GDPR: Steps You Need To Take Now
- Matt
- Mar 12, 2018
- 4 min read
The compliance deadline for the EU's General Data Protection Regulation (GDPR) is around the corner - May 25, 2018.
If you haven't started compliance efforts, this checklist will get you started.
If you have already started, this list can keep your company organized around key big picture items as you finalize documents and processes.
General Data Protection Regulation (EU) 2016/679 ("GDPR")
What. New set of regulations to give EU citizens more control over their personal data.
Who. Any company collecting data from EU residents or doing business with companies that collect data from the EU.
Why. Fines of up to the greater of €20M or 2%-4% of global revenue per violation. Compliance ensures customer retention & growth. All business partners competing in the global marketplace will deem GDPR compliance a standard representation.
When. May 25, 2018
Step One: The Basics
Assign two internal GDPR points of contact. There will be real time spent on this project away from their current day-to-day. One POC should be in legal/finance and the other in IT/product.
Begin Documentation. Identify and list all company systems that house personal data. Document all data processing activities, including by sub-processors.
Documentation should describe:
data collected - data subjects, data categories*, amount of data processed/stored, and age of data
location of systems where each data category is stored - map data flows, logistical & physical storage
third parties that data is shared with
employees with access to each specific system - super-users, server access
time limits for erasure of different data categories
purpose/basis for collecting, processing, and retaining data
procedural and technical capabilities used to access, edit, copy, transfer, and remove data
*data categories:
standard data - name, email, address, birth date, national identifier
online identifiers - cookies, tags, IP addresses, GPS location data
sensitive data - religious, genetic, biometric, ethnic, political, health, sexual orientation
children's data - data from subjects under the age of 16
This part alone is rather time consuming, but it is a key gating item for the rest of the project.
Step Two: Digging Deeper
Definition & Deletion of Data. Define the minimum necessary data and delete unwanted data (duplicates, unnecessary backups, excess fields, old records). This is a key tenet of the GDPR - you should obtain only the info you truly need for your business.
Update Privacy Notice / Transparency. The policy should transparently describe how the company collects data and for what purpose – concise but 100% complete, using easily understood language.
Vendor / Sub-processor Compliance & Data Transfers. List all third parties that receive personal data from you to support your business. Consolidate contracts with data processor vendors and update them to delineate each party's role as either processor or controller. Update all vendor sub-processors' security representations and responsibilities to require industry standard security protections, annual audits, and detailed incident response procedures and notice periods.
Document your internal data transfers. Get standard documentation from your counsel and make sure all your global entities & subsidiaries are properly accounted for.
Privacy Shield - Confirm Registration. Not required but highly recommended - consider registering for Privacy Shield, the certification program that allows for data transfers between the U.S. and EU. It provides an additional, external check on your privacy policies.
Data Protection Officer (DPO). Determine if you need a DPO and if that person will be internal or external. Here is more background on the DPO.
Step Two is vital to abiding by the rules of GDPR.
Step Three: Reprogramming Your Product or Service
Right to be Forgotten / Data Removal-Edit-Copy. Document business processes & technical capabilities used to locate and delete automated data upon data subject request. Describe how requests are received/processed internally & by processors. The controller determines which parts of the data should be deleted (or retained), and if the processor’s technical capabilities and processes can satisfy removal/edit/copy requests.
Data Portability. Document business processes and technical capabilities used to locate all personal data and all transactional information/history. Be able to move the data elsewhere in a machine-readable format.
Consent. Document and provide evidence of user OPT-INs to marketing programs (entire opt-in-opt-out history, by date of action). Opt-ins cannot be a pre-checked box or condition of service. Consent must be current and proactively provided.
Step Three is key to addressing specific elements of the GDPR that will likely require changes to your current products and processes. If they cannot be fixed right away, document a plan to remediate and an estimated timeline to completion.
Step Four: Assessing Risks
Security. Conduct a security audit of all systems that house personal data. Review security controls and identify gaps that exist while performing the data inventory and documentation described in Step One.
Incident Response. Create an incident response process plan & template to share with your employees, processors, controllers, and customers. Include the names and contact information of employees/advisors/attorneys/forensics teams to be contacted in the event of a data breach. Include instructions on which information should be conveyed via phone versus email. The controller must report a breach within 72 hours, regardless of fault.
Create a Risk Register. Identify regulatory risks and risks to data subjects, prioritize risks by likelihood of occurrence & cost, perform an assessment of need and proportionality, document technical and procedural risk reduction measures.
Step Five: Housekeeping
EU HR Data. If you have any EU employees, apply all the prior steps to your EU HR data. Employee data elements necessary for legal and tax purposes may be held indefinitely. Emails/chat boxes containing personal information may be subject to data subject rights if the company did not have a strict policy prohibiting the inclusion of personal data within company devices and software.
Employee Training. Conduct and document employee trainings on consent requirements, online marketing practices, and internal procedures for receiving and processing data rights requests/inquiries by data subjects.
Vendor Compliance. You'll need to continue to ensure that any contracts with vendors and sub-processors are documented properly, and you will need to develop a process to handle the incoming requests from your clients to do the same.
There is a lot to do. Remembering the fundamentals of GDPR makes it a bit easier: full transparency of your data collection practices and limiting data to what is actually needed and legally obtained.
Good luck!