Speaker 1: In this video, I'm going to give you my 12-step GDPR compliance checklist. This can go a long way in helping you check and ascertain whether you are compliant with GDPR and have fulfilled the key requirements. My name is Puneet Bhatia and I'm the founder and CEO of a company called Fit for Privacy. We help you with privacy strategy, its implementation and training for your staff. Before we start, please do click like and comment so that we can notify you of the new videos that come up. Your support matters. Coming back to the GDPR compliance checklist. So, 12 steps to GDPR compliance. Step one being data inventory. Data inventory means you have created a map, a view of all the data elements that you process: what personal data you collect, what you process, where it goes, who it is shared with and how it is protected. Look at it like inventory in a manufacturing unit, that is, stock of everything that exists in a company. And here, since it's about data, we call it data inventory. A data inventory is sometimes also called a record of processing activities by some people, because that's how GDPR defines it. If you have created it, one step tick: you have a data inventory, one step forward. Now, the second thing: data expiration. So in the EU GDPR, and also the UK GDPR, you cannot keep personal data any longer than is necessary. That means, after the data has completed the purpose of processing, it must be deleted. If I had subscribed to your newsletter, you have the right to keep my data. But if I have unsubscribed from the newsletter, you have no reason to keep my data forever. And this, how long you should keep your data, is a business decision plus a legal decision. Now, you and your company need to have an approach on how long you keep the data, and when you expire it once a customer is no longer your active client. Do you have this?
If you have this approach, second item tick, that is, you have a data expiration or data retention or data deletion approach. Of course, I know it is challenging, because in the modern world there is soft delete, hard delete and so many possibilities. But a data expiration approach is a must. The third thing. So you've done two things: data inventory and data expiration. The third thing is consent. This means when you collect consent, you tell them what it is for, and you don't bundle it. And you explain it in simple and plain language while allowing them to withdraw their consent. How do you do it? And what do I mean by bundled? I mean, if I'm subscribing to your newsletter, that is one purpose. But if I subscribe to your event, then it's another purpose. So when I'm subscribing for an event, and you start sending me a newsletter, that is a strict no because it's bundled consent. You can always ask me if I need consent. Coming back to the checklist. Consent: if you have asked for it, while allowing the individual the ability to withdraw his or her consent, that's the third tick, consent done. The fourth element in the context of this checklist is individual rights. Individuals, that is, people whose personal data you process, maybe your employees, maybe your customers, maybe your prospects, maybe your suppliers, have the right to ask you for the right to information, right to access, right to deletion and so on. Have you put in a process wherein individuals can exercise their rights, and can you answer those rights within 30 days? If you have done that, that's a good job done. The fourth item, that is individual rights, is a tick: you have put in a process for individual rights. The fifth item is data transfers. In the modern world, data flows, and in the data economy, data also travels across countries.
But you need to make sure that the personal data that is being transferred is transferred in an adequate manner, with adequate security, with adequate controls. What kind of controls? You put technical controls, you put organizational controls; that's when data is in your company. But when it's transferred, you also put in contractual controls, that is, you sign a contract, you add the necessary elements like the data processing agreement, the standard contractual clauses or whatever is needed. If you have made sure that the personal data transfers in your company are adequately protected with adequate safeguards, you have done well to have the fifth item tick. Now the sixth thing: transparency. That means you always inform individuals whose personal data is being processed, and you tell them what personal data you collect, why you collect it, what you do with it, who you share it with, how they can exercise their rights and so on. How do you do it? You do it through a privacy notice or a privacy statement. Our US friends sometimes call it a privacy policy. Now, if you have done that along with a cookie notice and any other privacy notice at the time of collection of data, that is, whichever screen is collecting personal data, you put in a link to the privacy notice. If you have done that, that's the sixth item, transparency, tick. The seventh item is awareness and training. Have you informed, have you trained all your staff that process personal data or deal with personal data to protect it at all times? Have you done that? If you have done that, that is the seventh item tick, because legally you must train and make aware all your staff about personal data processing and what you expect from them in terms of protecting personal data. The eighth item is data breaches. You will do all the things that are necessary to protect data, but sometimes unintended, unauthorized access to personal data will happen. That is what we call a personal data breach.
