European Union’s General Data Protection Regulation (GDPR) To-Do List
1. Prepare a data map, which is a report on what personal data the company processes throughout its organization, where that data flows throughout the organization, where it is stored, who within the organization is responsible for it, what it is used for, and with whom is it shared. This includes both personal data of the company’s employees and other personnel, as well as personal data of customers, clients, client representatives and other data subjects. The data map should also identify any “special categories” of personal data that are processed by the company.
a) Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation and data relating to criminal convictions or offences.
2. Determine whether the company is required to appoint a data protection officer. Either way, appoint an individual to be in charge of data privacy compliance within the company.
3. Decide how the company will receive and process data subjects’ requests to:
a) receive a portable copy of the personal data that the company has about them,
b) make changes to the personal data that the company has about them,
c) opt out of automated decision making by the company, and
d) request that the company delete the personal data that it has about them
These requests can be made by employees/personnel or by other data subjects.
Determine whether requests will be handled manually or by automated means.
Determine what the contact points will be for data subjects to make these requests.
If request will be processed manually, determine who will process these requests and how this will be done.
If requests are to be processed by automated means, develop code for receipt and automation of these requests.
4. Determine whether the company engages in data processing activities that warrant privacy impact assessments. If so, create a template and process for privacy impact assessments and perform privacy impact assessment as needed. Also derive a process such that future rollouts which warrant privacy impact assessment will be identified so that a privacy impact assessment will be done.
5. Update and/or prepare privacy notices to company personnel, customers, clients and other data subjects about whom the company processes personal data.
6. Decide what is your legitimate purpose (among the options afforded by the GDPR) for your data processing activities in each case. In many cases it will be for the purpose of performing under an agreement with the data subject. This is the case for employees and customers with whom the company has agreements. To the extent that consent of the data subject is being relied on, review the method of obtaining that consent to see that it complies with the GDPR’s requirements for consent.
7. Document the company’s information security program and its security incident response program.
8. Determine which member state the company desires to identify as its “one-stop shop” data protection authority. Determine whether registration requirements apply in that member state. If registration is required, register as required.
9. Inventory company vendors and service providers that process personal data on behalf of the company. Check existing contracts to see whether GDPR-style provisions are included. If not, seek addendum to be signed by vendor or service provider. In addition to binding them contractually, also put in place a process for vetting vendors’ and service providers’ data protection practices. Vendors and service providers can be bucketed into priority categories based on how much personal data they process, the nature of the data they process, and the extent to which they process it.
10. Determine how the company legitimizes exporting personal data from Europe under the existing Personal Data Directive. Model contracts? Privacy Shield? Binding corporate rules? Another means? Depending on what is already in place, determine how the company will legitimize exporting the data from Europe under the GDPR.
11. Review or prepare a record retention policy for compliance with the GDPR’s requirements on how long personal data can be retained and under what circumstances it must be deleted or de-identified.
12. Check the company’s existing employee training modules to see if they cover what is required under GDPR. If not, add content as necessary.
13. Determine what direct marketing the company engages in. Review extent to which consents are obtained for direct marketing. Consent is required in some but not all circumstances. Train personnel who are involved in direct marketing.
14. Decide how the company will document its data processing activities now and going forward.