The European Union’s General Data Protection Regulation (GDPR) took full effect on May 25, 2018. Per its official website, the Regulation spells out rules for protecting EU citizens regarding the processing and movement of their personal data. It also outlines the fundamental rights and freedoms of EU citizens with respect to their personal data. In the event an organization does not comply with GDPR’s requirements, they could incur an administrative fine of up to 20 million EUR or four percent of their total global annual turnover, whichever is higher.

One would think those penalties would be sufficient motivation for organizations to comply with the Regulation. But as it turns out, many organizations are still struggling with their GDPR compliance. Back in July 2018, for instance, TrustArc found that only one in five organizations in the United States, United Kingdom and European Union believed it had achieved compliance with GDPR. The International Association of Privacy Professionals (IAPP) discovered that 50 percent of firms were still non-compliant several months later in December 2018. More than a year after GDPR took effect, RSM learned that nearly a third of EU firms had not yet achieved compliance. The rate was even greater for UK firms at 50 percent through September 2019, per a report from Egress.

Companies clearly need help in complying with GDPR. To that end, a compliance checklist for entities that are actively working to comply with the Regulation is detailed below.

Implement Data Protection by Design

  • Carry out a risk assessment of the data processing operations
    • The risk assessment should include the following elements:
      • A description of the processing operations and of the purpose(s) for those operations, where applicable.
      • An assessment of the proportionality of the processing operations to their intended purposes.
      • An assessment that details the risks to data subjects’ rights and freedoms.
      • The security measures that could help mitigate those risks.
  • Implement security measures that meet the requirements of the Regulation
    • These security controls should accomplish the following:
      • Encrypt and pseudonymize data subjects’ information.
      • Ensure the confidentiality, integrity, availability and resilience of data processing systems and services.
      • Demonstrate the ability to restore the availability and access to personal data following a physical or technical event in a timely manner.
      • Allow for regular testing that evaluates the ability of these measures to secure the information of data subjects.

Consider Appointing a Data Protection Officer (DPO)

  • Recognize when it’s necessary to appoint a DPO under GDPR
    • A DPO must be appointed when any of the following conditions are met:
      • A public authority or body carries out the data processing except in instances when a court executes these duties for judicial purposes.
      • The processing operations require regular and/or systematic monitoring of data subjects on a large scale.
      • The data to be processed consists of special categories of information, per Article 9, or information pertaining to criminal offenses, per Article 10.
  • Instruct the DPO to carry out certain tasks
    • In particular, the DPO should discharge the following duties:
      • Inform and advise the data controller or processor as well as all employees who are involved in the processing.
      • Monitor compliance with the Regulation and with the policies of the data controller or processor.
      • Advise on the crafting of a data protection impact assessment and monitor its performance.
      • Cooperate with the relevant supervisory authority.
      • Act as the point of contact for the controller or processor to the supervisory authority.

Uphold Responsibility Following a Data Breach

  • Individually notify data subjects of a data breach
    • Data controllers or processors should not waste any time in issuing this notification in the event the data breach carries high risks to the data subjects’ rights and freedoms, as identified under the Regulation.
    • Data processors or controllers should use plain language to clearly communicate the effects of a data breach.
    • Recognize that individual communication is not necessary if any of the following conditions are met:
      • The data controller or processor already applied security measures, especially encryption, to the pieces of information affected by the breach.
      • The data controller or processor took additional measures following its discovery of the data breach to limit its risks.
      • It’s more effective for the data controller or processor to notify all potentially affected data subjects about the breach via a dedicated website or other public forms of communication.

Contemplate Obtaining Certification of Your GDPR Compliance

  • Pursue a compliance certification program by doing the following:
    • Submit all information and necessary access surrounding its processing activities to the certification body, as referred to in Article 43, or the supervisory authority, where appropriate.
    • Understand that certification will last a maximum time period of three years.
      • They will be able to renew their certification if they continue to meet the same conditions for certification of compliance.

Streamlining Your Organization’s GDPR Compliance Efforts

As the above checklist helps to demonstrate, organizations have a lot to consider when it comes to achieving compliance with GDPR. That’s why organizations would be best served by building a GDPR compliance program with the help of a trusted partner. Learn how ITEGRITI can help your organization get started on its path to GDPR compliance by clicking here.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of ITEGRITI, Inc.