HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

“To-do List” for GDPR Compliance

The goal of this short piece is to help organizations, companies or businesses that collect, process or store personal data of “data subjects” located in the EU start a GDPR To Do List. This list should permit such entities to take initial steps in order to comply with the GDPR. Please note that this is not intended to be a comprehensive guide, but rather a few “rules of thumb” to take into account in order to get started.

Preparing a GDPR To Do List

Although the impact of the General Data Protection Regulation (GDPR) has been largely known since it was agreed in 2016, it seems that few organizations have prepared a GDPR To Do List. According to ‘Spice Works’, just one year before the implementation date of the 25th May 2018, only 2% of Information Technology professionals surveyed throughout the European Union believed that their company or business was properly prepared for GDPR. A similar figure applied to IT professionals in the USA, and the figure for their UK counterparts was only marginally higher, at 5%. Simply put, this statistic is a cause for concern given that correct compliance is a necessity for organizations that wish to avoid fines and other penalties.

In order to comply with the GDPR, organizations should begin by ensuring that the following actions are taken:

Inform yourself about the GDPR

The majority of business people possess some knowledge about the GDPR. The most obvious thing about the GDPR is that it will replace the Data Protection Directive (DPD). The difference between an EU Regulation and an EU Directive matters here: a Regulation applies directly in every member state, whereas a Directive must be transposed into each state's national law, so the new law will improve uniformity in how personal data is managed across the entire European Union.

Under the GDPR, individuals will possess greater control over how their personal data is used. This is applicable to every “data subject” – usually defined as a person who is within a member state of the European Union at the time their personal information is obtained. Data subjects have the right to know what data is maintained about them, to correct incomplete or inaccurate data, and to request that the data is erased (save for a small number of specific circumstances). It is important to note that companies throughout the entire world will be impacted by the GDPR, and not only those based within the EU. Any organization that collects, processes or stores the personal data of data subjects is obliged to respect the new regulation.

Companies and businesses must ensure their employees are briefed on the GDPR To Do List, and a GDPR training course should be provided covering how the regulation affects the way organizations deal with data.

Perform an audit of stored data

As soon as an organization has compiled a GDPR To Do List, it must carry out an audit of the personal data that it presently holds. It should take the following into account:

  • What type of data is held?
  • In what location is the data held?
  • Who is in charge of managing the data?
  • For what purpose is the data used?
  • Is retention of data still necessary?
  • What security measures are in place to protect the data?
  • Can the data be accessed and furnished to the individual concerned should they make a Subject Access Request (SAR)?

Perhaps the key thing to consider is whether or not it is at all necessary to still retain data. The GDPR states data should be used only for the purpose it was originally obtained for. Should that purpose no longer exist, the data should be deleted or destroyed, save in circumstances where there is a legally sound reason to retain it. As a general rule, it is worth noting that the less data any particular organization holds, the less significant the impact of any data breach or misuse is likely to be.

Pinpoint risks

Any high-risk data or activities should be identified. In order to do so, it is advisable that Data Protection Impact Assessments (DPIAs) be used. As soon as risks have been identified, steps to mitigate against them need to be taken. If, on the available evidence, it seems that mitigation is impossible, the relevant Data Protection Authority (DPA) should be consulted in order to discuss how best to keep and process the data. This type of discussion, it should be noted, is anticipated to be relatively rare. That said, if circumstances arise whereby it appears that no mitigation is possible, an organization is obliged to contact the authority to discuss the issue in order to be compliant with the GDPR.

Keep a record of all compliance processes

Organizations are required to demonstrate that they are GDPR compliant. For this reason it is essential to accurately document each process and procedure. An organization revealed to be non-compliant may be faced with a fine of up to €20 million, or 4% of its annual turnover (whichever is greater). While, in all probability, the DPA will initially concentrate on addressing issues with organizations that are obviously non-compliant, it is still extremely important for every organization to have its own processes, procedures and documentation in place.

Prepare for the risk of data breaches

As soon as the GDPR has been introduced, it will become obligatory for every data breach to be reported to the relevant authority within 72 hours. It is for this reason that it is essential that each organization has its own procedures in place for dealing with data breaches if and when they occur. Aside from failing to comply with the GDPR, and therefore exposing the organization to a costly fine, a lack of contingency plans might also lead to a damaged reputation. This could prove to be even more costly in the long term, should it have a significant impact on customer business.

Employ an in-house Data Protection Officer (DPO)

Following activation of the GDPR, any business or organization that monitors the personal data of individuals (including IP addresses) on a significant scale will be obliged to engage the services of a DPO, either in an internal capacity or by means of an external provider. This also applies where organizations process large volumes of special category data, e.g. genetic data or criminal records. Public bodies which deal with the personal data of individuals will also need to have a DPO in place.

