While the transition is a bit of a hassle, the future belongs to companies that are General Data Protection Regulation (GDPR) compliant by design. So if you are a startup that has not yet thought about GDPR compliance, or has only just started, this checklist is for you!
In general, these are the data subject rights you should always keep in mind when designing or building any organisational structure or system that handles data about your clients, customers, users or employees:
- The right to erasure (the right to be forgotten: the user's data is deleted from your systems, including backups and third-party processors where feasible) (Article 17)
- The right to restriction of processing (you may still store the data, but must not otherwise process it without the user's consent or another ground listed in Article 18(2))
- The right to data portability (let users download the data you have collected and processed about them as a machine-readable export in a commonly used format, e.g. JSON or CSV) (Article 20)
- The right to rectification (an edit function for the data fields you hold) (Article 16)
- The right to be informed (Articles 13 and 14), which means replacing long, dense terms and conditions with privacy information that is concise, transparent and written in plain language
#1 Create And Agree With Data Protection Goals
This means you need to conceptualise, write down and formally adopt your data protection goals. They should embody the processing principles of Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (being able to demonstrate all of the above). Once they are written down, make sure your whole team knows them.
#2 Appoint An Internal Data Protection Officer (DPO) With No Conflict Of Interest
This should be someone who has expert knowledge of data protection law and practice (Article 37(5)), not merely someone who has heard of the GDPR. The person should sign a document accepting the responsibilities and must remain impartial on questions of GDPR implementation: a DPO must not also decide the purposes and means of processing, so heads of marketing, IT or HR and the CEO are poor choices (Article 38(6)). If you are small, you may not be legally required to appoint a DPO (Article 37(1) applies to public authorities and to large-scale monitoring or processing of special categories of data), but someone should still own the topic.
#5 Add The Following Features
- Double opt-in for newsletters, lead magnets and sign-ups, with the confirmation timestamp recorded, so you can demonstrate that consent was freely given (Article 7)
- Right of access: let users see all the data you hold about them (Article 15); a machine-readable export of that data also satisfies data portability (Article 20)
- Rectification: let users edit or correct their data (Article 16)
- Automatic deletion after a defined retention period, or a published deletion timeline for the data you hold (storage limitation, Article 5(1)(e), and Article 17)
- Erasure: a "delete my account / forget me" function (Article 17)
- Right to object to processing, including profiling for direct marketing, which must then stop (Article 21)
- Right to restriction of processing (Article 18) and the right not to be subject to solely automated decisions, including profiling, that significantly affect the user (Article 22)
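As an added illustration, not code from the original checklist: a minimal in-memory store that wires together the rights listed in the introduction and the features in #5. It shows the mechanics the bullets only name: a double opt-in that records a consent timestamp, a machine-readable export, rectification limited to user-editable fields, a restriction/objection flag that every processing operation must check, erasure that also scrubs the audit trail, and retention-based automatic deletion. Every class and function name, the record schema, the one-year retention period and the sample data are assumptions made for this example.

```python
"""Added example, not code from the original checklist: an in-memory store that
implements the data-subject-rights features listed above. Every name, the record
schema, the retention period and the sample data are assumptions for illustration."""
import hashlib
import json
import secrets
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EDITABLE_FIELDS = {"name"}   # fields a user may rectify themselves (Art. 16)


class ProcessingRestricted(Exception):
    """Subject is under Art. 18 restriction or has objected (Art. 21): storage only."""


@dataclass
class Subject:
    email: str
    name: str
    last_active: datetime
    consents: dict = field(default_factory=dict)  # purpose -> time consent was confirmed (Art. 7)
    restricted: bool = False                      # Art. 18 restriction of processing
    objected_to_profiling: bool = False           # Art. 21/22 objection to profiling


class SubjectStore:
    def __init__(self, retention=timedelta(days=365)):
        self.subjects = {}          # email -> Subject
        self.pending = {}           # opt-in token -> (email, purpose)
        self.audit = []             # (time, action, subject reference)
        self.retention = retention  # inactivity period after which records are erased

    def _log(self, action, ref):
        self.audit.append((datetime.now(UTC).isoformat(), action, ref))

    # Art. 7 double opt-in: step 1 stores only a pending token (mailed to the user in a
    # real system); step 2 records the confirmed consent with a timestamp as evidence.
    def request_consent(self, email, purpose):
        token = secrets.token_urlsafe(16)
        self.pending[token] = (email, purpose)
        return token

    def confirm_consent(self, token, now=None):
        email, purpose = self.pending.pop(token)  # KeyError for unknown or already-used tokens
        self.subjects[email].consents[purpose] = (now or datetime.now(UTC)).isoformat()
        self._log("consent:" + purpose, email)
        return True

    # Art. 15 access and Art. 20 portability: everything held, as machine-readable JSON.
    def export(self, email):
        record = asdict(self.subjects[email])
        record["last_active"] = record["last_active"].isoformat()
        self._log("export", email)
        return json.dumps(record, indent=2, sort_keys=True)

    # Art. 16 rectification, limited to fields the user is allowed to change.
    def rectify(self, email, **fields):
        bad = set(fields) - EDITABLE_FIELDS
        if bad:
            raise ValueError("not user-editable: " + ", ".join(sorted(bad)))
        for key, value in fields.items():
            setattr(self.subjects[email], key, value)
        self._log("rectify:" + ",".join(sorted(fields)), email)

    # Art. 18 and Art. 21: flags that every processing operation must check.
    def restrict(self, email):
        self.subjects[email].restricted = True
        self._log("restrict", email)

    def object_to_profiling(self, email):
        self.subjects[email].objected_to_profiling = True
        self._log("object", email)

    def profile(self, email, now=None):
        """An example processing operation that refuses restricted or objecting subjects."""
        s = self.subjects[email]
        if s.restricted or s.objected_to_profiling:
            raise ProcessingRestricted(email)
        now = now or datetime.now(UTC)
        return {"segment": "active" if s.last_active > now - timedelta(days=30) else "dormant"}

    # Art. 17 erasure. The audit trail would otherwise keep the identifier alive, so
    # earlier entries for the subject are rewritten to a one-way hash (a tombstone).
    def erase(self, email):
        del self.subjects[email]
        ref = "sha256:" + hashlib.sha256(email.encode()).hexdigest()[:16]
        self.audit = [(t, a, ref if r == email else r) for t, a, r in self.audit]
        self._log("erase", ref)
        return ref

    # Art. 5(1)(e) storage limitation: automatic erasure once the retention period passes.
    def purge_expired(self, now=None):
        now = now or datetime.now(UTC)
        expired = [e for e, s in self.subjects.items() if now - s.last_active > self.retention]
        for email in expired:
            self.erase(email)
        return expired
```

Two design points are worth noting. First, the restriction and objection flags are useless unless every processing path checks them, which is why `profile()` refuses to run rather than relying on callers to remember; in a real system that check belongs in the data access layer. Second, erasure has to reach the places where the identifier was copied, here the audit log; in production that list also includes backups, search indexes, analytics tools and the processors from #7, and a hashed tombstone keeps the evidence that a request was handled without retaining the e-mail address itself.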
#6 Create Records Of Processing Activities (RPA) & Maintain Them
With a current RPA (Article 30) you know, for every processing activity, which data you collect, for what purpose and on which legal basis, where it is stored, who it is shared with and how long you keep it. That makes both day-to-day processing decisions and Data Subject Requests from customers far quicker to handle.
#7 Ask Your Third-Party Vendors To Be Compliant
This covers practically every piece of software, service or tool you use. You need data processing agreements (DPAs, Article 28) with every vendor that processes personal data on your behalf. As a Controller, you should only work with vendors (Processors) that provide sufficient guarantees, in terms of expert knowledge, reliability and resources, that they implement technical and organisational measures meeting the requirements of the GDPR.
#8 Organisational Initiatives
- Educate your team about privacy and data protection
- Physical access to your office should be controlled (locked doors, keys or badges, visitor handling)
- Staff laptops and other devices should be sufficiently protected (full-disk encryption, screen lock, current patches, remote wipe where available) to prevent leaks of customer data
#9 Sales & Marketing
- Obtain consent for all your marketing activities, including contact forms, and record when and how it was given
- Inform customers about every tool that touches their data, such as your Customer Relationship Management system (CRM), analytics tools and any other service that processes customer data
- Always provide an opt-out (unsubscribe) option, and honour it
#10 Human Resources (HR)
Apply different access levels per role. Not everybody should have access to all the systems and data you hold on your employees; HR data in particular should be limited to those who need it for their job. Make sure this restriction is documented (for example in your RPA) and enforced in your systems, not merely stated in a policy.
“ECOMPLY: GDPR Software for SMEs and Data Protection Officers. ECOMPLY is GDPR documentation software that gives you peace of mind and guidance and reduces your risk of liability. They offer a 14-day free trial to test the software against your needs. They make complicated GDPR documentation easier and simpler. Click here for a free trial of this impressive software service: https://app.ecomply.io/registration“
All information is provided on an as-is basis. Where we allow bloggers to publish articles on our platform, please note that these are not our opinions or views and that we have no affiliation with the companies mentioned.