The GDPR Compliance Tool checklist
Organizations are GDPR-compliant if they:
- Comply with the data processing principles
- Uphold data subject rights
- Secure personal data
- Comply with the rules on data transfer and sharing
The following checklist details these requirements. Location, resources, and data processing activities will determine how an organization meets these requirements.
Digital processing principles
Companies that process personal data must follow the GDPR's processing principles. The principles are as follows.
The organization processes data legally
The GDPR specifies when companies may legally process personal data. Before collecting data, an organization must establish its legal basis for processing. When collecting the data, the company must inform users of this basis. Changing the basis afterward requires the user's consent.
Legal grounds may include:
- The organization has the data subject's consent to process the data. Only informed, affirmative, and freely given consent is valid.
- Informed consent requires that the company disclose what data it collects and how it will use the data.
- Affirmative consent requires an action by the user, such as signing a statement or checking a box. Consent cannot be the default.
- Consent is freely given only if the company does not coerce the data subject, and the subject must be able to withdraw consent.
- The organization must process the data to enter into or carry out a contract with the data subject or on their behalf.
- The organization must process the data to comply with a legal obligation.
- The organization must process the data to protect the data subject or other people.
- The organization processes the data for journalism or public health purposes.
- A public authority processes the data for official purposes.
- The company processes the data for a legitimate purpose.
- The controller or another party has a legitimate interest in processing the data. Examples include employee background checks or tracking IP addresses on a corporate network for cybersecurity. To claim legitimate interest, the organization must demonstrate that the processing is necessary and does not override the subjects' rights.
The organization only collects and uses data for a specific purpose
Under GDPR purpose limitation, controllers must have a documented reason for collecting data. The controller must tell users this purpose at collection and can only use the data for this purpose.
The organization collects only necessary data
Controllers may collect only the data needed for their stated purpose.
The organization keeps its data accurate and current
Controllers must take reasonable steps to ensure that personally identifiable data is accurate and up to date.
The company deletes unneeded data
The GDPR strictly regulates data retention and deletion. Companies must delete data once it has served its intended purpose.
The organization handles children’s and special category data with extra care
Controllers and processors must give certain categories of personal data additional protection.
Biometric and racial data are examples of sensitive special category data. Organizations may process special category data only to prevent serious threats to public health or with the data subject's explicit consent.
Only public authorities may control criminal conviction data; processors may handle this data only under the direction of a public authority.
Controllers must obtain parental consent before processing children's data, and must take reasonable steps to verify the subject's age and the parent's identity. Data controllers must use child-friendly privacy notices when collecting data from children.
Under the GDPR, each EEA state defines "child" differently. Definitions range from "anyone under 13" to "anyone under 16."
A company records all data processing
Companies with more than 250 employees must keep records of their data processing. Organizations with fewer than 250 employees must also keep records if they process highly sensitive data, process data regularly, or process data in a way that puts data subjects at risk.
Controllers must record what data they collect, how they use it, how it flows through the organization, and what safeguards protect it. Processors must record the controllers they work for, the types of processing they perform, and their security controls.
Compliance is the controller’s responsibility
Data controllers bear responsibility for GDPR compliance. The controller must ensure, and be able to demonstrate, that its third-party processors meet GDPR requirements.
Rights of data subjects
The GDPR grants individuals rights over their data. Controllers and processors must respect these rights.
The organization makes data subjects' rights easy to exercise
Data subjects must have a simple way to exercise their data rights. These rights include:
- Right to access: Subjects must be able to request and receive copies of their data and information about how the company uses it.
- Right to rectification: Subjects must be able to correct or update their data.
- Right to erasure: Data must be deleted at the subject's request.
- Right to restrict processing: If subjects believe their data is inaccurate, unnecessary, or misused, they must be able to restrict its processing.
- Right to object: Subjects must be able to object to processing, and consent must be easy to revoke.
- Right to data portability: Controllers and processors must help subjects transfer their data.
Organizations must respond to data subject access requests within 30 days. A company must comply with a subject's request unless it has a compelling reason not to.
Organizations must justify any rejected request and inform the subject how to appeal the decision to the company's data protection officer or to a supervisory authority.
The organization lets data subjects challenge automated decisions
Under the GDPR, data subjects have the right to opt out of automated decision-making processes that could affect them. This includes profiling, which the GDPR describes as the automated assessment of a person's work performance.
An organization must allow data subjects to challenge automated decisions. Subjects may also request that a human employee review automated decisions that affect them.
The company uses personal data transparently
Data controllers and processors must proactively and clearly inform data subjects about how they collect and use data and about the subjects' rights.
Subjects must receive a privacy notice at the time of data collection. If the company does not collect personal data directly from the subject, it must send the privacy notice within a month. Companies may also publish these details in the privacy policies on their websites.
Data security and privacy
The GDPR requires controllers and processors to protect data subjects and prevent data misuse.
The company has cybersecurity controls
Controllers and processors must implement security measures to safeguard personal data. The GDPR does not prescribe specific controls, but companies must take appropriate technical and organizational measures.
Technical measures include IAM platforms, automated backups, and data security tools. Although the GDPR does not mandate data encryption, it recommends pseudonymization and anonymization wherever possible.
Organizational measures include security policies, risk assessments, and employee training. When designing or implementing new systems and products, companies must protect data by design and by default.
The company performs required DPIAs
A company must perform a data protection impact assessment before processing data in a way that puts subjects' rights at risk. Processing that triggers a DPIA includes automated profiling and large-scale processing of special categories of personal data.
A DPIA must describe the data, the intended processing, and its purpose. It must identify the risks of the processing and the methods for mitigating them. If significant risk remains unmitigated, the organization must consult its supervisory authority before proceeding.
If needed, the company has a DPO
A company must appoint a DPO if it processes special category data or monitors subjects extensively. All public agencies must appoint a DPO.
The DPO oversees GDPR compliance: coordinating with data protection authorities, advising the organization on the GDPR, and managing DPIAs.
DPOs must be independent and report to top management. Organizations may not retaliate against DPOs for carrying out their duties.
Organizations notify supervisory authorities and data subjects of data breaches
Most personal data breaches must be reported to the supervisory authority within 72 hours. If the breach poses a risk to data subjects, the organization must notify them as well. Subjects must be notified directly unless direct communication is unreasonable, in which case the organization must issue a public notice.
Processors must notify their controllers of breaches immediately.
The organization has an EEA representative if outside the EEA
Any company outside the EEA that processes EEA residents' data or sensitive data must appoint a representative in the EEA. The representative deals with government authorities on the company's behalf and handles its GDPR compliance.
Sharing and transferring data
The GDPR regulates how companies inside and outside the EEA share personal data.
Organizations govern processor relationships with formal data processing agreements
Controllers may share personal data with processors and other third parties under data processing agreements. These agreements must set out every party's rights and responsibilities under the GDPR.
Third-party processors may process data only according to the controller's instructions and may not use the controller's data for their own benefit. Processors must obtain the controller's approval before sharing data with sub-processors.
The organization only transfers approved data outside the EEA
A controller may share data with a third party outside the EEA only if the following criteria are met:
- The European Commission considers the data privacy laws of the third party's country adequate.
- The European Commission has determined that the third party has adequate data protection policies and controls.
- The controller has taken all necessary steps to protect the transferred data.
Find GDPR compliance solutions
As an organization collects and processes new kinds of data, its GDPR compliance requirements may change.
IBM Security Guardium can simplify GDPR compliance. Guardium can automatically find GDPR-regulated data, enforce compliance rules, monitor data usage, and help organizations respond to data security threats.