The Ultimate GDPR Compliance Checklist
May 24, 2018
by Ohad Hagai
The European Union (EU) General Data Protection Regulation (GDPR) is now a reality. The scope of these regulations, effective May 25, are proving to be overwhelming for more and more businesses across the globe.
Organizations are adopting different strategies to cope with the challenges presented by the GDPR, some more aggressive than others. One such strategy is the blocking of European Union (EU) based users completely. On the other hand, companies such as Unroll.me and Verve have announced that they are shutting down their operations due to operational and technical constraints.
Meanwhile, online publishers are also in a rush to patch up all open privacy issues, especially in their Ad Tech and MarTech stacks. These stacks have evolved and ballooned in part due to the monetary and performance advantages they introduce. However, they can also negatively impact your GDPR compliance.
A Brief Introduction to GDPR
While the GDPR has already taken effect, proper understanding is still lacking. For starters, it’s important to know the reach of these regulations. The GDPR requires online domains and all web entities to apply a series of user privacy enhancing actions while interacting with EU customers based in Europe.
- Working with personal data as defined in the GDPR
- Proving clear and affirmative consent to process personal data
- Appointing a Data Protection Officer (DPO) to monitor activities
- Giving the EU-based customers an option to be “forgotten” if they choose to
The legal consequences of not complying with GDPR are clearly defined. Companies in violation of the GDPR may be fined between 2% to 4% of their annual global turnover or up €20 million, whichever is higher. Frequent GDPR violations can raise the level of legal penalties to the €40 million range.
GDPR also requires you to perform mandatory Privacy Impact Assessments (PIAs), also known as Data Protection Impact Assessments (DPIAs). These are systematic processes that have been created for data controllers to assess privacy risks created by the collection and processing of sensitive PII data.
The GDPR Compliance Checklist
The GDPR is a complex 11 chaptered document with 99 articles covering a wide range of user privacy aspects. These regulations can be hard to interpret, which is where our checklist enters the picture. This checklist highlights and lays out the points that you must address to achieve GDPR compliance.
You can get your GDPR checklist now by entering your email below. However, we strongly recommend going through the overview in this article to familiarise yourself with the issues that can negatively affect your user privacy standards and learn more about GDPR compliance requirements.
Get your GDPR Checklist Now:
Thanks for subscribing!
1. Data Privacy Impact Assessment (DPIA)
In a nutshell, DPIA is a risk management process. It helps map and analyze the privacy risks your operations create, eventually enabling you to come up with an optimization plan. Online publishers, who are now defined as data controllers and are fully responsible for GDPR breaches, can benefit a lot from DPIAs.
A. Identify the privacy risks and Evaluate Privacy Solutions
Your first challenge is to map the data collection points where you are collecting Personally Identifiable Information (PII) data from your customers and identify the privacy risks that arise while processing them. Data controllers should pay extra attention to PII data that is processed by third party services.
Furthermore, these third party services often use fourth and fifth party services to enhance performance and functionality. However, these fourth and fifth party services may also be accessing your data and possibly impacting your GDPR compliance without your knowledge or permission.
B. Record the DPIA results and Integrate Them Into the Project Plan
After understanding the privacy challenges within the ecosystem, the data controller must record all findings. Your next step should be the implementation of required mechanisms for enforcing PII data protection. Furthermore, the selected solutions need to be demonstrated to prove GDPR compliance.
C. Collaborate with Internal and External Stakeholders
Data controllers not only carry full responsibility for GDPR breaches, they also have to report PII data leak incidents within 72 hours. In other words, online publishers need to know what exactly the third party vendors are doing with their customers’ PII data and how exactly it’s being processed.
This collaboration is vital for achieving GDPR compliance.As per the GDPR, online publishers must check the impact of data processors on their customers’ PII data before implementing them. Click To Tweet
2. Policies and Procedures
According to Article 35 in the GDPR, a PII data processing entity using new technologies is very likely to jeopardize the privacy of its users. In other words, digital publishers are considered to be high risk entities. This is where the legal teams of online publishers need to step in, especially before DPIAs.
Mandatory documents to enforce GDPR compliance include the following:
- Personal Data Protection Policy (Article 24) – a top-level document for managing privacy in your company, which defines what you want to achieve and how.
