GDPR has now been around for over half a decade and has been largely successful in boosting public and corporate awareness of data privacy. With this greater awareness comes an increased expectation of companies to comply.
As a result, we have witnessed the issuing of GDPR fines ramp up in recent times.
With that in mind, we thought it would be a good time to recap on GDPR and provide a useful GDPR Compliance Checklist.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European parliament intends to strengthen and unify data protection for all individuals within the European Union. The regulation came into effect on the 25th of May 2018.
It defines how organisations should handle the personal data of individuals within the EU. It provides guidelines for the collection, processing, and use of personal data, while also empowering individuals with specific rights and control over their personal data.
What is considered personal data under the EU GDPR?
GDPR defines personal data as information that pertains to a natural person who can be identified or is identifiable.
This broad definition covers various data types such as names, addresses, identification numbers, online identifiers, and location data.
In addition to these, the GDPR also includes personal data that is specific to an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Essentially, any data that can be used to identify an individual falls under the category of personal data and must be handled in accordance with GDPR.
To whom does GDPR compliance apply?
Any business or organisation that handles the personal data of EU citizens, regardless of whether they are based in the EU or not, is subject to GDPR.
This includes companies, non-profits, and government agencies, as well as individuals who process personal data for business purposes and third-party service providers, known as data processors, who handle personal data on behalf of such entities.
What are the penalties for non-compliance?
There are two tiers of GDPR fines based on the severity of the infringement.
Less severe violations may lead to a penalty of either €10 million, or 2% of the organisation’s global annual revenue from the prior fiscal year, whichever is greater.
More serious violations that contravene the fundamental principles of GDPR could result in a penalty of either €20 million, or 4% of the organisation’s global annual revenue from the prior fiscal year, whichever is greater.
2023 GDPR Compliance Checklist
Through efforts to ensure GDPR compliance, businesses can establish more effective information security measures to protect personal data.
The below checklist for GDPR compliance is designed to aid businesses in assessing their compliance level and achieving GDPR compliance in 2023.
Please note that this is not an exhaustive list and does not guarantee compliance, but rather a useful guide on what is recommended.
1. Understand GDPR and the Data your Business Collects
Before a business can assess its level of compliance, it must first attain a thorough understanding of GDPR and all of the data that flows through the organisation.
Start by conducting an information audit to determine what data you process and who has access to it.
According to GDPR.EU, your information audit should highlight:
- Purposes for which the data is processed
- The people who can access it within your organisation
- Any third parties that can access it, along with their location
- Measures you are taking to safeguard the data
- A timeline for data erasure
Upon completion of the information audit, you should have a comprehensive overview of the data your business collects.
It should also make obvious the areas that need attention to ensure compliance, for example where personal data is at risk of unauthorised access or a data breach.
“…in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”
It is also crucial to keep an updated cookies policy on your website, as cookies are a type of personal data collected from website visitors, and their use must be compatible with both GDPR and the ePrivacy Directive.
3. Appoint a Data Protection Officer
If mandated by GDPR, an organisation must appoint a Data Protection Officer (DPO) to oversee its compliance.
Under GDPR, an organisation is required to appoint a DPO in any of the following circumstances:
- The data is being processed by a public body
- The organisation is involved in the systematic monitoring of individuals and collects and processes data on a large scale
- Special categories of data are being processed
Whichever circumstance applies, the DPO should have the relevant expertise to ensure compliance and should function independently.
Even if it is not explicitly mandated for your business under GDPR, appointing a DPO can be an immense source of value.
They can provide expert guidance and training, and work to create a culture of data protection and compliance throughout the business.
4. Establish a Procedure for Quickly Reporting Breaches
GDPR states that data breaches must be reported within 72 hours. Thus, establishing a process for quickly reporting incidents is essential.
Having an effective protocol for reporting breaches also helps to reduce the negative impact of such incidents.
The reporting process should incorporate a comprehensive strategy for evaluating the extent and gravity of the breach, identifying the individuals whose data has been compromised, and implementing appropriate measures to prevent further damage.
5. Prioritise Staff Training & Awareness
Staff awareness and training are absolutely essential to maintaining GDPR compliance.
It is reported that 95% of cybersecurity breaches occur as a result of human error.
Additionally, the widespread adoption of remote and hybrid working models has made it more difficult for organisations to protect data.
Businesses should take every step necessary to limit the risk of data breaches caused by human error.
This includes investing the time and resources required to educate employees on the value of data protection, the fundamental principles of GDPR, and how to adhere to the policies your organisation has put in place to ensure compliance.
Achieve GDPR Compliance with Radius
At Radius, we have a dedicated GDPR compliance team ready to help your organisation achieve compliance and avoid crippling penalties.
Our process is simple!
- We conduct a compliance review
- We offer and implement a data protection strategy
- We provide an actionable GDPR report
We hope you found our ‘2023 GDPR Compliance Checklist’ useful.