If that happens, how will you handle it, who will detect it, how will you monitor it and how will you remediate that situation? This is called a data breach process. How do you manage personal data breaches, and have you put in the capability to react and respond to these? If you have done that, that is the eighth item, personal data breach, tick. And remember, in the EU GDPR you need to respond, or you need to notify certain personal data breaches to authorities, within 72 hours. So, remember to put that in the process. Now, the ninth thing is data protection impact assessment. When processing involves a significant amount of risk to the individual's rights and freedoms, then you need to conduct what we call a data protection impact assessment, not to be carried out on each and every process, but where necessary. If you have put in a process and carried out the DPIA on high-risk processes, you have done well. So, that is the ninth item tick. The tenth item, data protection officer: not everyone needs one, but you must check if your company needs it. Data protection officer means a person who is there to oversee the implementation, monitoring and ongoing compliance with the EU GDPR. Have you checked whether your company needs a data protection officer or not? If you have done that, that is the tenth item tick, DPO. While you will do these as a project, a one-time activity, the question is, how are these things being done on a continuous basis? How is your staff taking care of it? Is what you put in the project really happening? For that, you need a privacy operations team, that is, a small team which will take care of the ongoing day-to-day requirements, making sure the policy and processes are being followed, answering the ongoing queries and also looking out for any new requirements that need to be complied with. Small companies usually would put in an external consultant like me and say, manage it for us on a part-time basis.
But large companies would have their own staff, what we call a privacy office. If you have put in a privacy operations team or a privacy team to take care of the privacy requirements on an ongoing basis, that is, advise the business and monitor compliance on an ongoing basis as well as train them, then the eleventh item, privacy operations, is a tick. The twelfth item: evidencing or documenting. This is the most important one. If you do all the eleven items and do not do this one, it all goes to zero, because GDPR asks for accountability. In fact, all privacy laws ask for accountability. Accountability means you as a company are taking care of compliance with the law and can demonstrate it. If you have made a decision, let us say about the DPO, and you decided not to appoint a DPO. Five years later, your company has grown, an incident happens and the authorities ask, why did you not appoint a DPO? Two things. One, have you documented that decision? If you have, you can show that five years ago this decision was made in this, this, this situation. These people decided, and that is how it was made, and then the authority would say it is time to review it. But if you are not able to demonstrate it, if you do not have evidence, if you do not have the documentation, then the question is, it is negligence, because you cannot prove it, and then the risk of a fine increases. So, always, always, always document all privacy decisions that your company makes. So, now you have gone through the 12-step GDPR compliance checklist. Let us make a quick summary of it. First was data inventory, that is, you have kept a record of processing activities, that is, what data is being collected, where and when. Second, meaning data expiration, that is, you know how long data is to be kept and after that you expire the data. Delete, anonymize or whatever is needed, the action is taken on the data.
The third thing is consent, that is, you ask for consent when necessary and also allow it to be withdrawable, and do not process personal data without consent. No consent, no processing. Individual rights, that is, individuals have rights and you have put in a process for exercising those rights. Fifth was data transfer, that is, you put adequate security in place when data is being transferred between systems and/or countries. You put in adequate security. The sixth thing we talked about was transparency, that is, having a privacy notice and a cookie notice on your website. The seventh thing was awareness and training, that is, you make sure your staff knows about data protection obligations and what they have to do. The eighth thing was data breach, that is, when unintended, unauthorized access has happened, you are able to react, respond and notify authorities if needed. Ninth, meaning the data protection impact assessment, which you carry out on high-risk processes. The tenth being the data protection officer: do you need to appoint one or not? Make a decision. Eleventh, meaning having a privacy operations approach, team, whatever is needed. And the twelfth is evidencing or documenting, that is, you document all your privacy-related decisions and create evidence. And if you need the 12-step compliance checklist, this is available in my book, Be Ready for GDPR. In this book, there are many types of checklists which are available, and also a simple explanation of GDPR. So thanks for watching. Please do click like, do comment. And if you need to download the GDPR compliance checklist, please click on the link below. If you want to buy the book, the link is also available. Thank you.