It is very probable that, initially, there will be a lack of qualified Data Protection Officers available. That said, there is no clear definition of what qualifications a DPO is required to hold. What is necessary, however, is that a DPO be fully acquainted with what the GDPR covers, and its impact upon the business. Furthermore, they must be able to initiate and oversee the running of data protection systems and processes. It is feasible for an organization to internally recruit an existing staff member as its DPO provided that they possess the skill set required, and have received sufficient training in every aspect of the GDPR.

Development of monitoring and reporting processes

As soon as it has ensured that GDPR compliance systems are in place, an organization must also develop processes for monitoring and reporting on their performance. This is so that, firstly, each organization is capable of checking at any time that its processes are functioning and fully GDPR compliant, and, secondly, because every organization must be able to demonstrate that it is compliant in the event that it is audited by the relevant Data Protection Authority. An organization can demonstrate it is compliant only if everything it does concerning data management and protection is accurately documented. Furthermore, it will need to be able to show that a functional checking regime is in place.

The importance of being prepared

As noted above, DPAs will be able to impose a variety of fines for non-compliance with the GDPR. The precise amount of the various fines, aside from the maximum in each category, remains undefined. It appears that DPAs will have some flexibility when it comes to making decisions about this matter. The imposition of other sanctions will also be subject to a certain amount of leeway. What those other available sanctions will be has not yet been defined.

Despite the fact that DPAs will possess some leeway in their imposition of sanctions and fines, it is anticipated that they will discuss these questions with each other so that a level of uniformity is achieved.

Step one for any organization should be to make itself aware of the scope of the GDPR. A large number of organizations that operate worldwide appear to think the GDPR does not affect them in any way. If, however, they have any role in the processing of data collected from individuals located within the European Union, they might be in for quite a shock. This does not only apply to data that has been received directly from the subject; it could also apply to data received from a third party. Getting fully informed about the GDPR, and the organization's obligations under the regulation, should be the first item on its GDPR To Do List.

After that initial item has been ticked off the GDPR To Do List, it is then a matter of assessing present data and practices, and ensuring that any data held is held in compliance with the GDPR. Organizations must also enact processes and procedures in order to ensure that continuing data collection and management is GDPR compliant. The management of data must also be monitored. Risks must be identified and mitigated against. While organizations should do everything within their capabilities to guarantee the security of data, they should also be ready to report any data breaches within 72 hours of occurrence. In order to avoid potential penalties under the GDPR and protect their good reputations, organizations should ensure all of the above is in place by the 25th May 2018.

Summary: GDPR Requirements List

To summarize the initial steps an organization should take to compile a GDPR To Do List, we have compiled a GDPR Requirements List. Not all of these requirements will apply to every organization: an organization that collects, processes or stores personal data for its own benefit is known as a “Data Controller”, while an organization that processes or stores personal data on behalf of a third party is a “Data Processor”. Data Processors should refer to the items on our GDPR Requirements List tagged with “Data Processors”.

  • Has your organization compiled a list of the personal data it holds, the sources of that data, who you share the data with, what you do with it, and how long you will keep the data for? (Data Controllers/Data Processors)
  • Has your organization compiled a list of where personal data is kept and how data flows between these places? (Data Controllers/Data Processors)
  • Has your organization compiled a publicly accessible Privacy Policy, outlining all the processes related to the collection, processing and maintenance of personal data? (Data Controllers/Data Processors)
  • Does your Privacy Policy explain the lawful basis why your organization needs to collect and process personal information? (Data Controllers)
  • Has your organization conducted a risk assessment of its security mechanisms, ensured any weaknesses or vulnerabilities are addressed and trained employees to be aware of data protection? (Data Controllers/Data Processors)
  • If your organization operates outside the EU, have you appointed a representative within the EU who will be responsible for reporting data breaches to the DPA and the data subjects whose data has been breached? (Data Controllers/Data Processors)
  • Has your organization put a contract in place with its data processors and sub-processors to ensure you are informed of any data breaches? (Data Controllers)
  • Has your organization put mechanisms in place to allow individuals to request access to their personal information, to update or correct it as necessary, to request their data is erased or transferred to another data processor? (Data Controllers/Data Processors)
  • Does your organization always ask for specific consent before processing an individual's information, give them the opportunity to object to personal profiling or automated decision making that could impact them, and give them the right to easily withdraw their consent? (Data Controllers)
  • Finally in our GDPR Requirements List, does your organization have a schedule in place for reviewing the effectiveness of your GDPR To Do List, organizational compliance, changes in how data is handled, and changes in your situation or legal obligations (for example, conducting a DPIA for high-risk processing)? (Data Controllers/Data Processors)