GDPR goes into effect in just a few days, and while your company has probably been working for months (or more) to be compliant with this groundbreaking new regulation, here are five items that should be at the top of your last-minute GDPR checklist.
Map your data
Article 30 of the GDPR requires data controllers and processors to have a record of processing containing certain high-level attributes (e.g., purpose of processing, a description of categories of data subjects and categories of personal data, etc.). However, a more detailed data map, consisting of information about specific data elements and how they flow between different entities, IT applications, vendors, etc. throughout the course of a processing activity, will be essential to meeting many other GDPR requirements, such as breach notification and fulfilling data subject rights. Without a data map in place, responding to a personal data breach or a data subject request becomes considerably more difficult.
Additionally, having a data map will help you to solidify your understanding of the scope of GDPR as it applies to your organisation. In other words, knowing which of your organisation’s processing activities are subject to the GDPR, and which are not, can help you prioritize your compliance efforts, in particular if you are behind the eight-ball as we approach 25 May.
Document your legal bases
Article 6 of the GDPR allows for lawful processing of personal data under one of six different legal bases. Therefore, at a minimum, data controllers need to identify and document their legal bases for all processing activities that are subject to the GDPR; doing so will also help in other areas.
For example, where a data controller is relying on consent to process personal data, they will need a way to request and obtain consent, manage records of those consents, and provide a withdrawal mechanism. Similarly, where a data controller chooses to rely on legitimate interests as their legal basis, they will need to document their analysis of the organisation’s interests weighed against the interests of data subjects. Lastly, relying on consent or legitimate interests as legal bases can open the door to the exercise of certain data subject rights, such as the right to erasure and right to object.
Update your privacy notice
Articles 13 and 14 of the GDPR require certain information to be provided to data subjects about the processing of their personal data (e.g., the contact details of the data protection officer, the purposes of processing and legal basis, recipients of personal data, etc.). The information provided needs to be concise, easily accessible and easy to understand, using clear and plain language. In other words, avoid legal and technical jargon, and think about what the average data subject in your audience would understand. Layered and/or just-in-time notices can also be implemented to assist in informing data subjects.
Moreover, data controllers will need to bring their updated privacy notice to the attention of data subjects (e.g., via email, letter, pop-up, etc.).
Facilitate data subject access requests
Article 12 of the GDPR requires data controllers to “facilitate the exercise of data subject rights” (e.g., the right of access, right to erasure, right to data portability, etc.). Specific requirements exist with respect to each of these rights; however, general overall obligations exist as well, including fulfilling requests within one month of receipt, providing information by electronic means where possible, and notifying data subjects of reasons for delay or denial of requests.
Moreover, Recital 63 of the GDPR suggests that “[w]here possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.” Therefore, you should think about not only your process for handling data subject requests behind the scenes, but also about how you will communicate with data subjects, and transmit their data to them, in a secure manner.
Update your cookie practices
Article 5(3) of the ePrivacy Directive requires that any “storing or retrieving” of information from an end user’s device should be subject to consent unless it is technically necessary to enable the intended communication to take place. Currently, implied consent is enough; however, the GDPR will require consent to be “unambiguous,” which means that simply loading a website’s landing page or scrolling through the page will not be sufficient to establish consent. Instead, consent will need to be freely given, specific, informed, and unambiguous, with withdrawal of consent being as easy as giving it.
Remember, May 25 is not the last day we talk about privacy – it should be an ongoing piece of your business operations. DPOs and business leaders will need to continue to work together when GDPR goes into effect, and beyond.