GDPR compliance checklist – IBM Blog

The Common Information Safety Regulation (GDPR) is a European Union (EU) legislation that governs how organizations acquire and use personal data. Any firm working within the EU or dealing with EU residents’ knowledge should adhere to GDPR necessities.

Nonetheless, GDPR compliance will not be essentially an easy matter. The legislation outlines a set of data privacy rights for customers and a sequence of rules for the processing of non-public knowledge. Organizations should uphold these rights and rules, however the GDPR leaves some room for every firm to resolve how.

The stakes are excessive, and the GDPR imposes vital penalties for non-compliance. Probably the most critical violations can result in fines of as much as EUR 20,000,000 or 4% of the group’s worldwide international turnover within the earlier 12 months. GDPR regulators may also terminate illicit knowledge processing actions and compel organizations to make adjustments.

The guidelines under covers the core GDPR laws. How a company meets these laws will rely upon its distinctive circumstances, together with the sorts of knowledge it collects and the way it makes use of that knowledge.

GDPR fundamentals

The GDPR applies to any group based mostly within the European Financial Space (EEA). The EEA consists of all 27 EU member states plus Iceland, Liechtenstein and Norway.

The GDPR additionally applies to organizations exterior of the EEA if:

• The corporate usually affords items or providers to EEA residents, even when no cash is exchanged.
• The corporate usually screens the exercise of EEA residents, reminiscent of by utilizing monitoring cookies.
• The corporate processes knowledge on behalf of an organization based mostly within the EEA.

The GDPR doesn’t solely apply to companies utilizing buyer knowledge for industrial functions. It applies to almost any group that processes EEA residents’ knowledge for any function. Faculties, hospitals and authorities companies all fall below GDPR authority.

The one knowledge processing actions exempt from the GDPR are nationwide safety or legislation enforcement actions and purely private makes use of of knowledge.

Helpful definitions

The GDPR makes use of some particular terminology. To grasp compliance necessities, organizations should perceive what these phrases imply on this context.

The GDPR defines private knowledge as any info regarding an identifiable human being. The whole lot from electronic mail addresses to political views counts as private knowledge.

A knowledge topic is the human being who owns the information. Put one other approach, it’s the individual the information pertains to. Say an organization collects telephone numbers to ship advertising and marketing messages by way of SMS. The house owners of these telephone numbers can be knowledge topics.

When the GDPR refers to knowledge topics, it means knowledge topics who reside within the EEA. Topics needn’t be EU residents to have knowledge privateness rights below the GDPR. They merely must be EEA residents.

A knowledge controller is any group, group or individual that obtains private knowledge and determines how it’s used. Returning to a earlier instance, an organization accumulating telephone numbers for advertising and marketing functions can be a controller. 

Information processing is any motion accomplished to knowledge, together with accumulating, storing or analyzing it. A knowledge processor is any group or actor that performs such actions.

An organization may be each a controller and a processor, like an organization that each collects telephone numbers and makes use of them to ship advertising and marketing messages. Processors additionally embrace third events that course of knowledge on behalf of controllers, like a cloud storage service that hosts a telephone quantity database for one more enterprise.

Supervisory authorities are the regulatory our bodies that implement GDPR necessities. Every EEA nation has its personal supervisory authority.

Explore data security and protection solutions

The GDPR compliance guidelines

At a excessive degree, a company is GDPR compliant if it:

• Adheres to the information processing rules
• Upholds the rights of knowledge topics
• Applies acceptable knowledge safety measures
• Follows the foundations for knowledge transfers and knowledge sharing

The next guidelines breaks these necessities down additional. The sensible steps a company takes to fulfill these necessities will rely upon its location, sources and knowledge processing actions, amongst different components.

Information processing rules

The GDPR creates a set of rules organizations should observe when processing private knowledge. The rules are as follows.

The group has a lawful foundation for processing knowledge.

The GDPR defines the circumstances below which corporations can legally course of private knowledge. A corporation should set up and doc its authorized foundation earlier than accumulating any knowledge. The group should talk this foundation to customers on the level of knowledge assortment. It can not change the idea after the actual fact except it has person consent to take action.

The doable lawful bases embrace:

• The group has the topic’s consent to course of their knowledge. Word that person consent is simply legitimate whether it is knowledgeable, affirmative and freely given.
  • Knowledgeable consent means the corporate clearly explains what knowledge it’s accumulating and the way it will use that knowledge.
  • Affirmative consent means the person should take some intentional motion to indicate consent, reminiscent of by signing an announcement or checking a field. Consent can’t be the default choice.
  • Freely given consent means the corporate doesn’t try and affect or coerce the information topic. The topic should have the ability to withdraw their consent at any time.

• The group has a authorized obligation to course of the information.

