The benchmark for ensuring that your business complies with privacy and security laws is the General Data Protection Regulation (GDPR). However, very few organisations are fully compliant, which could leave them wide open to enforcement action.
Non-compliant organisations could face fines of up to £18 million or 4% of annual global turnover, whichever is the greater sum. With that sobering figure in mind, let’s take a closer look at GDPR compliance and the checklist it provides to help organisations remain compliant.
The General Data Protection Regulation (GDPR)
The GDPR is the European Union’s data protection reform put into effect on May 25, 2018. This robust cybersecurity framework is aimed at protecting the personal data of those residing in the European Union. Fundamentally, it is an update of the 1950 European Convention on Human Rights, bringing it up-to-date to account for the digital age.
Without an enforced standard like the GDPR, people can never be sure that their privacy is protected. Let’s take a closer look at GDPR compliance.
What is considered personal data under GDPR?
According to Article 4 of the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Who does GDPR apply to?
The GDPR applies to:
- a company or entity that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed;
- a company established outside the EU that offers goods or services (paid or free) to individuals in the EU, or that monitors the behaviour of individuals in the EU.
If your company is a small or medium-sized enterprise (SME) that processes personal data as described above, you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals, then some GDPR obligations will not apply to you – for example, the appointment of a Data Protection Officer (DPO). Note that ‘core activities’ include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities.
Data controllers and processors
According to GDPREU, GDPR has sparked the debate about whether certain organisations are generally data controllers or data processors. Understanding the difference between data controllers and processors is vital for GDPR compliance.
Since GDPR came into force in May 2018, controllers have had specific obligations. In addition, processors have legal obligations of their own. This is a major difference from the original DPD (Data Protection Directive) legislation of 1995.
Under GDPR, the ICO and other supervisory powers can prosecute processors and controllers for any breaches. There are also specific requirements for joint controllers under GDPR.
There is a clear difference between a ‘data controller’ and a ‘data processor’ according to the GDPR.
The regulation recognises that not all organisations involved in the processing of personal data have an equal level of responsibility. The definitions of controllers and processors according to the GDPR are as follows:
Data Controller – A legal or natural person, agency, public authority, or any other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data Processor – A legal or natural person, agency, public authority, or any other body which processes personal data on behalf of a data controller.
If you are classed as a data controller or a data processor, you are responsible for ensuring that you comply with the GDPR and demonstrate compliance with the regulation’s data protection principles.
Data processors do not have the same level of GDPR compliance responsibilities. However, they should still take appropriate organisational and technical measures to ensure that any processing they carry out is done in line with the GDPR.
GDPR compliance checklist for 2022
The following GDPR compliance checklist will help organisations of all sizes assess their current compliance status and identify processes that need reform.
- Awareness of all of the data being collected
Awareness of all data being collected by your organisation is key. If you’re not sure how data flows through your systems, then it is unclear how it is being controlled. Here’s a simple seven-step process for mapping all data sources:
  - What data is collected?
  - Why is the data collected?
  - How is the collected data processed?
  - When is the data disposed of?
  - Do you have consent to collect the data?
  - Does the data include sensitive data?
- Appoint a Data Protection Officer (DPO)
The GDPR states that both controllers and processors must appoint a Data Protection Officer (DPO) to oversee the data protection strategy.
- Keep a GDPR diary
By keeping a GDPR diary, or Data Register, an organisation is able to maintain a comprehensive record demonstrating how it is practising GDPR compliance.
- Evaluate your data collection requirements
To ensure GDPR compliance, you should only be collecting data that is needed. All data requirements should be scrutinised through a Data Protection Impact Assessment (DPIA) and a Privacy Impact Assessment (PIA).
- Report data breaches
A mandatory GDPR requirement is to report data breaches promptly. According to Article 33 of the GDPR, data breaches must be reported within 72 hours.
- Be transparent over data collection motives
All customers must be made aware of the data being collected about them. This must be made clear at every data collection point before the data is collected.
- Verify the age of all users
The GDPR only permits personal data processing on the basis of consent for those of at least 16 years of age. Permission from a parent or guardian must be granted for anyone under that age.
- Include a double opt-in for all new email sign-ups
A double opt-in process for all new sign-ups is mandatory. Double opt-in ensures that a person is not added to an email list until they have confirmed their consent a second time.
- Assess all third-party risks
The GDPR requires that all organisations remain continuously aware of their security risks and have remediation measures ready to go. We have previously explored the benefits of GDPR compliance in relation to third-party risks.
RiskXchange and GDPR compliance
RiskXchange provides a simple, automated and centralised risk management solution that enables organisations to manage their own cyber risk score as well as ensuring their suppliers and third-party partners meet GDPR compliance requirements. Under the GDPR and UK-specific data protection regulations, companies are responsible for personal data shared with their third-party providers and suppliers.
Get in touch with RiskXchange to find out more about a GDPR compliance checklist for 2022.