When preparing for the General Data Protection Regulation (GDPR) deadline, the following checklist is a helpful guide for any organization that processes personal data from the EU.
Assess whether the method for obtaining customer consent is compliant
This is especially necessary if your organization relies on consent to legitimize its data processing activities. First, the consent language must be clear and plain. “Legalese” that is only understood by attorneys who can argue many sides is no longer acceptable. Second, a person must take an affirmative action to give consent. Pre-ticked boxes and silence are no longer considered a valid form of consent and fall outside the rules of the EU GDPR.
Check that you have mechanisms in place to honor data subject rights, including the right for data to be erased
A person can request that their personal data be erased; subject to certain exemptions, the personal data relating to that individual should then be deleted. This includes links to and copies of the data, which means a system for notifying partner organizations and data processors is necessary.
Be ready to deliver personal data to individuals
In certain circumstances, individuals can request a complete download of their personal data, delivered in a format that is easily compiled and transferable. They also have the right to request that the information be transferred to a similar company or a partner company.
Examine data breach notification measures
The GDPR outlines a mandatory data breach notification regime. If a data breach puts the rights and freedoms of individuals at risk, then a notification must be issued without undue delay and no later than 72 hours after the organization becomes aware of the breach.
Obtain parental consent for information services offered to a child
New to the EU data protection laws is the inclusion of children in the GDPR. Explicit parental consent must be obtained for all information services offered to children under sixteen. It should be noted that some member states may lower the age threshold to children under thirteen, but the GDPR will require consent for all children.
Transparency is key
The aims of the GDPR are to remove any veils covering personal data, to put greater power into the hands of individuals, and to impose heavier consequences when personal data is put at risk. Losing customer trust and loyalty isn’t the only consequence for companies with poor data protection. Being negligent with data puts an organization at risk of heavy fines, a loss of reputation and brand, and a suspension of data processing in the EU.