This checklist is intended to help organisations make a systematic evaluation of their situation with regard to the main obligations of the General Data Protection Regulation (GDPR). The content is presented as a list of questions that data controllers and processors should answer appropriately when determining their situation with respect to application of the GDPR.
- Is the legal basis of the processing operations you carry out clearly established? Have you documented the way in which you have determined this?
- If any of the processing operations you carry out are based on consent from the data subjects, have you verified that such consent meets the requirements set out in the GDPR? If not, have you determined how to obtain consent in the way envisaged in the GDPR, or have you found another adequate legal basis for these processing operations?
- Is the information provided to data subjects presented in a clear, concise, transparent, intelligible and easily accessible form? Does this information contain all the elements provided in the GDPR?
- Do you have visible, accessible and easy to understand mechanisms for exercising rights? Can rights be exercised electronically?
- Do you have procedures or mechanisms established that enable you to verify the identity of people who request access or exercise other ARCO rights?
- Do you have procedures established that enable you to respond to requests for the exercise of rights within the deadlines set by the GDPR? Have you assessed whether the processors’ assistance is necessary to respond to requests from data subjects? If you consider such assistance to be necessary, do you intend to include this element in the processing contracts?
- In particular, do you intend to put mechanisms in place to attend to the possible exercise of the right to restriction of processing, ensuring that the affected data can be stored without being subject to the further processing operations that would otherwise apply to it?
- Have you assessed whether the data processing operations you undertake may be the object of the right to data portability? If they are, have you provided for procedures or mechanisms to implement this right and provide the data to the data subject (or to another controller) in a structured, commonly used and machine-readable format?
- Have you considered how to assess whether the processors with which you have contracted or will contract processing operations offer guarantees of compliance with the GDPR where it is applicable?
- Do the processing contracts under which you are currently operating contain all the elements provided for in the GDPR? If not, are you working on adapting them, prior to application of the Regulation?
- Have you assessed the risks the processing operations you undertake entail for the rights and freedoms of natural persons? Have you determined what accountability measures correspond to your risk situation and how you should apply them?
- Have you planned how to establish records of processing activities in your organisation? Have you assessed whether any of the exceptions to this obligation apply to you? Have you considered who should be in charge of keeping these records up-to-date?
- Have you reviewed the security measures that apply to your processing in accordance with the results of the risk analysis? Do you consider you can continue applying the security measures established in the Regulation implementing the LOPD? Have you evaluated the possibility of introducing additional measures according to the type of processing you carry out or the context in which it is done?
- Bearing in mind the type of processing you carry out, have you established mechanisms to quickly identify personal data breaches?
- Have you prepared response measures for the different types of data breach, including procedures to assess the risk they would represent to the rights and freedoms of the data subjects concerned? Have you established procedures to notify data breaches to the data protection authorities and, if applicable, to the data subjects?
- Do you have a register or similar tool in which to document any security incidents that occur, even though these are not notified to the data protection authorities?
- Have you determined whether the processing operations you carry out require a data protection impact assessment because they involve a high risk to the rights and freedoms of data subjects?
- Do you have a methodology for conducting impact assessments?
- In accordance with the type of processing you carry out and the results of the prior risk analysis, should you appoint a data protection officer (DPO)?
- Have you established the criteria to select the data protection officer and, in particular, to assess his or her professional qualifications and expert knowledge?
- Considering the structure of your organisation, does the position of the DPO meet the criteria established by the GDPR with respect to the requirements of independence in the exercise of his or her tasks, situation in the organisational chart, absence of conflicts of interest and availability of necessary resources?
- Have you published the designation of the DPO and his or her contact details, and have you communicated them to the supervisory authority?
- Have you established procedures for data subjects to contact the DPO?
Update:
25.01.2017