YOUR DATA

  •  

    Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it

    processor, controller
  •  

    Your company has a list of places where it keeps personal information and the ways data flows between them

    controller, processor
  •  

    Your company has a publicly accessible privacy policy that outlines all processes related to personal data.

    processor, controller
  •  

    Your privacy policy should include a lawful basis to explain why the company needs to process personal information

    controller

ACCOUNTABILITY & MANAGEMENT

  •  

    Your company has appointed a Data Protection Officer (DPO)

    processor, controller
  •  

    Create awareness among decision makers about GDPR guidelines

    processor, controller
  •  

    Make sure your technical security is up to date. 

    processor, controller
  •  

    Train staff to be aware of data protection

    processor
  •  

    You have a list of sub-processors and your privacy policy mentions your use of these sub-processors

    processor
  •  

    If your business operates outside the EU, you have appointed a representative within the EU.

    processor, controller
  •  

    You report data breaches involving personal data to the local authority and to the people (data subjects) involved

    processor, controller
  •  

    There is a contract in place with any data processors that you share data with 

    controller

NEW RIGHTS

  •  

    Your customers can easily request access to their personal information

    processor, controller
  •  

    Your customers can easily update their own personal information to keep it accurate

    processor, controller
  •  

    You automatically delete data that your business no longer has any use for

    processor, controller
  •  

    Your customers can easily request deletion of their personal data

    processor, controller
  •  

    Your customers can easily request that you stop processing their data

    processor, controller
  •  

    Your customers can easily request that their data be delivered to themselves or a 3rd party

    processor, controller
  •  

    Your customers can easily object to profiling or automated decision making that could impact them

    controller

CONSENT

  •  

    Ask consent when you start processing a person's information

    controller
  •  

    Your privacy policy should be written in clear and understandable terms 

    controller
  •  

    It should be as easy for your customers to withdraw consent as it was to give it in the first place

    controller
  •  

    If you process children's personal data, verify their age and ask consent from their legal guardian

    controller
  •  

    When you update your privacy policy, you inform existing customers

    controller

FOLLOW-UP

  •  

    You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to.

    controller

SPECIAL CASES

  •  

    Your business understands when you must conduct a DPIA for high-risk processing of sensitive data.

    controller
  •  

    You should only transfer data outside of the EU to countries that offer an appropriate level of protection

    processor, controller

Disclaimer

The information below is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.