Checklist of what you need to do
This is a short overview of some of the items you need to address for your organisation. You should consult the Data Commissioner's website for more details. You can download a definitive checklist from the Data Commissioner's website.
You have to ask yourself a number of questions in relation to the collection, storage and use of data:
What personal data do we collect and process?
List the categories of data subjects and personal data collected and retained e.g. current employee data; retired employee data; customer data (sales information); marketing database; CCTV footage.
How did we obtain it?
Did the data subject sign up to a newsletter? Are they an existing customer governed by our contract, in which case consent may not be required?
Did you get consent?
Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?
Why was it originally gathered and why are you holding it?
Are you recording the basis on which the data was collected, and is that basis still relevant at this stage?
When will you get rid of it? How long will you retain it for?
Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?
Do you have a policy for keeping the data up to date, and have you defined the timeframe and criteria for getting rid of data?
Do we have a defined policy on retention periods for all items of personal data, from customers, prospects and employees?
How secure is the data, both in terms of encryption and accessibility?
Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose? Who in our organisation has access to the data?
Are our staff trained in all relevant areas of GDPR policy to ensure they handle data in a compliant manner?
Are our Technical or Security staff aware of their obligations under the GDPR and do they have sufficient resources to implement any required changes or new processes?
Keeping the Data within the EU
Are we transferring any personal data outside the EU and if so, do we have the required adequate protections in place?
Procedures for Requests under GDPR
Do we have procedures in place to handle requests from data subjects to modify, delete or access their personal data? Do we have procedures to anonymise data if we are asked to do so by a data subject? Do these procedures comply with the new rules under the GDPR?
Contracts with third parties
In cases where our third-party vendors are processing personal data on our behalf, such as online accounting systems or a CRM system, have we ensured our contracts with them have been updated to include the processor requirements under the GDPR?
The data on the MindaClient GDPR web pages is not intended as a legal interpretation of GDPR regulation and should not be relied upon as legal advice.
It is intended
- To provide information
- To outline what MindaClient can do to help you become GDPR compliant
- To outline how MindaClient is complying with the GDPR regulations
You are advised to seek your own legal advice and to consult the Data Commissioner's website.