- Privacy Notice (Articles 12, 13, and 14) – this document explains in simple words how you will process personal data of your customers, website visitors, and others. Its recommended to publish this in your website for optimal transparency.
- Data Retention Schedule (Article 30) – lists all points of PII data collections and describes how long each type of data will be kept/stored.
- Data Retention Policy (Articles 5, 13, 17, and 30) – it describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed after the processing is completed.
- Data Subject Consent Form (Articles 6, 7, and 9) – this is the most common way to obtain consent from data subjects to process their personal data.
- Parental Consent Form (Article 8) – if the data subject is a minor below the age of 16 years, then a parent needs to provide the consent for processing his personal data. GDPR treats the breach of this protocol very seriously.
- DPIA Register (Article 35) – this is where all the results from your Data Protection Impact Assessment (DPIA) will be saved after being recorded and analyzed.
The GDPR breach procedure needs to be clearly defined to avoid reporting delays. When a PII data leak is detected, the data controller needs to record the event in the Data Breach Register (Article 33). There is also a requirement to notify the relevant Supervisory Authority about the incident, while also ofiicially updating the affected customers (Article 33 and 34).
3. Notices and Consent
Data controllers need to make sure that that have user consent to collect personal data. The online publisher needs to be able to demonstrate that the data subject has consented to processing of his or her personal data, ideally via an intelligible and easily accessible form, using clear language. Furthermore, users now have the right to withdraw their consent at any time.
The use of Consent Management Platforms (CMPs) has become very common today. A CMP is basically a technical infrastructure used to collect and store what data customers have consented to be used. The CMP then feeds that information to other selected partners in the digital ad supply chain. This enables everyone to understand what data they may use and for what purpose.
4. Employee Training
Organizations must generate employee awareness for key GDPR requirements, and conduct regular training sessions (with periodic evaluations) to ensure that employees remain aware of their responsibilities with regards to the protection of PII data and detection of personal data breaches .
Not doing so can result in serious data breaches that can cripple your business.
You must identify what techniques (games, rewards, etc) trigger the best response from your staff and incorporate them into your GDPR training program. A GDPR awareness programme should be a dynamic process that is updated regularly and repeated when staff-related data breach incidents occur.
5. Data Retention Policy
The GDPR has introduced laws that will significantly tighten the PII data storage limitations. It is even illegal for data processing to be excessive in relation to the purpose it serves. Specific time limits have be set for PII data processing and reviewing, while the handling of personal data must remain explicit and transparent at all times.
You must also make sure that all third party vendors are encrypting the data before and after it is processed or transmitted to fourth and fifth party providers.
6. Personal Data Collecting and Processing
First and foremost, the data controller should appoint a Data Protection Officer (DPO) when there are significant amounts of DII data being collected and processed. Online publishers definitely belong to this category. The DPO has the responsibility of advising the company about GDPR compliance and monitoring all activities from the legal standpoint.
Special attention needs to be given to PII data collection (and documentation) from kids below the age of 16. With more and more kids surfing the web and using your services, parental consent will be required before collecting their personal information. Consent requests need to be clear and easy-to-understand.While the GDPR requires parental consent for kids until the age of 16, some nations plan to make a provision to lower the age limit to 13. Click To Tweet
Remember, GDPR Doesn’t End With Just One Audit
A good GDPR audit doesn’t mean you will stay compliant in the long run. Third party vendors are a big risk factor despite the benefits they bring to online publishers. Vendors often make code changes that alter the way your PII data is processed or stored, making you a potential GDPR violator.
Although there are several ways to determine which services are running on your site, not all of them will highlight the fourth and fifth party dependencies. A proper GDPR audit should go beyond first party software on your website and also inspect all third party services in your Tech Stacks throughly.
All in all, the GDPR requires online publishers to stay on the top of things, especially with third party services in their Ad Tech and MarTech stacks.
Legal Disclaimer This document does not cover every regulation and does not represent legal interpretation on corporate regulation and policy. While efforts have been made to ensure maximum accuracy, this document is not a substitute for any regulation or intended to provide legal advice. Only the regulation and its official interpretations can provide complete and definitive information regarding requirements. This document does not bind Namogoo and does not create any rights, benefits, or defenses, substantive or procedural, that are enforceable by any party in any manner.