GDPR
Compliance

Schneider Downs Approach to GDPR Compliance

1. Awareness
You should make sure that decision-makers and key people in your organization are aware that regulations are changing. They need to appreciate the impact that these changes are likely to have on your organization. In addition, line-level and larger scale training may be necessary for certain personnel within your organization who handle personal data on a regular basis.

2. Document the Personal Information You Hold
You should document what personal data you hold, where it came from, what you do with it and who you share it with. We use data flow diagrams and business process maps for each of these processes.

3. Communicating Privacy Information
You should review your current privacy policies, procedures, contracts and notices and put a plan in place for making any necessary changes to meet the GDPR deadline.

4. Individuals’ Rights: Right to Be Forgotten, Transfer Data or Correct Data, etc.
You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete any obsolete data (e.g., right to be forgotten), transfer data upon request or correct any incorrect information.

5. Data Subject Access Requests for Data / Information on Data Handling
You should update your procedures and plan how you will handle data extraction requests to meet the 30-day requirement. Data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data. They also have the right to inquire about the nature of further processing and treatment of their data while it was in the controller’s possession.

6. Inventory Your Data
Identify all the data subjects for which you process or store sensitive data and determine whether GDPR applies to their country. Document the supervisory authority for each member country and identify the data controller for each process. You need to also determine who the lead supervisory authority will be based on your overall activities.

7. Lawful Basis for Processing Personal Data
You should review your current practices and contracts and identify the lawful basis for your processing activity under the GDPR, document it, and update your privacy notice to explain it.

8. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consent processes now if they do not meet the GDPR standard.

9. Data Breaches / Incident Response Plan
You should make sure you have an incident response plan in place to detect, report and investigate a personal data breach. The plan needs to be documented and tested.

10. Security of Processing
You should ensure that certain technical safeguards are in place to ensure that risk to personal data is effectively mitigated. Your plan should include techniques such as the pseudonymization and encryption of personal data. Effective controls to not only ensure the ongoing security, but also the confidentiality and availability of personal data must also be in place.

11. Data Protection by Design and Data Protection Impact Assessments
You should familiarize yourself now with the code of practice on Data Protection Impact Assessments as well as the latest guidance from the Article 29 Working Party, and decide how, when or if you need to implement these in your organization.

12. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance model. You need to determine whether you are required to formally designate a Data Protection Officer. If so, this position must report to the highest levels of management.