By now we would hope that you have a good understanding of the fundamentals of GDPR, but what next? We have put together a GDPR compliance checklist which includes 10 steps to get you jump-started in the right direction for your Lincolnshire business.
But before we begin, you will need to designate a GDPR resource in the company who will lead the project. Our expert Lincolnshire team provide GDPR training, or alternatively you may want to outsource this role to our GDPR consultants.
- Know what data you collect, hold, share and store, including cloud applications that are processing or storing your data. This will usually involve performing a data inventory.
- Remember that GDPR is bigger than just Personally Identifiable Information (PII). Personal data includes online identifiers such as cookies, location data, and sensitive data such as race, political views and biometric data.
- Collect only necessary data on your customers.
- Limit processing of ‘sensitive’ data such as race, ethnicity, political views, and religion. Remember that you still need to obtain consent if collecting any of this data.
- Review and update agreements with all data processors and third parties (where applicable).
- Conduct or respond to inspections and audits of data processors, either directly or through an external auditor, to ensure GDPR compliance in Lincolnshire.
- Make sure processors only use personal data for the designated purpose. If you are a data processor, make sure you process data only for purposes you have agreed upon in the contract, and for which consent was provided.
- If you work with a sub-processor, make sure that you have the appropriate agreements and notices in place to do so.
- Ensure security measures are in place for both data controllers and processors to protect personal data from loss or unauthorised processing. Here are some essential points to review:
  - Does the vendor have a well-defined and clear access control policy?
  - Who can access your company’s data and when? Is this access tracked?
  - Does the vendor have a designated person responsible for security and data protection?
  - How does the vendor secure data?
  - What is the company’s data retention policy?
  - For data that is to be deleted, you need to ensure that copies of it are not held in multiple locations.
  - You also need to keep a record confirming that this data has been deleted as required.
- At the end of the service term (and if requested by the controller), the processor must delete or return all the personal data to the controller. They must also delete all existing copies (unless EU law requires storage of the personal data). Processors can request an inspection to ensure that this has been done.
We hope you have found this GDPR compliance checklist useful. If you require any help at all with GDPR compliance in Lincolnshire, please contact us at firstname.lastname@example.org, or call us on 07878 045252.