What is the GDPR?
Enacted in May 2018, the General Data Protection Regulation (GDPR) is the European Union’s latest data privacy and security law. The GDPR establishes data protection as a fundamental right to UK & EU based users and includes numerous protections covering the use, storage, confidentiality, and transfer of personal data. The fines for violating the GDPR are severe, maxing out at €20 million or 4% of global revenue (whichever is higher).
Do you sell goods or service in the EU or UK?
Do you sell goods or services to EU businesses, consumers, or both?
Do you have employees in the EU or UK?
Do persons from the EU or UK visit your website?
Do you monitor the behavior of persons within the EU?
Identify and document every system (i.e. database, application, or vendor) which stores or processes EU or UK based personally identifiable information (PII)
Document the retention periods for PII in each system
Determine whether you collect, store, or process “special categories” of data
Determine whether your Data Map meets the requirements for Records of Processing Activities (Art. 30).
Determine whether your Data Map includes the following information about processing activities carried out by vendors on your behalf.
For each category of data and system/application have you determined the lawful basis for processing based on one of the following conditions?
Review all customer contracts to determine that they have appropriate contract language (i.e. Data Protection Addendums with Standard Contractual Clauses)
Review all in-scope vendor contracts to determine that they have appropriate contract language (i.e. Data Protection Addendums with Standard Contractual Clauses)
Do your agreements cover the following items?
Have you performed a risk assessment on vendors who are processing your PII?
Is your data processing taking into account the nature, scope, context, and purposes of the processing, likely to result in a high risk to the rights and freedoms of natural persons?
Does your processing involve any of the following?
Does the notice to the data subject include the following items?
Does the notice also include the following items?
Do you have a mechanism for persons to change or withdraw consent?
Update internal privacy notices for EU employees
Determine if you need to appoint a Data Protection Officer, and appoint one if needed.
Have you determined whether or not you must designate a Data Protection Officer (DPO) based on one of the following conditions (Art. 37)?
If you transfer, store, or process data outside the EU or UK, have you identified your legal basis for the data transfer (note: most likely covered by the Standard Contractual Clauses) 3
Have you performed and documented a Transfer Impact Assessment (TIA)?
Do you have a defined process for timely response to Data Subject Access Requests (DSAR) (i.e. requests for information, modification or deletion of PII)?
Are you able to provide the subject information in a concise, transparent, intelligible and easily accessible form, using clear and plain language?
Do you have a process for correcting or deleting data when requested?
Do you have an internal policy regarding a Compelled Disclosure from Law Enforcement?
Have you appointed an EU Representative or determined that an EU Representative is not needed based on one of the following conditions?
Do you operate in more than one EU state?
If so, have you designated the Supervisory Authority of the main establishment to act as your Lead Supervisory Authority?
Have you provided appropriate Security Awareness and Privacy training to your staff?
Have you created and implemented an Incident Response Plan which included procedures for reporting a breach to EU and UK Data Subjects as well as appropriate Data Authorities?
Do breach reporting policies comply with all prescribed timelines and include all recipients i.e. authorities, controllers, and data subjects?
Have you implemented encryption of PII at rest and in transit?
Have you implemented pseudonymization?
Have you implemented appropriate physical security controls?
Have you implemented information security policies and procedures?
Can you access EU or UK PII data in the clear?
Do your technical and organizational measure ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed?