GDPR Checklist

By Michael Berberich

As of May 25th, the European Union’s General Data Protection Regulation (GDPR) will take effect, massively changing how the processing of personal data is regulated across Europe and beyond. The GDPR has extraterritorial scope, meaning that any interaction with a citizen of the EU is covered, regardless of where that interaction takes place. This leaves the vast majority of U.S. brands vulnerable, and as such marketers and their legal departments need to be prepared. This checklist, created by the ANA in partnership with Reed Smith, offers a starting point for brands wishing to avoid issues with this sweeping new set of regulations.

  • Appoint a data protection officer. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
  • Determine your organization’s demonstrable data protection compliance structure. Brands must identify their existing governance structure, including the key stakeholders responsible for compliance and the policies and procedures governing the processing of personal data.
  • Understand and record your data processing activities. Build an inventory of who, what, where, when, why and how.
  • Determine what security measures you have in place to protect data, and consider what procedures you have to deal with potential data breaches. Having “guardrails” in place to prevent a data breach is essential, but so is having a comprehensive crisis management plan.
  • Review your processor due diligence process and your existing agreements with partners. It has already been established that brands cannot hide behind their vendor partnerships to avoid penalization, so it is crucial to assess the adequacy of partners’ data protection provisions.
  • Identify your cross-border data transfers outside the European Economic Area (EEA). Assess the legal mechanisms in place to govern such transfers.
  • Analyze your existing data protection compliance efforts against requirements under the GDPR. It is likely that gaps will need to be filled by updating old efforts or introducing entirely new ones.
  • Build a remediation program. Once you have considered your existing compliance framework, identify a set of recommendations for achieving GDPR compliance.
  • Implement your remediation program. Aim to embed your compliance program across the various functions of your organization.
  • Create a “Data Protection Compliance Pack” to demonstrate accountability. Collate all relevant compliance information and documents in one organized pack to easily maintain and audit your compliance program.
Source

"GDPR Checklist." ANA, 2018.