GDPR Compliance Checklist: How to Be GDPR Compliant in 2023
As we approach the end of 2023, it is time to look back. We started the year by anticipating which areas would become focal points for GDPR compliance in 2023, and we finish it with this article: a 2023 GDPR checklist.
Rather than looking forward, this article offers a retrospective glance at the significant GDPR compliance highlights of 2023. To make it as tangible as possible, I have put the points I wish to emphasize into a checklist. It provides a concrete approach to GDPR that you can apply in whole or in part to your own work. Use it to verify that you have addressed each area.
It's important to note that this is not an exhaustive list. It pinpoints key aspects of the GDPR legislation. To be fully GDPR compliant, you must still meet the ongoing requirements: creating and maintaining your records of processing activities (Article 30), conducting risk assessments, and planning your annual compliance calendar.
Read more about GDPR documentation here: Everything you need to know about GDPR
Are you looking for an overview of your GDPR tasks? Try .legal’s GDPR Compliance Tool For Free!
First, let's clarify what GDPR is to set the context for the checklist. If you're already well-versed in this, feel free to skip ahead.
The GDPR, adopted in 2016 and applicable since 25 May 2018, aims to protect the personal data of individuals in the EU. To grasp what GDPR encompasses, it's useful to break it down into the seven fundamental principles set out in Article 5:
Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently. Lawfulness requires a legal basis for every processing activity; the legal bases are listed in Article 6 and, for special categories of data, in Article 9. Fairness and transparency mean that data subjects know how their data is being processed.
Purpose limitation: Your organization should only process personal data for specified, explicit and legitimate purposes. Inform the data subject of the purpose in terms they can understand, and do not further process the data in a way that is incompatible with that purpose.
Data minimization: Collect only the data that is necessary for the stated purposes. Regularly review whether the data you process is still needed for the intended purpose. If it is not, delete it to minimize the risk to the data subjects.
Accuracy: Data must be accurate and, where necessary, kept up to date. Take reasonable steps to correct or erase data that is inaccurate for the purpose it is processed for.
Storage limitation: Keep personal data in identifiable form for no longer than necessary for the purpose. Ask yourself whether you still need the data for the processing purpose, and delete or anonymize data beyond that scope.
Integrity and confidentiality: Implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful access, accidental loss, destruction or damage.
Accountability: Your organization is responsible for, and must be able to demonstrate, compliance with the six principles above in its handling of personal data. That is what your documentation is for.
These seven principles provide an essential insight into what GDPR is and what the rationale behind the regulation is. Although updates to legislation and guidelines are ongoing, the principles remain steadfast, and the detailed provisions exist to guide you in adhering to them.
Does GDPR Apply To Me?
The straightforward answer is usually "yes". Under Article 3, GDPR applies if your business is established in the EU and processes personal data, or if, from outside the EU, you process personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
The location of your business is therefore not decisive. What counts is the people whose data you process, for instance customers or employees. Note that the protection attaches to individuals located in the EU, not to EU citizenship as such.
This means that any business with an establishment in the EU is covered by GDPR and must follow the regulation. As a business owner you will almost certainly process data about employees, and about customers located in the same country as your business.
For businesses located outside the EU, GDPR still deserves attention. Consider the following indicators. Does your business offer goods or services to people in the EU? Do you run marketing campaigns targeted at them? Does your website address EU countries, for example by offering a language spoken in an EU country (other than English, which on its own says little), local currency or delivery? Do you have a branch in the EU, or employees located there? There are numerous situations where GDPR becomes relevant even though your business is not physically located in the EU.
GDPR sets the same standards for all businesses, with only limited derogations (for example, Article 30(5) exempts organizations with fewer than 250 employees from keeping records of processing, but the exemption falls away for non-occasional processing, for risky processing and for special categories of data, so in practice it rarely applies). A small hair salon must therefore meet the same compliance requirements as a large IT company, including the same documentation. But the complexity of the compliance work varies with the type of business: its size, the services offered, and how digitized it is.
It's not a mistake to go beyond the minimum. The more thoroughly you follow the seven GDPR principles, the better you protect the personal data you hold, which is in the interest of the individuals whose information you process.
