GDPR Compliance – A Quick Checklist 

The General Data Protection Regulation GDPR, a product of the European Union Data Protection Reform, is the strict privacy standards put into effect on May 25, 2018, aimed to protect the personal data of all people in the European Union. 

What is Personal Data? 

Personal data is any information that relates to a living person. This includes financial information and addresses, and even evaluations relating to the behavior patterns of a person. Personal Data could also include images, video, audio, numerals, and words. 

Who Does the GDPR Apply to? 

The GDPR impacts any organization that offers goods and/or services to people in the European Union, this includes entities that are not located in the EU. Additionally, all online businesses should be GDPR compliant as a protective measure, in case people who transact with this company are in the EU. 

Personal Data is used by Data Controllers and Data Processors.  

A Data Controller is an individual, public authority, agency, or other body that decides what to do with the data collected. A Data Processor processes personal data on behalf of the controller. For example, if a software company hires a marketer for an upcoming email campaign. The marketer is given the names and email addresses of leads to whom he or she will send the email campaign. Here, the software company is the controller, and the marketer is the processor. 

Both the Data Controller and the Data Processor must be GDPR compliant because they are both handling personal data. 

How to become GDPR Compliant? 

There are 9 key points to consider that will help businesses assess their current GDPR compliance status and reform their data handling practices to become more compliant. 

1. Map the data you collect 

If you don’t know how personal data moves through your internal systems, you don’t know how it is controlled. Below is an example of a software company 

Source 

• Software Sign-up Form 

Data collected 

• Full name. 
• Email address. 
• Company name 

Reason for data collection 

• Collecting Marketing Leads 

Consider the below questions; 

How is collected data processed? 

• Stored in the HubSpot database. 

• Accessed by internal email marketers. 

When is the data disposed of? 

• Users who unsubscribe are automatically removed from the database 

Do you have consent to collect this data? 

• Yes, users who sign up are informed of our terms and conditions. 

Does the collected data include sensitive information? 

• Yes, full names and associated email addresses. 

2. Appoint a Data Protection Officer 

Both controllers and processors must appoint a Data Protection Officer (DPO) to oversee the data protection strategy. Appointing a DPO is essential in any of the below cases; 

• If data is processed by a public authority 
• If collected data undergoes systematic monitoring 
• If collected data is processed at a large scale 
  Note: the GDPR doesn’t define how large “large scale” is, so appoint a DPO to be on the safe side. 

A DPO is responsible for the following duties; 

• Advising controllers and processes of best practices for GDPR compliance  

• Monitoring how data is handled to ensure GDPR compliance 
• Advising about data protection impact assessments 
• Acting as the primary point of contact for all inquiries related to data processing 
• Acting as the primary point of contact between the company and GDPR regulators 
• Having a clear understanding of all the potential risks associated with processing  

Supporting the efforts of the DPO, organizations may want to adopt an attack surface monitoring solution to identify vulnerabilities in processing operations. 

3. Record a GDPR Data Register 

A GDPR diary, or a Data Register, is a comprehensive record of how an organization is practicing GDPR compliance. This would need to be created after identifying all your data sources. A GDPR diary should map the flow of data through your organization, the more details you include the better. In the event of an audit, the GDPR diary will serve as proof of compliance. 

If your organization faces a data breach in the process of instituting a compliance framework, the GDPR diary can be used as proof of progress and efforts towards improved data security. 

Adopting this implementation early demonstrates an organization’s dedication to protecting their customers’ data. 

4. Evaluate Data Collection Requirements 

To be GDPR compliant, you should only collect data that you absolutely need. Don’t accumulate sensitive data without a compelling reason. This will signal the supervisory authority monitoring your compliance. 

All data requirements should go through a Privacy Impact Assessment (IPIA) and a Data Protection Impact Assessment (DPIA). These assessments are mandatory when the data collected is highly sensitive. 

Here are some examples of what would be classified as sensitive data and would require the completion of a DPIA; using new technology, location, behavior, religious views, ethnic origins, political opinions, health, data associated with children, automated decisions that have legal consequences, monitoring publicly accessible areas, etc. 

Use this DPIA template as a guide for your assessment. 

5. Report Data Breaches Instantly 

Immediate data breach notification is a mandatory GDPR requirement. This, more specifically, means within 72 hours of the breach. 

First, Processors report the data breach to the Controller, who, in turn, reports to a supervisory authority.  

The supervisory authority, also known as Data Protection Association or (DPA), monitors and enforces GDPR compliance. They’re also the primary contact for any GDPR inquiries. 

Supervisor authorities are usually located in the EU state where an organization is based. The GDPR empowers the supervisory authority to impose non-compliance fines on controllers and processors. 

6. Assess Data Collected Motives 

Customers need to be specifically informed of the data you’re collecting. If you’re not being transparent about when and what you’re collecting, this could lead to non-compliance fines. 

Data collection acknowledgment should be displayed at every point at which data is collected – before any data is collected.  

Here are some ways websites display data collection notifications; 

Website Forms 

Any forms on your website should clearly state how all collected data will be used. Don’t use complex phrasing or technical jargon. Keep your messaging clear and concise. 

Pre-ticked consent boxes are not permitted. Your customers need to know that they’re consenting, and willingly do it themselves. 

Cookie Collection Notices 

Cookies need to be regulated, as the GDPR classifies cookies that identify users as personal data collectors. Organizations may still use cookie data if they meet the requirements below: 

• Clear and Documented consent by the user to the use of cookies before any are used. Consent should also be stored by the organization. 

• Specify how the collected data will be used by your organization. 
• You cannot stop users from accessing your website if they do not consent to cookie use. 
• Provide the ability for users to easily withdraw cookie consent. 

7. Verify Age of all Consenting Users 

The GDPR only permits the processing of personal data for individuals 16 years of age or older. Otherwise, consent must be given by the parent or guardian of the child. 

8. Keep your Privacy Policy updated 

Your Privacy Policy must be up-to-date and readily accessible on your website. When an update to data collection or processing is made, all your users must be informed and notified. Your Privacy Policy should clearly outline all the data collected and how it is used. Legal advice is recommended to create an accurate data Privacy Policy that is GDPR compliant.  Additionally, a double opt-in for email list during sign up is not mandatory but is highly recommended. 

This is an example of the Privacy Policy on the GDPR website 

9. Assess Risks Regularly 

The GDPR expects organizations to be continuously aware of all third party security risks and to be prepared for these risks when the time comes. The key to security is consistently monitoring for vulnerabilities and immediately remediating them. If your organization doesn’t have the resources or expertise, it can be outsourced. 

Check out the GDPR specific risk assessments. 

How Lexzur addresses GDPR 

At Lexzur, we take GDPR compliance very seriously. We believe in protecting the right of individuals to control their personal data and privacy. The team at Lexzur is committed to ensuring that our products and business operations meet GDPR requirements as data controllers and data processors. These details are reflected in our Terms & Conditions. 

Lexzur’s policy acknowledges this responsibility and identifies how personal data is collected and used within its products. Lexzur securely stores data and provides the tools and services needed to help legal teams and legal practitioners meet their responsibilities as data controllers. 

Lexzur protects the data stored within Lexzur products and transmitted from the Lexzur products to guarantee that any data stored by Lexzur users is protected.  

For general information about GDPR Compliance, please visit the Official GDPR Site. 
For more information about how we comply with GDPR, please contact our support via [email protected]