While the value of consumers' personal data keeps increasing, so does their exposure to the organizations that collect that information for business purposes, especially given the everyday presence of new technologies and the Internet.
The new reality in which we find ourselves after the COVID-19 pandemic has opened more channels than ever through which we communicate with companies, and has expanded the range of devices involved: landlines, mobile lines, SMS, video conferencing, digital messaging… Because of this increase in the number of channels, the use of personal data has become more widespread. This, in turn, has given rise to many regulations that seek to control how our personal data is used.
In general, the fundamental objective of these recent regulations and business directives, together with other laws and codes of conduct at the country level, is to protect customers and their personal data, prevent fraud, store consent and ensure transparency in the use of this data. Companies that do not comply with the requirements can face penalties for non-compliance, severe sanctions, and reputational damage.
One of the major data protection regulations is the General Data Protection Regulation (GDPR). Below we explain what it is and what aspects must be considered to comply with it.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the privacy and security law drafted and passed by the European Union (EU). It came into force on May 25, 2018, and regulates the processing by individuals, companies, or organizations of personal data related to EU citizens. Although it was drafted and approved by the EU, it imposes obligations on organizations everywhere, whenever they target or collect data related to EU citizens.
The GDPR is one of the most comprehensive pieces of data regulation in recent times. It affects how companies around the world approach both external data protection (such as data security) and internal data access and use. It aims to give EU citizens more transparency and control over their personal data. It also modernizes and consolidates the data protection rules that the individual EU member states had adopted under the previous EU Directive into a single regulation.
GDPR Compliance Checklist
Achieving GDPR compliance shouldn't feel like a struggle. Therefore, we have created a GDPR Compliance Checklist that can help you protect your organization, safeguard your customers' data, and avoid costly fines for non-compliance. Although this checklist is far from an exhaustive legal document, it will give you an idea of how to approach GDPR compliance. Are you ready to comply with this regulation? Check it out below.
Explicit consent record:
To comply with the GDPR, companies must keep a record of consent, and that consent cannot be implied, as it often was before this regulation. That is, companies must obtain consent explicitly and only after informing the caller of the reason. This consent must comply with the following points:
- Consent is freely given, specific, informed and unambiguous.
- Consent requests are "clearly distinguishable from other matters" and are presented in "clear and plain language".
- Interested individuals may withdraw previously given consent whenever they wish to do so, and their decision must be respected.
- Children under the age of 13 can only give consent with parental permission.
- You retain the documentary proof of consent.
- When you update your privacy policy, you inform existing customers.
Legal basis and transparency:
The following points must be complied with at this level:
- You perform an information audit to determine what information you process and who has access to it. Organizations that have at least 250 employees or perform high-risk data processing must maintain an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request. The best way to demonstrate compliance with the GDPR is through a data protection impact assessment.
- You have a legal justification for your data processing activities. Processing is only lawful when it is necessary to:
- Perform a contract.
- Satisfy legal requirements.
- Protect the interests of one or more of the parties involved.
- Protect security or serve the public interest.
- Pursue the legitimate interests of the controller, provided that those interests are not overridden by the interests of the data subjects that require protection of their personal data.
- You provide clear information about the processing of data subjects' data and its legal justification in your privacy policy. You should tell customers that you are collecting their data and why, and explain how it is processed, who has access to it and how you keep it secure. This information should be included in your privacy policy and provided to data subjects at the time you collect their data. It should be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
Data security:
The following points must be complied with:
- Personal data is stored securely, and appropriate security controls are implemented to prevent any unauthorized persons from accessing stored personal data.
- Personal data is encrypted, pseudonymized or anonymized whenever possible.
- You conduct a data protection impact assessment whenever you plan to use individuals’ data in a way that is likely to result in a high risk to their rights and freedoms.
- You have a formal process implemented to notify the authorities (within 72 hours) and your data subjects in the event of a data breach.
Responsibility and management:
The following points must be complied with:
- Your company has appointed a Data Protection Officer (DPO) where one is required: when processing is carried out by a public authority, when processing is the core business of a large-scale organization, or when special category data is processed.
- You train staff to be aware of data protection.
- A data processing agreement is signed between your organization and any third party processing personal data on your behalf.
- If your organization is outside the EU, you appoint a representative within one of the EU member states.
Privacy rights:
The following points must be complied with:
- It is easy for your customers to request access to their personal information.
- It is easy for your customers to update their own personal information to keep it accurate.
- The deletion of data that is no longer needed is automated.
- It is easy for your customers to request that you stop processing their data.
- It is easy for your customers to request that their personal data be deleted.
- It is easy for your customers to request that their data be transferred to them or to a third party.
- It is easy for your customers to object to your processing of their data.