GDPR Compliance Checklist

This GDPR Compliance Checklist sets out the key requirements that the General Data Protection Regulation will introduce into EU privacy law on 25 May 2018. The table summarizes the nature of each provision, highlights the most important actions which organizations should take to prepare for compliance, and provides a reference to the relevant Article in the GDPR (these can be cross-referred to in Latham & Watkins' General Data Protection Regulation at a Glance).

The GDPR will apply to companies processing personal data in the context of an EU establishment, companies offering goods or services to EU residents and companies that monitor the behavior of EU residents. The changes brought in by the GDPR are wide-reaching and a number of functions within many organizations will be affected, from marketing to security and, of course, legal and compliance. This checklist aims to identify, below, the stakeholders which will need to be involved in each set of actions:

Legal
Compliance
HR
IT & Information Services
Insurance
Security
Procurement
Marketing and Customer Relations
PR & Comms

This table has been created with a B2C company in mind, i.e. a company obtaining, processing and storing quantities of consumer data. If an organization is B2B, while there may be certain areas where the obligations are slightly less onerous (and are less likely to require marketing and customer relations involvement), many of the requirements will still stand.

Contacts
Gail Crawford, Partner, +44.20.7710.3001, gail.crawford@lw.com
Fiona Maclean, Senior Associate, +44.20.7710.1822, fiona.maclean@lw.com
Lore Leitner, Senior Associate, +44.20.7710.4785, lore.leitner@lw.com

Governance
Action(s) / Deliverable(s):
- Document your Privacy Governance Model, e.g. with clear roles and responsibilities and reporting lines, to embed privacy compliance into the organization
- Consider whether a statutory DPO is required
- If no EU presence, appoint a local representative
- Develop and roll out training across all personnel
- Review insurance coverage and consider whether it needs to be updated in light of the higher fines and penalties under the GDPR
Description of GDPR Requirement: One of the underlying principles of the GDPR is to ensure that organizations place data governance at the heart of what they do. As a result, the GDPR introduces a number of requirements to ensure that compliance is a serious focus for companies. Within the organization, it is important to raise awareness of privacy issues to embed privacy compliance into the mind-set of employees so that the business is proactive, not reactive.
Applicable GDPR Article(s): 5, 27, 37-39

Accountability
Action(s) / Deliverable(s):
- Implement a global overarching data protection policy, which brings together all underlying related policies including processes for privacy by design and the creation and maintenance of a record of processing activities (see Record of Processing below)
- Integrate privacy compliance into the audit framework
Description of GDPR Requirement: One of the threads which runs through the GDPR is the requirement for organizations to have documentation to be able to demonstrate how they comply with the GDPR. Compliance should be integrated within the audit framework to ensure policies, processes and controls are working.
Applicable GDPR Article(s): 5, 24, 25, 30

Fair Processing and Consent
Action(s) / Deliverable(s):
- Review your existing grounds for lawful processing and confirm that these will still be sufficient under the GDPR, e.g. can you still rely on consent given the new requirements?
- Consider whether your organization is processing any sensitive personal data and ensure the requirements for processing such data are satisfied
- Where consent is relied upon as the ground for processing personal data, review existing consents to ensure they meet the GDPR requirements, and if not, implement a process to seek new consents
- Ensure systems can accommodate withdrawal of consent
- Consider whether the specific requirements relating to consent from children apply to your organization (see Children)
Description of GDPR Requirement: In order to lawfully process personal data, one of the conditions of processing, as set forth in the GDPR, must be satisfied. While the grounds for processing are broadly the same as those set out in the current Data Privacy Directive, the GDPR imposes new requirements to gain valid consent. Consent can be withdrawn at any time and systems must be able to handle withdrawal requests. Under the GDPR, privacy notices must state the processing ground relied upon and, if relying on legitimate interests, state the nature of the legitimate interest.
Applicable GDPR Article(s): 5, 6, 7, 9, 10, 85-91

Notices / Vetting - HR
Action(s) / Deliverable(s):
- Review and update, where necessary, employee notices to be GDPR compliant
- If you currently conduct criminal records checks, review national laws to ensure you can continue to do so
Description of GDPR Requirement: There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Employees must be adequately informed of all data processing activities and data transfers, and the information set out in Articles 13 to 14 must be provided. Criminal records can no longer be processed unless authorized by member state law.
Applicable GDPR Article(s): 10, 12-14