Furthermore, you will find that the scope of your documentation task varies based on different factors:
Public Institutions: These have specific rules and guidance to follow.
Large Volume of Data: If your business handles large amounts of personal data, the documentation requirements increase.
Sensitive Data: If you process special categories of data such as health data or trade union membership, Article 9 imposes stricter requirements on the legality of the processing, and you must consider additional security measures.
Numerous Suppliers: If you rely on many different systems and subcontractors to deliver your service, your data mapping becomes more complicated.
Different Roles: In data processing there are two main roles: data controller and data processor. Every company is a data controller for its own employee and customer data, and some also act as data processors, such as those providing IT systems to their customers. This requires documentation from both perspectives and makes the compliance work more complex.
These factors determine how in-depth your documentation needs to be. Certain GDPR tasks are only relevant for specific types of businesses, while others are universal. The following checklist includes 10 GDPR compliance activities that have been key to address in 2023.
GDPR Compliance Checklist For All Businesses
To ensure your business is GDPR compliant, there are various activities and documentation tasks to address. Crafting a comprehensive checklist is challenging because the tasks differ from one business to another.
There are fundamental activities that all companies must perform, and there are specific activities tied to particular areas of your business's operations. You only need to address the latter if they are pertinent to your business.
In this article, we look at GDPR compliance activities that have been particularly pertinent in 2023. We have identified them from cases of fines or warnings, and from changes in the global landscape, both technological and legal. Each point is explained so that you can assess whether it is relevant to your business. Ask yourself whether you are already compliant, or whether you need to devise a plan to achieve compliance.
Know your data
Understanding how your organization processes personal data has always been crucial, which is why this point is on the checklist. Knowing your data and maintaining an overview is fundamental, and it underpins the remaining tasks on the list.
A concrete method to "know your data" and gain an overview is data mapping. This is a thorough review of the internal processing of personal data within your organization. The internal data mapping is then augmented with, and linked to, your data flow mapping, which outlines whom you share data with, on what basis, and where the data ends up (including any transfers to third countries).
As compliance requirements grow and evolve, so does the need to understand your data, and every new requirement adds to the complexity of your data map. It is easier to start early and expand the map continuously than to begin later, when there are even more regulations to consider.
Have you reviewed and updated your data map in 2023, taking into account changes in your business and updated compliance requirements?
Appoint a Data Protection Officer (DPO)
Does your business have a Data Protection Officer (DPO) or a person responsible for data protection? Not all companies are required to appoint a DPO. Article 37 makes one mandatory for public authorities, and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Even where it is not obligatory, appointing one can be beneficial.
If a DPO is not mandatory, it is still advantageous to designate one or more individuals responsible for personal data. With the volume of existing and incoming compliance requirements, clear responsibility is crucial. You need someone who can oversee and plan how your company meets GDPR requirements.
GDPR compliance is not the achievement of a single person; it is a collective responsibility across the company. Knowledge of why we protect personal data must be rooted in every employee. Without a "captain" to set the course, that is hard to achieve: someone needs to embed this understanding in the organization's culture, lead the way, and ensure that documentation is kept current and up to date with legal changes.
Further reading: What is a GDPR Data Protection Officer (DPO) and do I need one?
Have You Considered the Use of AI?
Artificial Intelligence (AI) has been one of the major topics of conversation in 2023. A frequently mentioned example is ChatGPT, a generative AI service built on a large language model. Generative means that it produces new content, such as text or images, rather than only classifying data it is given.
The output is obtained through a prompt, a text message in which you describe what you want the AI to produce.
The possibilities that AI has opened up, and will continue to open up, are undoubtedly exciting, and for many businesses AI will become an efficient tool in daily operations. But when you enter text into a hosted AI model, that text may contain personal data, and it typically leaves your organization and is processed by the provider. That is why you must consider the GDPR implications: legal basis, a data processing agreement with the provider, and any transfer to a third country.
For instance, the Danish Data Protection Authority has already issued guidelines on the use of AI by public authorities. In general, it would be beneficial for your company to develop a policy in this area. This doesn't mean that AI models should be banned at work, but there should be a policy that employees are trained on, making them aware of the kinds of information that must not be shared with an AI service.
