GDPR checklist: What you need to know about the new General Data Protection Regulation
If any of the following criteria applies to you, you have been obliged as a business since May 25, 2018 to implement the GDPR in a legally compliant manner:
- You are a processor and handle personal data on behalf of a client who uses your services.
- You offer services or sell goods within the EU.
- More than nine people in your company are constantly engaged in processing personal data.
- You operate a website (or online shop).
In all of these cases you process personal data, and the General Data Protection Regulation is what governs how the information about your customers, employees, and business partners must be protected. The flood of regulations, rules and articles can be confusing at first. In our GDPR checklist we answer the most frequently asked questions on this subject and give you an overview of what you need to know in order to comply with the data protection requirements.
What is personal data anyway?
When we talk about the General Data Protection Regulation, we are always talking about the protection of personal data. All companies based in the EU, and all companies offering their products or services within the EU, are obliged to protect it. Nevertheless, the companies concerned often ask themselves at the outset what exactly counts as personal data. Examples include:
- Identification numbers
- Bank details
- Location data
- IP addresses
- Political orientation
- Online identifiers (e.g., cookie IDs)
- License plates
As soon as you or a third party could identify a person, directly or indirectly, from the information collected, that information is personal data and the stricter rules apply. For this reason, it is important that you adhere carefully to the individual points of this GDPR checklist. Attention: This is even more important in the health care sector, because health data is one of the special categories of personal data and is subject to additional restrictions. Are you a doctor? Then we recommend our guidebook “Data protection at your medical practice.”
What will change for you?
In an international comparison, Germany already had a high level of data protection before the EU General Data Protection Regulation became applicable. If you use our GDPR checklist, you will find that you have already done good preparatory work in some areas. The rules in Germany have been strict for many years, but they are now being significantly tightened in the following respects:
- Third countries are also responsible:
Until now, companies outside the EU were largely unaffected by European data protection law. This is changing. A company with no establishment in the EU that offers goods or services to people in the EU, or monitors their behaviour, must appoint a representative in the EU (Art. 27 GDPR). The representative acts as the point of contact for supervisory authorities and data subjects on all data protection matters. If you do not yet have an Art. 27 representative, you can compare representatives on our platform.
- More stringent requirements for data systems:
You are obliged to take all necessary technical and organizational measures to protect personal data from unauthorized access. You can find out more in this GDPR checklist under “IT Security.”
- Consumer protection through consent:
Consent was already required before, but the requirements have become stricter: it must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that it was given (Art. 7 GDPR). It is therefore advisable to inform your customers again and to obtain fresh consent to process their data where your existing consent does not meet this standard. At the same time, you must tell the data subjects what you process their information for and to what extent.
- Right to be forgotten:
Unless a statutory retention period requires you to keep the data, you are obliged to delete a person's personal data irrevocably upon request (Art. 17 GDPR). Data that you must still retain may not simply be processed as before; restrict its processing until the retention period has expired and then delete it.
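The deletion-versus-retention decision described above, as an added example in Python that is not part of the original checklist: an erasure request erases every record of the requesting person whose retention period has expired, flags the rest as restricted, and a scheduled sweep erases the held-back records once their period runs out. The in-memory store, the record categories and the retention periods are constructed for illustration and are not legal advice; a record whose category has no known retention rule is never deleted silently.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str       # what kind of record this is, see RETENTION_DAYS
    created: date
    restricted: bool = False   # True once erasure was requested but retention still runs


# Hypothetical retention policy: days a record category must be kept after
# creation. Constructed values for illustration, not legal advice. 0 means
# there is no statutory retention period, so the record may be erased at once.
RETENTION_DAYS: Dict[str, int] = {
    "invoice": 10 * 365,
    "support_ticket": 3 * 365,
    "newsletter": 0,
}


def retention_end(record: Record) -> date:
    """Earliest date on which the record may be erased. Fails closed: a category
    without a known retention rule raises instead of being guessed at."""
    try:
        days = RETENTION_DAYS[record.category]
    except KeyError:
        raise ValueError(f"no retention rule for category {record.category!r}")
    return record.created + timedelta(days=days)


def handle_erasure_request(store: Dict[str, Record], subject_id: str, today: date
                           ) -> Tuple[List[str], List[Tuple[str, date]]]:
    """Process an erasure request for one data subject.

    Returns (erased record ids, [(held record id, date it becomes erasable)]).
    Records of other subjects are never touched. All retention dates are
    computed before anything is deleted, so an unknown category aborts the
    request without leaving the store half-processed.
    """
    subject_records = [r for r in store.values() if r.subject_id == subject_id]
    ends = {r.record_id: retention_end(r) for r in subject_records}
    deleted: List[str] = []
    retained: List[Tuple[str, date]] = []
    for rec in sorted(subject_records, key=lambda r: r.record_id):
        end = ends[rec.record_id]
        if end <= today:
            del store[rec.record_id]
            deleted.append(rec.record_id)
        else:
            rec.restricted = True           # keep, but stop ordinary processing
            retained.append((rec.record_id, end))
    return deleted, retained


def purge_released(store: Dict[str, Record], today: date) -> List[str]:
    """Scheduled sweep: erase records that were held back from an earlier
    erasure request once their retention period has run out."""
    released = sorted(r.record_id for r in store.values()
                      if r.restricted and retention_end(r) <= today)
    for rid in released:
        del store[rid]
    return released


def build_sample_store() -> Dict[str, Record]:
    """Constructed sample data for the demonstration."""
    recs = [
        Record("inv-1", "alice", "invoice", date(2020, 1, 15)),
        Record("inv-2", "alice", "invoice", date(2010, 3, 1)),
        Record("nl-1", "alice", "newsletter", date(2023, 9, 1)),
        Record("tk-1", "alice", "support_ticket", date(2023, 5, 1)),
        Record("inv-9", "bob", "invoice", date(2022, 7, 1)),
    ]
    return {r.record_id: r for r in recs}


if __name__ == "__main__":
    store = build_sample_store()
    deleted, retained = handle_erasure_request(store, "alice", date(2024, 6, 1))
    print("erased now:", deleted)
    print("held under retention:", [(rid, end.isoformat()) for rid, end in retained])
    print("erased by later sweep:", purge_released(store, date(2030, 6, 1)))
```

Run on the sample store on 2024-06-01, Alice's request erases the old invoice and the newsletter record immediately, while the recent invoice and the support ticket are held under restriction until their retention periods end; Bob's data is untouched. The two-pass design in handle_erasure_request is deliberate: validating every retention rule before the first deletion means a misconfigured category cannot leave half of a person's data erased and the rest in limbo.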
GDPR checklist: Step by step to more security
Although the General Data Protection Regulation has been applicable since May 25, 2018, there are still many companies that are not sufficiently prepared. The German supervisory authorities are taking a tough stance on this and are auditing more and more companies. If you are not sure whether you have really observed all the requirements, this checklist for companies will help you implement the GDPR and stay in compliance:
Data protection officer
In our GDPR checklist this area is of great importance, because a data protection officer is an expert who has dealt intensively with the matter and knows which requirements you need to pay particular attention to.
There are two options available to you: Either you train a person from your company to become an internal data protection expert or you appoint an external expert. Both options have their advantages and disadvantages. We have already listed these for you on our platform in the section “Internal or external data protection officer?”
An officer is required if the following criteria apply to you:
- More than nine people in your company constantly process personal data.
- Processing is one of your core activities.
- The processing involves an increased risk for the data subjects.
- The data is highly sensitive data or special categories of personal data are involved (e.g., in health care).
In general, we also recommend that smaller companies appoint a data protection officer. The GDPR is an extremely extensive topic, especially for laypersons. A competent expert can address your concerns and take the necessary measures for you.
Contract processing agreement
A data processing agreement is mandatory as soon as you commission a third party to process personal data on your behalf. This is very common, for example, when companies outsource certain functions such as accounting. In the digital age, it also applies to cloud services. If you outsource parts of your company's structures or processes, you should review this item on the GDPR checklist as soon as possible.
The content of the data processing agreement is governed by Art. 28 GDPR. It includes, among other things:
- Duration and purpose of processing
- Type of personal data and categories of data subjects
- The authority to issue instructions
- The rights and obligations of both the processor and the controller
Pay particular attention to accountability: specify in detail the scope within which the processor may process personal data, and on whose instructions. Only in this way can you guarantee sufficient protection both for the data subjects and for your own company.
Record of processing activities
You are obliged to document all processing activities in detail. According to Art. 30 GDPR, you must record why you process personal data, within what framework this is done and how you do it. It is essential that you discuss this point on your GDPR checklist with your data protection officer (if you have one) or call in an expert.
Attention: This is not a one-off task. You must keep the record up to date on an ongoing basis. The most relevant points are:
- Name and contact details of the controller
- Type of data
- Purpose of processing
- Data subjects
- Risk assessment
- Legal basis
- Persons with access rights
- Processors working under contract, if any
- Duration of processing
- Data protection measures
As you can see, this task takes a lot of time. Nevertheless, there is no room for error, because the supervisory authority can demand to see your record at any time (Art. 30(4) GDPR).
Privacy statement
If you operate your own website or an online shop, you should read this item from our GDPR checklist carefully, because a privacy statement is required on the Internet. It informs your users that, and how, you are processing personal data. Make sure that the privacy statement is complete; otherwise, in the worst case, you will receive a GDPR warning letter.
Attention: Formulate the statement in clear and plain language. Otherwise you could be accused of using unclear wording to gain an unfair competitive advantage.
The following points are part of the privacy statement:
- Contact data of the website operator
- Contact details of the data protection officer
- Purpose of processing
- Legal basis
- Storage period
- Right of access to the stored data
- Data subject rights
If you profile users through tracking tools or plug-ins, you must also make it clear that you are doing so.
Data protection impact assessment
A data protection impact assessment is mandatory whenever a processing operation is likely to result in a high risk to the rights and freedoms of data subjects (Art. 35 GDPR). When conducting it you must seek the advice of your data protection officer, where one has been designated (Art. 35(2)). If the assessment shows a high residual risk that you cannot mitigate, you must consult the supervisory authority before you start processing (Art. 36).
The GDPR also provides clear guidelines on the content of the assessment, which we naturally share with you in our checklist “Data protection in the company”:
- Description of the processes and their purpose
- Assessment of the existing need
- Proportionality assessment
- Risk assessment
- Corresponding remedial measures
There are no exact specifications regarding the scope of the assessment. However, we recommend that you exercise the greatest care and document your reasoning.
IT security
Art. 32 GDPR requires technical and organizational measures that are appropriate to the risk in order to protect the data subjects. This data protection checklist gives you an initial overview:
- Encryption technologies: These include TLS (HTTPS) for your website, S/MIME (or PGP) for your emails, and password-based encryption for files at rest. Do not confuse a password prompt with encryption: a file that is merely access-restricted, but stored in the clear, is not protected against theft of the storage medium.
- Access protection: Ensure that only authorized employees have access to personal data, grant each role only the access it needs, and log access. Secure your server rooms against unauthorized entry.
- Employee training: Raise your employees’ awareness of data protection. The greatest risk is often human error.
- Certification: Art. 42 GDPR provides for certification mechanisms, but there are currently no binding specifications for what such a data protection certificate must look like.
Attention: If you suffer a personal data breach, you are obliged under Art. 33 GDPR to notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to data subjects. Where the risk to the affected persons is high, you must also inform them without undue delay (Art. 34 GDPR). Document every breach, including those you decide not to report, together with your reasoning.
Better safe than sorry
The General Data Protection Regulation places high demands on European companies. You can see from our GDPR checklist how extensive the work of implementing all of its requirements in a legally compliant way is. You should therefore take the time to examine closely every item where action is required, and check all requirements ahead of time rather than after an audit. In the worst case you could otherwise face fines of up to 20 million euros or 4 % of your worldwide annual turnover, whichever is higher (Art. 83 GDPR).