Notices - Customers
Action(s) / Deliverable(s):
- Review and update, where necessary, customer notices to be GDPR compliant
- Consider whether your notices have to accommodate child-friendly requirements (see Children)
Description of GDPR Requirement: There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Customers must be adequately informed of all data processing activities and data transfers, and the information set out in Articles 13 to 14 must be provided. Notices must also be compliant with the new consent requirements where relying on consent as your lawful ground of processing.
Applicable GDPR Article(s): 12-14

Children
Action(s) / Deliverable(s):
- Identify whether you process personal data of children
- Seek local counsel advice regarding applicable local law restrictions, codes and guidance
- If data relating to a child will be processed, ensure that notices directed at that child are child-friendly and, if consent is relied upon, that you have implemented a mechanism to seek parental consent
- Consider alternative protections, e.g. age-gating
Description of GDPR Requirement: The GDPR requires parental consent for the processing of data related to information society services offered to a child (ranging from 13 to 16 years old depending on member state). The GDPR leaves a lot to the discretion of the member states as to how children must be treated under this provision.
Applicable GDPR Article(s): 8, 12

Data Subject Rights and Procedures
Action(s) / Deliverable(s):
- Update the data privacy policy and internal processes for dealing with requests
- Ensure technical and operational processes are in place to ensure data subjects' rights can be met, e.g. the right to be forgotten, data portability and the right to object (see Governance and Accountability)
Description of GDPR Requirement: Data subjects are given more extensive rights under the GDPR. The current rights to request access to data or require it to be rectified or deleted have been expanded to include a much broader right to require deletion ("the right to be forgotten") and a right not just to access your data but to have it provided to you in a machine-readable format ("data portability"). Versions of the existing right to object to any processing undertaken on the basis of legitimate interests or for direct marketing, and the right not to be subject to a decision based on automated processing, are also included and expressly refer to a right to object to profiling. These must be clearly communicated in the notices given to data subjects, e.g. the privacy policy.
Applicable GDPR Article(s): 16, 17, 18, 19, 20, 21, 22, 23

Record of Processing
Action(s) / Deliverable(s):
- Identify all data processed in a detailed Record of Processing
- Implement and maintain processes for updating and maintaining the Record of Processing
Description of GDPR Requirement: The GDPR requires organizations to maintain a detailed record of all processing activities, including purposes of processing, a description of categories of data, security measures, a comprehensive data flow map, etc. A number of stakeholders will need to be involved in creating and maintaining this data record.
Applicable GDPR Article(s): 30

Privacy by Design and Default
Action(s) / Deliverable(s):
- Ensure processes are in place to embed privacy by design into projects (e.g. technical and organizational measures are in place to ensure data minimization, purpose limitation and security)
- Put in place a privacy impact assessment protocol for when new projects using data are being considered
Description of GDPR Requirement: In keeping with the GDPR's objective of bringing privacy considerations to the forefront of organizations' decision making, the GDPR requires data protection requirements to be considered when new technologies are designed or onboarded. Privacy impact assessments should be used to ensure compliance; these are required for projects that involve processing, on a large scale, of sensitive personal data or criminal convictions, monitoring of a public area, or systematic and extensive evaluation by automated means including profiling.
Applicable GDPR Article(s): 25, 35, 36

Compliant Contracting and Procurement
Action(s) / Deliverable(s):
- Develop compliant contract wording for customer agreements and third-party vendor agreements
- Identify all contracts that require relevant contract wording, prioritize and develop a process for amending them
- Ensure the procurement process has controls to ensure privacy by design (e.g. security diligence, data minimization, visibility of onward data flows)
Description of GDPR Requirement: Procurement processes and vendor contracts will need to be updated to ensure they reflect the new GDPR requirements and flow down obligations which must be complied with by parties processing European personal data on your behalf.
Applicable GDPR Article(s): N/A

Data Breach Procedures
Action(s) / Deliverable(s):
- Review and update (or develop where not in existence) a Data Breach Response Plan
- Review insurance coverage for data breaches and consider whether it needs to be updated in light of the higher fines and penalties under the GDPR
- Review liability provisions in agreements for breaches caused by service providers and other partners
Description of GDPR Requirement: The GDPR introduces a new data breach notification regime. The process requires organizations to act quickly, mitigate losses and, where mandatory notification thresholds are met, notify regulators and affected data subjects.
Applicable GDPR Article(s): 32-34

Data Export
Action(s) / Deliverable(s):
- Identify all cross-border data flows and review data export mechanisms
- Update cross-border mechanisms if necessary
Description of GDPR Requirement: The GDPR only permits exports of data to entities of its group and third-party vendors outside the European Economic Area if the country in which the recipient of such data is established offers an adequate level of protection.
Applicable GDPR Article(s): 44-50