• The group should course of the information to guard the lifetime of the information topic or one other individual.

• The group is processing knowledge for causes of the general public curiosity, reminiscent of journalism or public well being.

• The group is a public authority processing knowledge to carry out an official operate.

• The group is processing the information to pursue a legit curiosity.
  • A legit curiosity is a profit the controller or one other celebration might achieve by processing the information. Examples embrace conducting background checks on staff or monitoring IP addresses on a company community for cybersecurity functions. To say a legit curiosity foundation, the group should show that the processing is important and doesn’t infringe on topics’ rights. 

The group collects knowledge for a selected function and solely makes use of it for that function.

In accordance with the GDPR precept of function limitation, controllers should have an recognized and documented function for accumulating knowledge. The controller should talk this function to customers on the level of assortment, and it may solely use the information for this named function.

The group solely collects the minimal quantity of knowledge essential.

Controllers can solely acquire the minimal quantity of knowledge essential to meet their said function.

The group retains knowledge correct and updated.

Controllers should take affordable steps to make sure the private knowledge they maintain is correct and present. 

The group deletes knowledge when it’s now not wanted.

The GDPR requires strict knowledge retention and deletion insurance policies. Corporations can solely preserve knowledge till the required function for accumulating that knowledge has been fulfilled, and so they should delete the information as soon as they now not want it.

The group takes additional precautions when processing kids’s knowledge or particular class knowledge.

Controllers and processors should apply extra protections to sure kinds of private knowledge.

Particular class knowledge consists of extremely delicate knowledge like an individual’s race and biometrics. Organizations can solely course of particular class knowledge in very restricted circumstances, reminiscent of to forestall critical public well being threats. Corporations may also course of particular class knowledge with the topic’s specific consent.

Legal conviction knowledge can solely be managed by public authorities. Processors can solely course of this info at a public authority’s course.

Controllers should receive a father or mother’s consent earlier than processing kids’s knowledge. They have to take affordable steps to confirm the ages of topics and the identities of fogeys. If accumulating knowledge from kids, controllers should current privateness notices in child-friendly language.

Every EEA state units its personal definition of “little one” below the GDPR. These vary from “anybody below the age of 13” to “anybody below the age of 16.” 

The group paperwork all knowledge processing actions.

Organizations with greater than 250 staff should preserve information of knowledge processing. Organizations with lower than 250 staff should preserve information in the event that they course of extremely delicate knowledge, course of knowledge usually or course of knowledge in a approach that poses a big threat to knowledge topics.

Controllers should doc issues like the information they acquire, what they do with that knowledge, knowledge movement maps and knowledge safeguards. Processors should doc the controllers for which they work, the kinds of processing they do for every controller and the safety controls they use.

The controller is in the end chargeable for guaranteeing compliance. 

Underneath the GDPR, final duty for compliance rests with the information’s controller. This implies the controller should guarantee—and have the ability to show—that its third-party processors meet all related GDPR necessities. 

Information topics’ rights

The GDPR grants knowledge topics sure rights over their knowledge. Controllers and processors should honor these rights.

The group affords knowledge topics simple methods to train their rights.

Organizations should give knowledge topics a easy technique of asserting their rights over their knowledge. These rights embrace:

• The precise to entry: Topics should have the ability to request and obtain copies of their knowledge, in addition to related details about how the corporate makes use of the information.

• The precise to rectification: Topics should have the ability to appropriate or replace their knowledge.

• The precise to erasure: Topics should have the ability to request deletion of their knowledge. 

• The precise to limit processing: Topics should have the ability to limit how their knowledge is used if they think the information is inaccurate, now not essential or being misused. 

• The precise to object: Topics should have the ability to object to processing. Topics who’ve beforehand granted their consent should have the ability to simply withdraw it at any time.

• The precise to knowledge portability: Topics have the proper to switch their knowledge, and controllers and processors should facilitate these transfers.

Usually, organizations should reply to all knowledge topic entry requests inside 30 days. Corporations should sometimes adjust to a topic’s request except the corporate can show it has a legit, overriding cause to not.

If a company rejects a request, it should clarify why. The group should additionally inform the topic attraction the choice to the corporate’s knowledge safety officer or the related supervisory authority.

The group affords knowledge topics a solution to contest automated selections.

Underneath the GDPR, knowledge topics have a proper to not be sure by automated decision-making processes that would have a big impression on them. This consists of profiling, which the GDPR defines as utilizing automation to judge some side of an individual, reminiscent of predicting their work efficiency.

If a company does use automated selections, it should give knowledge topics a solution to contest these selections. Topics may also request {that a} human worker evaluation any automated selections that impression them.

The group is clear about the way it makes use of private knowledge.

