We have covered quite a lot in our GDPR series so far. You would be quite forgiven for feeling a little overwhelmed at everything which needs to be accomplished in order to be compliant with the legislation! In order to help you kick start the process and feel confident that you’re up to speed, we have broken down the required tasks into a series of simple steps:
1. Figure out whether you’re a controller or a processor (perhaps you are both!).
2. Outline the personal data you process and/or control.
3. List anyone who processes your customers’ data, and ensure that they comply with GDPR.
4. Decide whether you need consent or can rely on legitimate interest for processing that data. Remember that you need to ask this question for each separate process.
   - If you require consent, how will you acquire it in a compliant manner? E.g. a tick box or another type of affirmative action.
   - How will you record consent?
   - Create/refine your process for an individual to withdraw consent.
5. Do you require all the data you collect? If not, pare it back.
6. How long do you need to store data for, and what do you do when that time expires? Write a document (known as a retention policy) outlining to your customers what you do, e.g. anonymise or delete their data.
   - Make a list of all the personal data types you store.
   - Where do you hold this data?
   - Define the storage period for each.
7. Is your data stored securely? If not, put the means in motion to ensure your data is secure.
   - Your business’s contact details
   - Reasons for collecting and using personal data
   - Any 3rd parties that you work with and what information you pass to them
   - Details of your retention periods
   - Your customers’ rights (including the right to withdraw consent and the right to lodge a complaint)