Review the checklist below and check that your company complies accordingly.
- Does GDPR apply to me territorially?
It does if you process personal data about EU/UK residents, even if you are based outside the EU/UK.
- Do I process data that GDPR applies to?
If you process data that is capable of identifying an individual (including online identifiers such as IP addresses and cookies), then GDPR applies.
- What data do I process and for what purpose?
- Do I process sensitive data?
Sensitive data consists of racial or ethnic origin, political opinions, religious beliefs, genetic data, sexual orientation, etc.
- Do I have a GDPR-compliant Privacy Notice?
- Have I added my GDPR-compliant Privacy Notice to my website?
- Have I sent my GDPR-compliant Privacy Notice to my subscribers?
GDPR requires you to send your Privacy Notice to your subscribers to confirm how you collect and process their personal data and for what use.
- Have I added my opt-in wording to my sign-up box?
This applies if you use a sign-up box on your website.
- Have I obtained GDPR-compliant consent for electronic marketing communications?
- Have I put in place a system for managing opt-outs / withdrawal of consent?
- Have I put in place GDPR-compliant agreements with third parties to whom I transfer personal data?
- Have I obtained GDPR-compliant consent for processing sensitive data?
Processing sensitive data requires explicit consent (a double verification process).
- Do I need to appoint a Data Protection Officer?
- Do I need to carry out a Data Protection Impact Assessment?
A DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons.
- Have I put in place a system for data breach notification?
A data breach occurs where there is loss, alteration, unauthorised disclosure of, or access to personal data AND there is a risk to the rights and freedoms of individuals. In case of a data breach, you must notify the ICO within 72 hours of the breach.
- Is my insurance adequate?
Contact your insurance broker to discuss any increased liability due to GDPR.
- Do I have a Data Retention Policy in place?
- Have I reviewed the security of my data?
- Do I need to pay the controller charge?
- If I have employees, have I arranged data protection training for them?
- If I have employees, have I put in place systems for handling employee subject access requests?