GDPR Compliance Requirements: A Comprehensive Checklist
by Audrey Oh
The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. It is the most significant change to data privacy regulation in over 20 years and replaces the 1995 Data Protection Directive (95/46/EC). GDPR changes how businesses and other organisations are allowed to store and handle personal data and gives individuals greater rights over how their data is used. Any information relating to an identified or identifiable person is protected by the regulation.
In recent years a string of massive data breaches has hit the headlines, including the Yahoo breach, which affected three billion accounts. Consumers are becoming more wary of providing personal information, which means that companies must prove themselves trustworthy if they want to see continued business growth. Our comprehensive checklist of GDPR compliance requirements provides guidance to help businesses operate ethically, legally and successfully.
Establish Accountability
Make sure that everyone in the company is on board with GDPR and that responsibility for ensuring compliance has been allocated to specific staff members. GDPR's accountability principle requires an organisation to be able to demonstrate its compliance, not merely assert it, and if there is a breach the company will be held to account. To ensure ongoing compliance, all staff must understand the requirements of GDPR and their responsibility to adhere to it. Check that the key decision-makers are on board and implement company-wide training.
Appoint a project manager to oversee the integration of GDPR compliance. This will save time and money in the long run and ensure the job gets done effectively. Avoid assigning this task as an additional responsibility to an existing member of staff. A professional project manager will be able to plan the project effectively and take into consideration the implications of Brexit, among other factors. In some circumstances a business is required to appoint a designated Data Protection Officer (DPO): broadly, public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The Information Commissioner's Office (ICO) provides a useful guide outlining when a company must do so.
Businesses must be able to show that there are processes in place to report data breaches to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of them, and to notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms. There must also be written contracts between the company and any data processors that information is shared with, including hosting providers, for example; GDPR requires such contracts to set out the processor's obligations.
Know Your Data
A business will struggle to put a system in place to protect data without a good understanding of the data being held. Audit your data and list the records that could be deemed personal data under GDPR. Under GDPR, "personal data" means any information relating to an identified or identifiable person, directly or indirectly, which includes identifiers such as names, email addresses, IP addresses and online identifiers. This is a broader interpretation than the common US term "Personally Identifiable Information" (PII), so take care to comply with the regulations that are relevant to your business and the areas you operate in.
In addition to defining the type of data being held, an audit should review where and how it is stored, how it is processed, who has access to it, the lawful basis for processing it and what the company privacy policy covers.
The regulation also requires most businesses to produce and maintain records of their data-processing activities. There are several GDPR data mapping tools that can help with this process, many of them free.
Assess the Current Security Status of the Business
A risk-based approach to data processing is at the core of GDPR compliance requirements. All businesses should conduct a thorough risk assessment and identify any potential threats to the security of the personal data they hold. Use the record of data-processing activities created in the previous step of this checklist to flag potential risks. After identifying them, evaluate each risk and develop a strategy for controlling and minimising it. Where processing is likely to result in a high risk to individuals, GDPR additionally requires a formal Data Protection Impact Assessment (DPIA) before the processing begins.
You can also use gap analysis to identify gaps in existing workflows that could lead to data breaches. Once you have identified a gap, formulate a plan of action for addressing it and set a firm timeline.
Use Knowledge of PCI DSS Compliance
PCI DSS (Payment Card Industry Data Security Standard) is separate from GDPR, but the two have overlapping aims: both require organisations to adequately protect sensitive personal information. The former relates specifically to cardholder data and the latter to all personal data. If a company has already worked to achieve PCI DSS compliance, introducing GDPR compliance will be simpler. Processes required under PCI DSS, such as maintaining an inventory of where cardholder data is stored and reviewing it annually, restricting access on a need-to-know basis and logging access to data, provide an initial framework for recommended GDPR measures. Much of the security work required for GDPR compliance may already have been done. Bear in mind, though, that GDPR also covers matters PCI DSS does not, such as establishing a lawful basis for processing, honouring individuals' rights of access and erasure, and breach notification, so PCI DSS compliance is a head start rather than a substitute.
So You’re GDPR Compliant? Great! Now Keep Going
GDPR should not be viewed as a box to tick and forget about. Compliance requires ongoing monitoring, auditing and revision of planned actions. Set a schedule for regular audits and keep data-processing records up to date. Technology never stands still, so new threats to the security of the personal data held by your company could arise at any time. Stay vigilant and not only will you safeguard your business against costly fines, but your customers will also thank you for it. Customers who trust a company are much more likely to remain loyal and bring new customers with them.
Are you committed to protecting your customers’ personal data? Find out more about Callstream’s PCI DSS compliant software for secure phone payments.