If you are responsible for collecting and handling personal data you will need to understand how the General Data Protection Regulation (GDPR) applies to you, and how to remain compliant with the new law. The following GDPR checklist provides essential guidance on how to comply.
GDPR Checklist
The GDPR is based on the core principles of data protection that existed under the previous law, although it significantly increases the obligations for organisations and businesses in how they collect, use and protect personal data.
At the heart of GDPR is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
The new GDPR data protection regime sets out a total of seven key principles that can be used as a checklist to ensure that you remain compliant.
Principle A: Lawfulness, fairness and transparency
Under the first principle in the GDPR checklist, personal data must be processed lawfully, fairly and in a transparent manner. This requires you to:
a. Identify valid grounds for collecting and using personal data.
b. Use the data in a way that is fair, and not in a way that is unduly detrimental, unexpected or misleading.
c. Be clear, open and honest with individuals from the outset about how you will use their personal data.
In using this GDPR checklist you may want to ask yourself the following questions:
Have we identified an appropriate lawful basis for processing the data?
There are several ways you can lawfully obtain data, including by obtaining an individual’s consent, or to comply with a common law or statutory obligation.
Have we considered how the processing may affect the individuals concerned and can justify any adverse impact?
Fairness means you should only handle personal data in ways that people would reasonably expect and not so as to have an unjustified adverse effect.
Have we been transparent in informing individuals as to who we are, and how and why their personal data will be used?
The GDPR gives individuals a right to be informed at the time you collect their personal data about the collection and use of that data. This right will typically be fulfilled through a GDPR-compliant privacy notice.
Principle B: Purpose limitation
Under the second principle in the GDPR checklist, personal data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
This requires you to:
a. Be clear from the outset about why you are collecting the personal data and what you intend to do with it.
b. Only use the personal data for a new purpose, without more, if it is compatible with your original purpose.
c. Regularly review your processing and, where necessary, update your documentation and privacy information for individuals.
In using this GDPR checklist you may want to ask yourself the following questions:
Have we clearly identified our purpose(s) for processing in our privacy notice?
As previously indicated, the GDPR requires you to set out the reasons for collecting and using personal data within your privacy information. This must be provided in easily accessible and easy to understand language.
Where we plan to use personal data for a new purpose, have we assessed whether this is compatible with our original purpose?
If a new purpose is not compatible with the original purpose, you must obtain the individual’s consent or have an alternative clear basis in law.
Have we recently reviewed, tested and updated our privacy information for individuals?
If you plan to use personal data for a new purpose, you must usually update your privacy notice and communicate these changes to individuals prior to starting any new processing.
Principle C: Data minimisation
Under the third principle in the GDPR checklist, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.
This requires you to:
a. Ensure the personal data you are processing is sufficient to properly fulfil your stated purpose and has a rational link to that purpose.
b. Ensure that you do not hold more personal data than you need for that purpose.
c. Ensure you have in place procedures to periodically review the data you hold, and delete anything you don’t need.
In using this GDPR checklist you may want to ask yourself the following questions:
Have we sufficient personal data to properly fulfil our specified purpose(s)?
What is adequate and relevant will depend on your specified purpose(s) for collecting and using the personal data.
Have we only collected personal data we actually need for those purpose(s)?
You should identify the minimum amount of personal data you need to fulfil your specified purpose(s) and hold that much information, but no more.
Have we recently reviewed the data we hold to see if we still need it?
You should have in place appropriate data minimisation processes to ensure that you only collect and hold the personal data that you need.
Principle D: Accuracy
Under the fourth principle in the GDPR checklist, personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
This requires you to:
a. Take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
b. Consider whether it is necessary to periodically update the information that you hold.
c. Carefully consider any challenges to the accuracy of personal data, and correct or erase data that you discover is incorrect or misleading.
In using this GDPR checklist you may want to ask yourself the following questions:
How do we ensure the accuracy of any personal data we collect?
Where you do not compile personal data using your own resources, you should always record the source of the data so that reasonable steps can be taken to check its accuracy where necessary.
Have we recently reviewed any personal data to see if it needs updating?
