Data protection checklist

Law firm Hedman has compiled this personal data protection self-assessment questionnaire to help organisations identify activities that are not yet covered. The checklist is not a complete solution for the protection of personal data; its purpose is to draw attention to the processes and activities that need to be addressed before an organisation can claim with any assurance that this topic is under control.

If the answer to any of these questions is NO, we suggest contacting our Specialist Data Privacy Counsel Andres Ojaver.

Personal data processing is mapped

NO: Carry out an overall data mapping exercise to identify which personal data is processed in which data flows (sources, storage, retention, transfer, deletion, access, etc.). You can use service providers like GDPR Register to do this.

Records of processing document has been created

NO: The record of processing activities is a GDPR requirement for nearly all entities (the exemption for small enterprises is narrow), and it must describe the processing activities at an overview level, not as a detailed log file. The record is compiled as a result of data mapping and must be made available to the supervisory authority on request. It is a written overview that covers every activity in the entity that involves personal data (data source, legal ground, purpose, data categories, categories of individuals, retention periods, sub-processors, etc.). You can use service providers like GDPR Register to do this.

The legal grounds of personal data processing are set

NO: The entity must understand and declare the legal grounds under which personal data is processed, and how the processing activities are divided between those grounds (legal obligation, performance of a contract, legitimate interest, the individual's consent, public interest, the individual's vital interest). Each activity should rest on one clearly identified ground, and this division should also be reflected in the privacy notice and in the record of processing activities.

The purposes of personal data processing are set

NO: In addition to the legal grounds, the entity must define the purposes of its personal data processing. Every processing activity must have a defined purpose; collecting or keeping data "just in case" is not permitted. The purpose in turn determines the appropriate retention period. Purposes should also be recorded in the record of processing activities and in the privacy notice.

GDPR compliant consents are collected from individuals

NO: First, make sure that consent is the appropriate legal ground in the particular case. Do not make signing a contract or receiving a service conditional on consenting to personal data processing; consent given under such conditions is not freely given and is not GDPR compliant. If the processing is genuinely necessary to conclude the contract or provide the service, consent is the wrong legal ground: the correct ground is performance of a contract, and asking for the individual's consent is not needed.

The consent text must be clear and describe the entire processing that follows from consenting. Consent must be withdrawable, and withdrawing it must be as easy as giving it. Note that the burden of proving that consent was given lies with the entity, not with the individual, so keep a record of when, how and to what each individual consented.

Privacy Notice is published

NO: Information about personal data processing must be available to individuals in clear and plain language. The most common way of doing this is a publicly available privacy notice on the entity's website. Note that numerous content requirements apply to this communication for the privacy notice to be GDPR compliant.

GDPR related rights are granted to individuals

NO: By law, individuals have the right to request confirmation of whether their personal data is processed and, if so, a copy of that data together with the purposes, retention periods, recipients, etc. Requests must be answered without undue delay and within one month, extendable in complex cases. High-quality data mapping and a well thought-out request handling process (including verifying the identity of the requester before disclosing anything) are the foundation for handling such requests in a GDPR compliant way. Note that GDPR also grants individuals other rights that can be exercised against the entity (data portability, erasure, objection, rectification, etc.).

Internal documentation/policies exist to demonstrate personal data protection implementation

NO: GDPR not only requires personal data to be processed in accordance with its principles, it also requires entities to be able to demonstrate this. This means you should draft and implement internal policies, employee rules of procedure, a data protection and information security policy, and similar documents, and keep evidence that they are followed.

Data protection impact assessments (DPIA) are conducted if and where necessary

NO: An impact assessment must be conducted when you are planning data processing that is likely to result in a high risk to individuals. What counts as high risk in this context is described in the law and in the relevant supervisory authority guidelines. Depending on the planned activity this can be a rather complicated and cumbersome task, as the requirements for a correct assessment are quite detailed in GDPR. If the assessment shows a high residual risk that cannot be mitigated, the supervisory authority must be consulted before the processing starts.

Employees are trained regarding GDPR requirements and data processing activities

NO: A large share of data breaches is caused by human error, often accidental or due to a low level of awareness. Raising and maintaining employee awareness through regular training is a key factor in creating a secure and compliant data processing environment.

Data processing agreements are signed with service providers/sub-processors and, if needed, clauses for personal data transfers outside the EU/EEA are in place

NO: When the entity uses service providers for personal data processing, the entity remains responsible for meeting data protection requirements towards its clients and employees. If the service agreements do not include proper data processing clauses, the entity carries the whole risk of the service provider's breaches and incidents involving the entity's data, and claims against the service provider can be very difficult. GDPR requires the entity to bind its personal data related service providers to GDPR compliance through contractual terms with specific mandatory content (a data processing agreement). Where the provider processes data outside the EU/EEA, an additional transfer mechanism is also needed, such as an adequacy decision or the European Commission's standard contractual clauses.

Data protection is integrated with risk management

NO: Risk management, whether systematic in larger organisations or more informal in small businesses, should also cover personal data protection. A personal data breach can cause financial, regulatory and reputational damage, and these risks can be successfully mitigated, so risk management and data protection should not be treated as parallel worlds.

Data protection officer (DPO) is designated if required

NO: Designating an internal data protection officer, or buying in an external DPO service, is mandatory if the entity is a public sector body, or if it is a private entity whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data. It is important to remember that the DPO, whether internal or external, must be an expert in the data protection field, and that the organisation's processes and structure must give the DPO sufficient guarantees (independence, resources, access to management) to fulfil the tasks prescribed in GDPR.

Appropriate information security measures are implemented

NO: Information security is of fundamental importance to personal data protection. You may write policies, but if doors are left open and systems have no access management, the policy is useless. The higher the risk related to the data, the higher the level of information security that should be implemented. A systematic approach is important, starting with the decisions on how much data needs to be collected at all and whether some purposes could be achieved with anonymised data, and continuing with who can access the data and how well prepared the entity is to cope with malicious attacks on it.

You should also consider creating and implementing an internal information security policy for employees.

Incident/data breach management and supervisory authority notification processes are implemented

NO: It is very important to identify information security incidents and personal data breaches as quickly as possible, to contain their impact, and to fix the root cause. In more serious cases GDPR also requires mandatory notification: to the data protection authority within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals, and to the affected persons without undue delay where the risk is high. The keys to resolving a breach or incident successfully are a high level of awareness among employees, an internal policy describing how to act when an incident has happened (the process), and a quick response with relevant measures. Every entity must also keep a record of personal data breaches, including those that did not need to be notified.
