It seems that every website purporting to be the front for a GDPR service has some sort of instant checklist, many of which are not as comprehensive as the one the ICO provides on its own website.
At best, they provide a high-level view on where a business might be in relation to GDPR.
Is this useful?
If you are just starting your GDPR journey then arguably yes.
If you are looking for the silver bullet, ‘what do I really need to do to become compliant’ then probably not.
GDPR isn’t something you can solve with a checklist
The problem here is that the GDPR can be complicated to start with, and becomes more complicated the more data you have and the larger your organisation.
Consider just one question:
Do you know where all your data is?
Let’s make it easier:
Do you know where all your data is, specifically personal data?
Unless you are a very small business, there is a high likelihood that the answer to this is NO.
However, you might know where some of it is, or indeed most of it; you might also know where it all ought to be. So what is the real answer for the checklist?
The Data Question
The data question above is a fundamental one for the GDPR; you must know where it all is to control it properly.
Data Storage and Processing
Let us assume you do know where all your data is, ask yourself this:
Do I have appropriate consent, a legitimate interest, or another lawful basis for processing that allows me to collect and process this data?
This is unlikely to have a simple yes or no answer.
That is a simple illustration of why a checklist is of limited value.
What isn’t on any checklist?
So here are some GDPR questions you are unlikely to find on any ‘silver bullet’ checklist.
- Does your HR Department need to keep all that personal data they collected when they hired someone?
- Has the facilities department registered their use of CCTV with the ICO?
- Does my company send sensitive information to any 3rd parties?
- Is my IT outsourced and, if so, what can the provider access?
- Does my accounts department realise sole traders are almost certainly covered under GDPR?
- Do your employees know their rights under GDPR?
- Do your executives realise they could be personally liable under GDPR? *
- Can your employees or 3rd parties access personal data outside the EEA?
* “Elizabeth Denham made a recommendation at an appearance before the House of Commons Public Bill Committee that company directors should be held personally liable for data breaches by their companies.”
Conclusion
- A checklist won’t make you compliant with GDPR
- It might give you a false sense of security
Of course, some checklists are better than others.
Find a checklist that asks the difficult questions; better still, find a professional who can ask all the questions, including the difficult ones; and best of all, find someone who can help you find the answers.
If you would like to know more about how GDPR Auditing can help your organisation with GDPR please email us at info@gdprauditing.com or email the author philip.mather@gdprauditing.com.
© GDPR Auditing 2017
The information provided in this post is for general information only and is not intended to provide legal advice.