19 October 2017
Blog

GDPR Checklist: a guide to compliance

From 25 May 2018 the GDPR (General Data Protection Regulation) applies throughout the EU. When an organisation collects personal data, the people those data belong to must be able to find out what is held about them and exercise their rights over it. Not complying with the GDPR can be expensive: the highest tier of administrative fines goes up to 4 percent of total worldwide annual turnover or 20 million euro, whichever is higher. How can your organisation manage these changes? Read all about it in this GDPR checklist!

Inform & document

Inform your employees about the changes the GDPR brings. Also make an inventory of your data. What personal data does your organisation collect? Where is it collected, where is it stored, and who has access to it? Create an overview. This also applies to data you collected in the past. An audit gives the organisation insight into all the personal data it holds and how each set is processed, and is the basis for every other item on this checklist.

Register of Processing Activities & data breach notification

One of the changes that comes with the GDPR is the obligation to keep a record of processing activities (Article 30). In it you document every processing of personal data: the purpose, the categories of data and data subjects, the recipients, any transfers outside the EU, retention periods and the security measures applied. Organisations with fewer than 250 employees are exempt only if the processing is occasional, carries no risk to individuals and involves no special categories of data, so in practice most businesses need the register. Every personal data breach must also be documented internally, including the breaches that do not have to be reported. When a breach is likely to result in a risk to the people concerned, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; when the risk is high, the affected individuals must be informed as well. Put a procedure in place to detect data breaches, to assess them, to report them and to investigate them, and test it before you need it.

Privacy statement

As an organisation, make sure you have a privacy statement in place. It has to be written in clear and plain language. If you already have a privacy statement, make sure it is up to date. When the GDPR takes effect, you will have to add extra information to it. You will, for example, be required to state the legal basis for each processing, the retention period, the rights of the data subject and the contact details of your Data Protection Officer if you have one. When you transfer data outside the EU, the privacy statement must say so and name the safeguard (such as an adequacy decision or standard contractual clauses) that covers the transfer.

Personal data & data subject’s rights

The term ‘personal data’ covers considerably more than a name and address once the GDPR takes effect. Take for instance someone’s handwriting, voice, IP address or device identifier. Any information that can be linked, directly or indirectly, to an identifiable person counts. You may only collect and store the personal data you really need for a stated purpose (data minimisation). When you no longer need certain personal data, you are not allowed to keep it (storage limitation), so define retention periods and enforce them.

Someone whose personal data are being processed is called a data subject. The data subject’s rights gain importance under the GDPR: the individual whose personal data you process can invoke a number of additional rights, and as a business you have to make sure that these rights can actually be exercised. This means, for instance, that you have to give data subjects access to the data you hold about them and enable them to have it corrected or, in certain cases, deleted; they can also ask for a copy in a machine-readable format (data portability) and restrict further processing while a dispute is open. Data subjects must be able to object at any time to direct marketing such as newsletters, and such an objection must be honoured immediately. Under the GDPR you also have to respond to requests more quickly than before. Take the deletion of personal data, for example: the request has to be handled without undue delay and in any event within one month, which may be extended by two further months for complex or numerous requests provided you tell the individual within the first month. Make sure you can find all copies of a person’s data, including backups and data handed to processors, or you cannot honour a deletion request.

Consent

The new rules also tighten what counts as consent, for example for a subscription to a newsletter. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: a pre-ticked box, silence or continued use of a website is not consent. For special categories of data (health, religion, biometrics and the like) explicit consent is required. Consent must be as easy to withdraw as it was to give. This will reduce the intrusiveness of cases such as unwanted newsletters.

You have to be able to demonstrate at all times that the data subject gave consent, for what purpose, when, and what they were shown at the time. Make sure you have an audit trail: record each consent and each withdrawal with a timestamp, the purpose, the version of the privacy statement in force, the channel through which it was captured and the wording the person agreed to, and protect that record against later alteration.
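The following is an added illustration of such a consent audit trail and is not code from the original article or from Eshgro. It keeps an append-only log of consent events, each carrying the fields listed above plus the SHA-256 hash of the previous event, so that any later edit of a record breaks the chain and is detectable. The record layout, field names and the sample subject identifiers are assumptions made for this example.

```python
"""Append-only consent log with a hash chain (added example; field names are assumed)."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the very first event


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str         # pseudonymous identifier of the data subject
    purpose: str            # consent is per purpose, e.g. "newsletter"
    action: str             # "given" or "withdrawn"
    timestamp: str          # ISO 8601 in UTC with "+00:00", so string order == time order
    statement_version: str  # version of the privacy statement shown at the time
    source: str             # channel through which consent was captured
    evidence: str           # the exact wording the person agreed to
    prev_hash: str          # hash of the previous event (tamper evidence)
    hash: str = ""          # SHA-256 over all fields above


def _digest(body: dict) -> str:
    # Canonical JSON so that the same fields always hash to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class ConsentLog:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, action: str, timestamp: str,
               statement_version: str, source: str, evidence: str) -> ConsentEvent:
        if action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        prev = self._events[-1].hash if self._events else GENESIS
        body = dict(subject_id=subject_id, purpose=purpose, action=action,
                    timestamp=timestamp, statement_version=statement_version,
                    source=source, evidence=evidence, prev_hash=prev)
        event = ConsentEvent(**body, hash=_digest(body))
        self._events.append(event)
        return event

    def verify_chain(self) -> bool:
        """True if every event's hash matches its content and links to its predecessor."""
        prev = GENESIS
        for event in self._events:
            body = {k: v for k, v in asdict(event).items() if k != "hash"}
            if event.prev_hash != prev or _digest(body) != event.hash:
                return False
            prev = event.hash
        return True

    def consent_status(self, subject_id: str, purpose: str,
                       at: Optional[str] = None) -> Optional[ConsentEvent]:
        """Return the consent event in force for (subject, purpose) at time `at`
        (default: now), or None if consent was never given or has been withdrawn."""
        latest = None
        for event in self._events:
            if event.subject_id != subject_id or event.purpose != purpose:
                continue
            if at is not None and event.timestamp > at:
                continue
            latest = event
        return latest if latest is not None and latest.action == "given" else None

    def tamper_for_demo(self, index: int, **changes) -> None:
        """Simulate an attacker or careless admin editing a stored record in place."""
        self._events[index] = replace(self._events[index], **changes)


def build_sample_log() -> ConsentLog:
    """Constructed sample data for the example: one subscriber who later unsubscribes."""
    log = ConsentLog()
    log.record("subj-0001", "newsletter", "given", "2018-05-25T09:00:00+00:00",
               "2018-05", "web-form /signup",
               "Yes, send me the monthly newsletter (you can unsubscribe at any time).")
    log.record("subj-0001", "newsletter", "withdrawn", "2018-06-01T12:00:00+00:00",
               "2018-05", "unsubscribe-link", "Unsubscribe me from the newsletter.")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("consent now:", log.consent_status("subj-0001", "newsletter"))
    print("consent on 30 May:", log.consent_status("subj-0001", "newsletter",
                                                    at="2018-05-30T00:00:00+00:00"))
    print("chain intact:", log.verify_chain())
```

The lookup answers the question a marketing system must ask before every send ("did this person consent to this purpose, and have they withdrawn since?"), and the chain check is what you run when an auditor or a data subject disputes the record.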

Data Protection Officer

Appointing a Data Protection Officer (DPO) is mandatory for public authorities, for organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities consist of large-scale processing of special categories of data or data on criminal convictions. The DPO can be someone from within the organisation or an external advisor, must be able to act independently and reports to the highest level of management. The Data Protection Officer monitors whether the rules are complied with within the organisation and is the contact point for the supervisory authority. If it is not entirely clear whether you need to appoint a DPO, document the reasoning behind your decision either way, because you may be asked to substantiate it.

Teaming up with Eshgro means you can rest assured that you are using a GDPR-compliant cloud service, whether you are a business IT user or a service provider yourself. Do you have any questions about the GDPR? Contact us and discover how we at Eshgro help you to meet GDPR requirements and leverage cloud to grow your business.

White Paper GDPR – Prepare for the road to compliance

Starting 25 May 2018, any business in the European Economic Area (EEA) that processes personal data has to comply with the GDPR. The regulation replaces the Data Protection Directive (95/46/EC) and the national laws that implemented it. The GDPR sets out the requirements that have to be met when processing personal data. With the new regulation the EU wants to give its citizens back control over their personal data. The conditions are strict and the GDPR is binding. Violations can be heavily penalised, with fines of up to €20,000,000 or 4% of annual worldwide turnover, whichever is higher. Plenty of reasons to take this seriously.

Download White Paper GDPR