Evaluate the Use of Personal Data, Risk, Security Measures
GDPR takes a risk-based approach. It's critical to perform risk assessments for the processing activities identified in your data mapping, so that you can address potential threats before they materialize.
This point is included in the checklist because of several decisions and reprimands over the past year in which the absence of adequate security measures was the common issue. Missing security measures increase the risk of incidents such as cyber-attacks or unauthorized access to personal data.
Risk assessments and security measures are interlinked: Article 32 requires security appropriate to the risk, so you cannot choose measures sensibly without first assessing the risk. One of the Data Protection Authority's decisions highlighted that insufficient control over broad access rights to personal data, in other words access wider than the job requires, raises the risk of unauthorized access.
Have you implemented adequate security measures to reduce risk in your organization? Conducting risk assessments is the first step in gaining a comprehensive overview.
For more information on how to perform a GDPR risk assessment, you can read this article.
The Data Protection Authority in Denmark has released a guide to security measures: View it here.
Procedure for Data Breaches
This section extends naturally from the previous one. It emphasizes the importance of having a defined procedure in case of a personal data breach.
A breach is where you find out how well your procedures and GDPR documentation actually work. Under Article 33, a data controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. A data processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)); the 72-hour clock belongs to the controller.
As a data processor, you therefore report the breach to the data controller on whose behalf you process the data. It is the controller's responsibility to assess the breach and report it to the supervisory authority.
If you're a data controller, you report directly to your supervisory authority, such as the Data Protection Authority (Datatilsynet) in Denmark. The notification must describe the nature of the breach, including the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and a contact point such as your DPO. Where the breach is likely to result in a high risk to individuals, Article 34 additionally requires you to inform the affected individuals. This is why your data mapping is critical: it lets you quickly establish which data, and whose, a compromised system held.
Failing to notify within the deadline is itself a breach of the regulation and can be sanctioned independently of the underlying incident. So, do you have a procedure in place to detect, assess and report a data breach swiftly?
Transparency in Your Data Collection
It's vital for your company to be open and transparent about its personal data processing. This is known as the duty to inform, set out in Articles 13 and 14, and it applies to any company that processes personal data of individuals in the EU, whether the data is collected from the individuals themselves or obtained from another source.
Are Your Data Processors Covered by the Data Privacy Framework?
If you use data processors in the USA, familiarize yourself with the EU-U.S. Data Privacy Framework (DPF). It has been one of the significant developments of 2023. Since the Schrems II judgment in 2020 the USA had no adequacy decision, so it was treated as an unsafe third country, and transfers to US companies required additional safeguards.
In practice that meant an approved transfer tool such as the standard contractual clauses (SCCs), plus a Transfer Impact Assessment (TIA) covering the receiving company, and supplementary measures where the TIA called for them.
Since the European Commission's adequacy decision of 10 July 2023, a transfer to a US company that is certified under the DPF can rely on that certification as its transfer basis, which simplifies the documentation for data transfers to the USA. You can look up certified companies on the official DPF list.
A company certified under the DPF commits to a set of data protection obligations, and that commitment is your assurance for the transfer. Note that certification is per legal entity and the listing states whether it covers HR data, non-HR data or both, so check that the entity you actually contract with is listed and that the scope covers the data you transfer.
If you transfer data to the USA, check whether each of your data processors is certified under the DPF. If so, update your data processing agreements and your data map to reference the DPF as the transfer basis. For processors that are not certified, SCCs and a TIA are still required.
Do You Have a Plan and Do You Monitor Your Suppliers?
It's critical not only to meet the compliance requirements relevant to your business, but also to ensure that the chain remains intact when you outsource data processing.
For example, your IT provider processes personal data on your behalf, typically because they deliver an IT service to you.
Compliance does not stop within the walls of your company. Article 28 requires you to use only processors that provide sufficient guarantees, to bind them with a data processing agreement, and it gives you the right to audit them. As compliance requirements for you increase, so do the expectations of your suppliers. For instance, do they handle their own transfers to companies in the USA properly, and do they use only the sub-processors you have approved?
So, maintain ongoing oversight of your data processors, for example by reviewing their audit reports or certifications and their sub-processor lists at least annually. That way you can verify that they process personal data in accordance with your agreements. Have you monitored your data processors in 2023?