If you use the information for a purpose that relies on it remaining current, you should keep it up to date.
Have we procedures in place to enable an individual to challenge the accuracy of their data and to rectify any mistakes?
Under GDPR an individual has the absolute right to have incorrect personal data rectified. It may also be necessary to erase inaccurate information in some cases.
Principle E: Storage limitation
Under the fifth principle in the GDPR checklist, personal data must be kept in a form that permits identification of individuals for no longer than is necessary for the purpose(s) for which the personal data was processed.
This requires you to:
a. Take all reasonable steps to ensure you do not keep personal data for longer than you need it.
b. Consider whether it is necessary to periodically review the information that you hold.
c. Carefully consider any challenges to your retention of data, and erase data that you no longer need.
In using this GDPR checklist you may want to ask yourself the following questions:
Do we know what personal data we hold and why we need it?
You should have procedures in place to determine what information is held and for what purpose, for example, by way of information audit.
Have we recently reviewed what data we hold and whether we still need it?
You should have procedures in place to periodically review what information is held, and delete or anonymise data that is no longer needed. Wherever possible, you must also implement a policy for setting standard retention periods.
Have we procedures in place to enable an individual to challenge the accuracy of their data and to erase data that is no longer needed?
Under GDPR individuals have a right to erasure if you no longer need the data, where you must have in place adequate processes to respond to this type of request.
Principle F: Integrity and confidentiality
Under the sixth principle in the GDPR checklist, personal data must be processed in a manner that ensures appropriate security of that data.
This includes protection against unauthorised or unlawful processing, and accidental loss, destruction or damage, using appropriate technical or organisational measures.
This requires you to:
a. Implement appropriate security measures to protect the personal data you hold.
b. Use appropriate technical and organisational methods to process this data securely.
c. Ensure you have appropriate processes in place to test the effectiveness of your measures.
In using this GDPR checklist you may want to ask yourself the following questions:
Have we undertaken a risk analysis in relation to our processing activities to assess the appropriate level of security needed?
You must implement measures to help prevent data being accidentally or deliberately compromised.
You must also ensure you have procedures in place to detect and report any data breaches, carry out data protection impact assessments for high-risk processing and, where necessary, appoint a data protection officer.
What measures do we have in place to safeguard personal data?
When deciding what measures to implement, you can take into account the state of the art and costs of implementation, although you must ensure a level of security appropriate to the risk.
Do we conduct regular testing and reviews of our security policies and measures to ensure they remain effective?
The GDPR not only requires you to integrate data protection concerns into every aspect of your processing activities, but to regularly review the measures that you have in place to safeguard the personal data that you hold.
Principle G: Accountability
Under the seventh principle in the GDPR checklist, you must demonstrate, and in most cases document, the ways in which you comply with all of the above.
This requires you to:
a. Maintain detailed records on your processing activities.
b. Ensure your documentation is kept up to date.
c. Make these records available to the Information Commissioner’s Office (ICO) on request.
In using this GDPR checklist you may want to ask yourself the following questions:
Have we adequate procedures in place to document our processing activities?
Under GDPR you are required to maintain records on several aspects of your processing activities, including your processing purposes, data sharing and retention of data.
For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.
Do we conduct regular reviews of the personal data we process and update our documentation accordingly?
You must regularly review and, where necessary, update your policies and procedures, keeping a record of these changes. This can also help you to demonstrate compliance with the GDPR and improve data governance.
Are we willing and able to provide copies of our records on request?
It is good practice to document your processing activities in electronic form so you can add, remove and amend information easily. You can also provide this information in an easily accessible format to any individual wanting to see what information is held on them, or to the ICO, on request.
Seek legal advice
The above GDPR checklist is not exhaustive. The new data protection law is extensive and requires careful consideration in relation to all aspects of data processing. For further detailed guidance on how to comply with the GDPR, take advice from a specialist in data protection law.
Author
Gill Laing is a qualified Legal Researcher & Analyst with niche specialisms in Law, Tax, Human Resources, Immigration & Employment Law.
Gill is a Multiple Business Owner and the Managing Director of Prof Services - a Marketing Agency for the Professional Services Sector.
