and controllers are compliant can be found here.

4. Determine whether you process sensitive personal data, children’s data or criminal record information

The GDPR defines sensitive personal data as data pertaining to the following:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data and biometric data
  • Health data
  • Sex life and sexual orientation

If you process any of these categories of data, and/or children’s data, and/or criminal record information, you face additional rules for the processing of that data. If you do not process any of this data, you can skip this next part and move directly to checklist item 5.

I do process sensitive personal data. Now what?

If you process sensitive personal data, you will have to ensure that you comply with specific requirements over and above the GDPR requirements for other personal data. Everything you need to know is contained in Article 9.

Some of the most important provisions to keep in mind are that you will only be able to process sensitive personal data if:

  • You have explicit consent from the data subject for the processing of the data for specified purposes
  • You have to process the data to carry out the obligations and exercise the rights of the data controller
  • You have to process the data to protect the vital interests of the data subject or of another natural person
  • You have to process the data for the establishment, exercise, or defence of legal claims

These are only four of the 10 possible justifications for processing sensitive personal data – many of them relate to (somewhat unlikely) scenarios of public interest protection. Have a look at the complete list, and make sure you are allowed to process any sensitive personal data that you have.

5. Ensure that you process personal data lawfully, fairly, and transparently.

The first principle that the GDPR requires is that all personal data must be processed lawfully, fairly, and transparently. This can sound like a mouthful, but complying is as easy as 1-2-3.

1. Establish a lawful basis for which you are processing the data

For each and every piece of data that you process, you need to be able to prove a lawful basis. This can be any of the following:

  • You have the individual’s consent to process the data
  • You need to process the data for the performance of a contract
  • You need to process the data to comply with a legal obligation
  • You need to process the data to protect the vital interest of the data subject or another natural person
  • You need to process the data for the performance of a task carried out in the public interest or in the exercise of official authority
  • You need to process the data for purposes of legitimate interests pursued by the controller or a third party

You can rely on a different lawful basis for each type or category of data that you process.

2. If you are relying on consent, you have to be able to prove consent

If you are relying on consent as the legal basis for your data processing, be sure that you can prove consent. For this you might have to record when users opted in to your service/communication (you can store the opt-in IP and date). In some cases, and only if you will contact users exclusively about products and services, you might be able to use a “soft opt-in” (that is: provide the option of an opt-out and construe users’ refusal to opt out as consent). The ICO explains this in more detail.

If you do not have proof of consent, you will have to ask all users to re-subscribe and delete the information of everyone who does not re-subscribe. (If you need the records and you do not want to delete them entirely, you can anonymize them – if data is not linked to a natural person, it is not personal data.)

If you collect data for purposes other than marketing communication, you might also need consent. If you are a SaaS company, you might be able to process personal data without consent because you can rely on the fact that you need the data to perform your obligations under your contract with the user.

Long story short: be sure to know exactly what the legal basis is for each of the categories and types of personal data that you process. And if that basis is consent, ensure that you can prove it.
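As an added illustration (not code from the LawTrades article), the following consent ledger records the evidence the checklist suggests keeping (opt-in date, opt-in IP, and the privacy notice version the user saw), decides from the history whether consent can currently be proven for a given purpose, and anonymizes the records of anyone who cannot be shown to have consented, as the re-subscribe step above describes. The data model, purpose names and sample users are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional
import secrets

@dataclass
class ConsentEvent:
    purpose: str          # consent is recorded per purpose, e.g. "marketing_email"
    given: bool           # True for an opt-in, False for a withdrawal
    at: datetime          # when the user acted (stored in UTC)
    source_ip: str        # the opt-in IP the article suggests keeping as evidence
    policy_version: str   # which version of the privacy notice the user saw

@dataclass
class UserRecord:
    user_id: str
    email: Optional[str]
    consents: List[ConsentEvent] = field(default_factory=list)

def utc(*ymd_hms) -> datetime:
    """Build a timezone-aware UTC timestamp (used for fixed sample data)."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)

def record_consent(user: UserRecord, purpose: str, given: bool, source_ip: str,
                   policy_version: str, at: Optional[datetime] = None) -> ConsentEvent:
    """Append an event; never overwrite, so the full history stays as proof."""
    event = ConsentEvent(purpose, given, at or datetime.now(timezone.utc),
                         source_ip, policy_version)
    user.consents.append(event)
    return event

def has_valid_consent(user: UserRecord, purpose: str) -> bool:
    """The most recent event for the purpose decides; no event means no consent."""
    events = [e for e in user.consents if e.purpose == purpose]
    return bool(events) and max(events, key=lambda e: e.at).given

def anonymize(user: UserRecord) -> None:
    """Remove everything linking the record to a natural person, IPs included."""
    user.email = None
    user.user_id = "anon-" + secrets.token_hex(8)   # random, not derived from the old id
    user.consents = [ConsentEvent(e.purpose, e.given, e.at, "redacted", e.policy_version)
                     for e in user.consents]

def purge_unconsented(users: List[UserRecord], purpose: str) -> int:
    """Anonymize every user who cannot be shown to have consented; return the count."""
    count = 0
    for u in users:
        if not has_valid_consent(u, purpose):
            anonymize(u)
            count += 1
    return count
```

Keeping the event history append-only matters: a withdrawal must be recorded alongside the earlier opt-in rather than overwriting it, otherwise you can no longer show what the user agreed to and when.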

3. Complying with the “fairness” and “transparency” requirements

The first principle of the GDPR also requires fairness and transparency. Update and simplify your privacy policy. Individuals have the right to know upfront how you are processing their data. GDPR Articles 12, 13 and 14 cover the requirements for a GDPR compliant privacy policy. Refer to the ICO’s useful summary of the various requirements.

6. Ensure that data is minimized and collected for a specific purpose

The GDPR’s second and third principles set out the obligation on data processors and controllers to keep data only for a specific purpose, and only to the extent that is necessary.

More specifically, data needs to be collected for “specific, explicit, and legitimate” purposes; and data needs to be “adequate, relevant, and limited to what is necessary”. Here are two easy steps to comply:

1. Decide whether you really need all the data you are collecting, and for how long

Have a look at the data that you are collecting, and ensure that each piece of data has a legitimate and specific purpose. Remember: even if you have a lawful basis for processing data (checklist item 5), you are not allowed to process that data if there is no specific purpose for it. Ensure that you keep the data for no longer than is necessary for its purpose.

2. Update your sign-on form

-this will not apply if you are a data processor and not a data controller-

Many companies have developed the habit of collecting personal data upon sign-on “just in case”. Under the GDPR, this is no longer acceptable. Go through your sign-on forms to ensure you are not collecting data for which you do not have a legitimate purpose.

7. Allow users to access, edit, download, and delete personal information

-this will not apply if you are a data processor and not a data controller-

The GDPR establishes the rights of all data subjects to access, edit, download, and request deletion of personal data. Once a user is logged in, they must be able to view all their personal data, edit it, download it in an accessible format, and delete (or request deletion of) all data that is not critical to delivering a service. Ensure that all users are able to do this. Again, you can anonymize records if you do not want to delete them.

You also have to provide this right to users that have left your service (trial users, users who have disabled their accounts, etc.).

8. Take care when transferring data outside of the EU

When you transfer personal data outside of the EU, you are required to put appropriate safeguards in place. There are some countries which the EU has certified as having “adequate levels of protection” – if sending data to these jurisdictions, you are not bound to take the prescribed safeguards. Refer to this list of countries that have data protection adequacy.

And that, in short, is it! The scope of the GDPR is broad and there are many details that were omitted in this article – most significantly, the article did not go into the principles and rights established by the GDPR except where they impacted this practical checklist. Be sure to check out the rights and principles to have a more complete impression of the regulation and its aims.

LawTrades

At Lawtrades, we offer affordable legal coverage designed to help you pay less and run your business with confidence. Talk to a Legal Pro today to find your business the perfect lawyer for your needs and budget.