Does Your Business Need to Be NIS2 Compliant?
Although NIS2 is not directly related to GDPR compliance, there are many parallels, so it makes sense to fold NIS2 into your documentation efforts if you fall under the NIS2 Directive.
The NIS2 Directive (Directive (EU) 2022/2555) was adopted in December 2022 and entered into force in January 2023. Member states must transpose it by 17 October 2024, from which point in-scope businesses must have the security measures required by the directive in place. This makes NIS2 highly relevant in 2023, and it will remain so in 2024.
GDPR focuses on personal data processing. The NIS2 Directive has a broader scope: the cybersecurity of essential and important entities in critical societal sectors, covering all of their information and systems, not only personal data. You need an overview of your critical assets, risk assessments for them, supply-chain security, incident reporting (an early warning to the national CSIRT or authority within 24 hours and a notification within 72 hours of becoming aware of a significant incident), and a control and task structure to support these activities. This is much like your tasks for GDPR compliance.
You might be able to repurpose parts of your GDPR documentation for NIS2. For example, if you have mapped your systems and processing activities for GDPR, this mapping could be expanded for NIS2.
Are you subject to the NIS2 Directive, and if so, have you already started implementing the necessary security measures?
Starting January 1, 2024, .legal will introduce a new ISMS module for Privacy, which includes features that can assist you with your NIS2 tasks, both in terms of implementation and operation. Learn more about the module here.
GDPR Compliance in Marketing Activities
Marketing is an activity that most businesses engage in, and it has always been essential to consider how personal data is processed in this context. Today's marketing is heavily data-driven, especially direct marketing, which is a frequently used strategy.
Direct marketing will almost always fall under GDPR, because you use personal data to identify individuals and target your campaign directly at them.
So, it's crucial to consider how you process personal data in relation to your marketing activities. This has been a focus in 2023, with the Data Protection Authority releasing guidance on direct marketing. Remember that GDPR governs the personal data itself, while the consent requirements for electronic direct marketing (e-mail, SMS) come from the ePrivacy rules as transposed into national marketing law, so both sets of rules apply.
This guidance can be used when planning your marketing activities, to ensure that GDPR considerations are built in from the beginning.
Do you have control over how you process personal data in your marketing activities?
How to be GDPR Compliant on Websites
Your website serves as your company's showcase, and it must be GDPR compliant regardless of its complexity and functionality. Here are key tasks to perform annually to maintain compliance:
- Check for legislative changes and assess whether your privacy policy needs updating. This covers the purposes, legal bases, deletion deadlines, which data is processed and about whom, and any transfers to third countries. Your data mapping is a valuable tool in this context.
Planning these activities in a GDPR annual calendar is advisable to ensure they are carried out regularly. And to document that these activities are being addressed.
Why Use GDPR Compliance Software?
As outlined in this article, there are many aspects to manage in relation to GDPR compliance. Some activities are ongoing throughout the year, while others arise from current cases.
Keeping track of all the activities associated with being GDPR compliant can be challenging, and GDPR compliance software can be a significant aid. Many companies begin their compliance documentation with tools like Excel, but they quickly outgrow these static formats.
You can also read our comparison: GDPR documentation in Excel vs. GDPR platform
And for more details: Do I really need GDPR Compliance Software?
GDPR compliance software can assist you by automating processes and creating an overview. Typical problems it addresses include:
Difficulty collaborating on GDPR documentation tasks.
Lack of a consolidated overview where all GDPR documentation is stored.
Difficulty identifying gaps in documentation and tracking progress.
Difficulty comprehending the various legal rules.
Need for guidance and examples to ensure correct compliance handling.
Remembering to update existing documentation.
Staying informed about changes in GDPR legislation and their impact on documentation.
These are just a few examples of the issues that GDPR compliance software, like Privacy from .legal, can address. A platform like Privacy guides you through your documentation tasks, provides overviews and reports, highlights areas of deficiency, and creates tasks to help keep your documentation up to date. Unlike general-purpose tools like Excel, GDPR compliance software is designed for this purpose.
Features include modules designed for GDPR work, such as:
Policies and procedures.