Controllers and processors should proactively and clearly inform knowledge topics about knowledge processing actions, together with the information they acquire, what they do with it and the way topics can train their rights over knowledge.

This info should sometimes be communicated by way of a privateness discover offered to the topic throughout knowledge assortment. If the corporate doesn’t acquire private knowledge immediately from topics, privateness notices should be despatched to the topics inside a month. Corporations may additionally embrace these particulars in privateness insurance policies which are publicly accessible on their web sites. 

Information privateness and safety measures

The GDPR requires controllers and processors to take steps to forestall the misuse of non-public knowledge and shield knowledge topics from hurt.

The group has carried out acceptable cybersecurity controls.

Controllers and processors should deploy security measures to guard the confidentiality and integrity of non-public knowledge. The GDPR doesn’t require any specific controls, nevertheless it does state that corporations should undertake each technical and organizational measures.

Technical measures embrace know-how options, reminiscent of identity and access management (IAM) platforms, automated backups and data security tools. Whereas the GDPR doesn’t explicitly mandate encrypting knowledge, it does advocate that organizations use pseudonymization and anonymization wherever doable.

Organizational measures embrace worker coaching, ongoing risk assessments and different safety insurance policies and processes. Corporations should additionally observe the precept of knowledge safety by design and by default when creating or implementing new methods and merchandise.

The group conducts knowledge safety impression assessments (DPIAs) as required.

If an organization plans to course of knowledge in a approach that poses a excessive threat to the rights of topics, it should first conduct a knowledge safety impression evaluation (DPIA). Sorts of processing that would set off a DPIA embrace automated profiling and the large-scale processing of particular classes of non-public knowledge, amongst others.

A DPIA should describe the information getting used, the supposed processing and the aim of the processing. It should determine the dangers of processing and methods to mitigate these dangers. If vital unmitigated threat exists, the group should seek the advice of a supervisory authority earlier than shifting ahead.

The group has appointed a knowledge safety officer (DPO) if required.

A corporation should appoint a knowledge safety officer (DPO) if it screens topics on a big scale or processes particular class knowledge as a core exercise. All public authorities should appoint DPOs as nicely.

The DPO is chargeable for guaranteeing the group stays GDPR compliant. Key duties embrace coordinating with knowledge safety authorities, advising the group on GDPR necessities and overseeing DPIAs.

The DPO should be an unbiased officer who studies on to the best degree of administration. The group can not retaliate towards the DPO for performing their duties.

The group notifies supervisory authorities and knowledge topics when knowledge breaches happen.

Organizations should report most personal data breaches to the related supervisory authority inside 72 hours. If the breach poses a threat to knowledge topics, the group should additionally notify the topics. Organizations should notify topics immediately except direct communication can be unreasonable, during which case a public discover is appropriate.

Processors that endure a breach should notify the related controllers with out undue delay.

If situated exterior the EEA, the group has appointed a consultant within the EEA.

Any firm exterior the EEA that usually processes EEA residents’ knowledge or processes notably delicate knowledge should appoint a consultant inside the EEA. The consultant coordinates with authorities authorities on behalf of the corporate and acts as the purpose of contact for GDPR compliance issues.

Information transfers and knowledge sharing

The GDPR units guidelines for the way organizations share private knowledge with different corporations inside and outdoors the EEA.

The group makes use of formal knowledge processing agreements to control relationships with processors.

A controller can share private knowledge with processors and different third events, however these relationships should be ruled by formal knowledge processing agreements. These agreements should define the rights and tasks of all events with respect to the GDPR.

Third-party processors can solely course of knowledge in response to the controller’s instructions. They can’t use a controller’s knowledge for their very own functions. A processor should receive approval from the controller earlier than sharing knowledge with a sub-processor.

The group solely conducts authorized knowledge transfers exterior the EEA.

A controller can solely share knowledge with a 3rd celebration situated exterior the EEA if the information switch meets at the least one of many following standards:

• The European Fee has deemed the information privateness legal guidelines of the nation the place the third celebration is situated to be satisfactory.
• The European Fee has deemed the third celebration to have satisfactory knowledge safety insurance policies and controls.
• The controller has taken all of the steps essential to make sure the safety and privateness of the information being transferred.

Discover GDPR compliance options

GDPR compliance is an ongoing course of, and a company’s necessities can change because it collects new knowledge and engages in new sorts of processing actions.

Information safety and compliance options like IBM Safety® Guardium® can assist streamline the method of reaching—and sustaining—GDPR compliance. Guardium can mechanically uncover GDPR-regulated knowledge, implement compliance guidelines for that knowledge, monitor knowledge utilization and empower organizations to reply to threats to knowledge safety.

Learn more about IBM’s suite of data security and compliance products.