The deadline for GDPR compliance has passed! Make sure your organization is GDPR compliant with this comprehensive checklist.
Plan
1. Determine if you are covered under GDPR »
GDPR applies to any organization that processes personal data of people in the EU, regardless of headcount. The 250-employee figure only relaxes the Article 30 record-keeping obligation, and even that relief disappears if processing is more than occasional, is likely to put individuals at risk, or involves special categories of data. Processing for activities outside the scope of EU law, such as national security, falls outside the Regulation.
2. Determine which supervisory authority is the right one »
Your lead supervisory authority is the one in the member state of your main establishment, so this decision follows from how your organization is structured and where it implements governance and controls around personal data. Note that GDPR speaks of "personal data", which is broader than the US notion of Personally Identifiable Information; this checklist uses PII for that concept.
3. Develop GDPR governance/management program »
- Technology, processes and budget, as well as reporting to the supervisory authority and to the board.
- Develop and maintain a Privacy Program that contains documented procedural and technical controls, aligned with existing security controls, data retention guidelines per PII type, and continuous monitoring processes and guidelines for the program.
- Identify whether the type of information, or the method of collecting it, warrants a Privacy Impact Assessment (PIA; GDPR Article 35 calls this a Data Protection Impact Assessment, DPIA).
- If a PIA is warranted, provide detailed systems and process documentation on how the information is processed and stored.
- If a PIA is warranted, develop a method to interact with affected persons (for example a focus group) to weigh the value of collecting the PII against the risk to them.
- For PII data exchanges, have guidelines for technology, shared accountability and shared liability.
- Know which member state regulations and exemptions apply (e.g. information designated for national security or law enforcement purposes).
4. Identify a Data Protection Officer »
A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; appointing one is good practice otherwise. The amount of PII, how it is collected and used, and the size of the business limit how many other duties a Data Protection Officer (DPO) can take on without a conflict of interest. Publish the DPO's contact details and make sure the supervisory authority has them.
5. Identify subordinate DPOs »
This is critical if dealing with multiple supervisory authorities. The path of communications and reporting needs to be consistent to support auditability. Make sure that non-lead supervisory authorities have the published contact information for the DPO and the associated subordinate DPO.
6. Build a plan for dealing with multiple territories »
How will information be relayed between DPO and subordinate DPOs? Identify any additional member state regulations that might apply.
7. Identify legal counsel to support GDPR assets »
Focus on risk reduction rather than pure compliance. GDPR is a risk reduction exercise, just like information assurance: a zero-risk approach to compliance would require you to bury all of your PII processing technology under a bridge and only take cash for payments.
8. Develop GDPR training program »
GDPR is about a system of privacy protections for individuals. Make sure that people and processes are accounted for and not just the technology they use.
9. Identify processors »
Note that processors carry their own (narrower) liability alongside controllers, and Article 28 requires a written contract between the two. For each processor, determine which services it is liable for: those that process PII on your behalf, those that share PII with a third party under a separate agreement (including sub-processors), and those that delete PII.
Execute
10. Implement and document technology for pseudonymisation for PII (privacy by design) »
Use technology to encrypt, hash, or tokenize information associated with PII. Encryption-based controls need to trace to least privilege and to organizational policy for data retention, and pseudonymisation controls need matching controls for data exchange with other organizations. Keep in mind that pseudonymised data is still personal data under GDPR as long as the key or mapping that re-identifies it exists; only truly anonymised data falls outside the Regulation.
11. Implement and document technology and processes for data subject transparency and access (privacy by design) »
Provide technology that can audit and log information. Provide technology that can provably remove PII on a valid request and correlates the logs of PII creation, retention, and removal. Capabilities for data subject transparency and access need traceability for personal data export (portability). Implement data retention controls that remove PII once it is no longer operationally or legally required. Provide security controls, such as digital signatures or hashing functions, to mark data whose accuracy a data subject contests and to demonstrate that it has not been altered while processing is restricted.
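The two items above (pseudonymisation, and provable removal with correlated logs) fit together in one mechanism, shown here as an added example that is not part of the original checklist. It assumes a keyed token vault: pseudonyms are HMAC-SHA256 tokens over the normalized identifier, downstream systems store only the token, the vault holds the only reversible mapping, and every lifecycle event is written to a hash-chained audit log that never contains the identifier itself. Erasing the vault mapping makes every downstream copy of the token permanently irreversible, which is what lets you demonstrate removal without chasing copies. `seal()` is the hashing control for contested data. The vault key, the names `TokenVault`/`AuditLog`, and the sample identifiers are all constructed for illustration; a real deployment keeps the key in a KMS/HSM and the vault behind least-privilege access.

```python
"""Keyed pseudonymisation plus a hash-chained PII lifecycle log (illustrative)."""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


def _canon(obj) -> bytes:
    """Canonical JSON so equal content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log where each entry commits to the previous one.

    Entries hold only the pseudonym, so the log can be kept after erasure
    without re-introducing the personal data it describes.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, event: str, token: str, actor: str) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"event": event, "token": token, "actor": actor, "ts": time.time(), "prev": prev}
        entry = dict(body, digest=hashlib.sha256(_canon(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every digest and link; any edit or deletion breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or hashlib.sha256(_canon(body)).hexdigest() != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def history(self, token: str) -> List[str]:
        return [e["event"] for e in self.entries if e["token"] == token]


class TokenVault:
    """token = HMAC-SHA256(vault_key, normalised identifier).

    Tokens are stable, so the same person joins across internal datasets, but
    nobody without the vault key can produce or reverse one (this is why the
    output is still personal data). Deleting the mapping is the erasure step.
    """

    def __init__(self, key: bytes, log: AuditLog) -> None:
        self._key = key          # assumption: in production this lives in a KMS/HSM
        self._map: Dict[str, str] = {}
        self.log = log

    def pseudonymise(self, identifier: str, actor: str) -> str:
        norm = identifier.strip().lower()
        token = "pid_" + hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()[:32]
        if token not in self._map:
            self._map[token] = norm
            self.log.record("create", token, actor)
        return token

    def reidentify(self, token: str, actor: str) -> Optional[str]:
        value = self._map.get(token)
        self.log.record("access" if value is not None else "access_denied", token, actor)
        return value

    def erase(self, token: str, actor: str) -> bool:
        existed = self._map.pop(token, None) is not None
        self.log.record("erase" if existed else "erase_noop", token, actor)
        return existed


def seal(record: dict) -> str:
    """Digest of a stored record; recomputing it later shows the record was not
    changed while the data subject contests its accuracy (Art. 18 restriction)."""
    return hashlib.sha256(_canon(record)).hexdigest()


def demo() -> dict:
    log = AuditLog()
    vault = TokenVault(key=b"constructed-demo-key-not-for-production", log=log)
    t = vault.pseudonymise("Alice.Example@example.org", actor="crm-import")
    same = vault.pseudonymise(" alice.example@example.org ", actor="billing")  # same person
    crm_record = {"customer": t, "plan": "gold", "region": "DE"}  # downstream keeps only the token
    digest = seal(crm_record)
    before = vault.reidentify(t, actor="support-desk")
    vault.erase(t, actor="dpo")                       # Art. 17 request honoured here
    after = vault.reidentify(t, actor="support-desk")  # token now irreversible everywhere
    return {"stable": t == same, "before": before, "after": after,
            "unaltered": seal(crm_record) == digest,
            "history": log.history(t), "chain_ok": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the token staying stable across two differently-cased inputs, re-identification succeeding before erasure and failing after it, the contested-record seal still matching, and a verifiable chain of `create`, `access`, `erase`, `access_denied` events for that one pseudonym. Editing any log entry afterwards makes `verify()` return `False`, which is the property an auditor needs from "log correlation to PII creation, retention, and removal".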
12. Implement and document controls for PII data protection that enact least privilege (privacy by design) »
Look for fine-grained access controls that tie authorization to the specific use being made of the data, not just to the dataset. Controls for data exchange need to expose only the fields the outside entity actually requires.
13. Execute privacy impact assessment (if required) »
Assess the reasoning for PII collection, and weigh the value of the collected PII against the risks to the affected persons of collecting it. Have the artifacts available for prior consultation with the supervisory authority, which Article 36 requires when the residual risk remains high. Situations that typically warrant a PIA include:
- Example 1: A system that uses new technology to interact with individuals in a way that could result in a data breach or other harm.
- Example 2: An organization that is a likely target of cyber attack (cybersecurity firm, insurance provider, etc.) and so faces elevated breach risk.
- Example 3: High risk of loss of PII; if a data breach has occurred, this PIA should be aligned with contingency planning.
Demonstrate alignment between your data breach response plan and the PIA.
14. Implement and document technology to demonstrate legal consent for collection of privacy information »
This includes safeguards for minors: Article 8 sets the age of digital consent at 16 by default and lets member states lower it to 13, and the UK chose 13, so check each jurisdiction you operate in. Explain how information is processed in a manner that can be easily understood by, and conveyed to, individuals with visual, auditory, or other disabilities (think Section 508 of the US Rehabilitation Act or WCAG). Show customers your organization's external privacy policy for customer information. For web applications, either do not set non-essential cookies or have a method for obtaining customer consent (this comes from the ePrivacy Directive as much as from GDPR). Justify to customers why collecting PII is required for each use (processing purpose), e.g. to reduce the risk of fraud, reduce the cost of the service, or reduce risk in providing a service. Have customer-facing technology in place that keeps audit records of the persons providing PII and of their consent to each use of it. Tools that support non-repudiation, such as issued tokens, certificates, and other MFA technology, are beneficial here.
15. Implement and document technology and processes that demonstrate GDPR compliance (privacy by design) »
Implement solutions such as a SIEM or other platform whose audit reduction is organized around the provenance and disposition of PII. Implement processes for PII-intensive functions such as HR that protect that information. Implement solutions such as DLP and encryption services that protect PII and feed directly into the broader GDPR audit capability. Monitor the organizational perimeter for BYOD, outbound information flows, and exposure through social media. Include data protections for whistleblowers and other irregular business activities.
Monitor
16. Provide continuous monitoring of GDPR technical controls and processes »
Develop audit views that show the state of processing assets, the state of data sharing and transfer assets, and the status and outcomes of contested-data requests. Develop integrated auditing views that combine systems security with PII controls.
17. Audit PIA operations and outcomes »
Provide documentation for PIA efforts and actions from the PIA. Be able to justify actions (or no action) based on PIA results.
18. Maintain communications compliance with supervisory authorities »
Provide reporting that shows the requisite communications with supervisory authorities. Provide reporting that shows detailed communications with supervisory authorities as part of data breach response activities, including evidence that notifiable breaches were reported within the 72-hour window set by Article 33.