Data Protection Form: Fill & Download for Free

Can someone share the checklist for GDPR?A checklist is a great tool when you work on GDPR compliance. The GDPR is choosing consumer trust ahead of the business’s interests. From a legal perspective, that fosters the objective that the GDPR creates an accountability and transparency demand (specifically to the consent of the Data Subjects), it appears that to be compliant you need to appoint a DPO.Steps to take:GDPR Preparation ProjectInquire Third Party GDPR Compliance Implementation (if required)Perform gap assessmentGain senior management commitmentInitiate a project with appropriate resources and budgetEstablish document controlGDPR Roles, awareness and trainingConduct communication program to suppliers and other stakeholdersDefine GDPR roles and responsibilitiesIdentify lead Data Protection Supervisory AuthorityRecruit Data Protection Officer (if required)Appoint Data Protection Officer (if required)Conduct GDPR competence and training needs assessmentPerform GDPR related training and familiarisationConduct GDPR and information security awareness trainingGDPR Personal data mappingConduct initial personal data information gathering exercisePerform an audit of personal data by business areaDefine or Amend Data Protection PolicyIdentify a lawful basis for processing personal data in each caseConduct legitimate interest assessments where requiredIdentify record-keeping requirements and proceduresGDPR Privacy policies and noticesDefine personal data retention and protection policyCreate or amend existing privacy noticesReview and amend consent methods and proceduresAddress age-related consent and controls (children)GDPR Rights of the data subjectCreate and implement data subject request proceduresCreate and implement data subject consent formCreate and implement data subject consent withdrawal formCreate and implement parental consent formCreate and implement parental consent withdrawal formStart recording data subject requestsCreate and implement User Deletion Request PolicyGDPR Controllers and processorsUpdate contracts with processors to be GDPR compliantDistribute supplier questionnaires regarding personal data protectionProvide information to controllers for whom we act as a processorUpdate contracts with controllers to be GDPR compliantAddress employee confidentiality requirementsCreate and implement Bring Your Own Device PolicyGDPR Data protection impact assessmentDefine data protection impact assessment processConduct data protection impact assessment trainingPerform initial data protection impact assessmentGDPR International transfersIdentify international transfers of personal dataAssess the legality of existing international transfersPut in place agreements for international transfers of personal data (where required)GDPR Personal data breach managementCreate information security incident management procedureCreate a personal data breach notification procedure (Data Subjects)Create a personal data breach notification procedure (Supervisory Authority)Conduct information security incident management trainingTest incident management and breach notification proceduresCreate a business continuity plan or disaster plan in case of crisisInform the data subjects that were exposed to a data breachGDPR Project closureRepeat gap assessment to identify remaining non-compliant areasRespond to complaints of data privacy breaches, etcAddress any remaining non-compliant areasPerform post-project reviewCheck for example this checklist with relevant steps and documents you might need for your organization: Free GDPR Implementation Planning Gantt Chart in Excel.Whatever you choose to do, make sure this choice needs to be documented as part of the GDPR’s underlining accountability principle (GDPR Article 29).Hope this feedback was helpful! Please UPVOTE if you like this answer.

Edit: I missed “virtual” in the question, but to answer your main question: virtual DPO is basically an external specialist to whom you delegate responsibilities of DPO that I’ve listed below. In my opinion virtual DPO may be a good option for smaller businesses for certain period of time after the enforcement starts, not on a long term basis - after all, you want your DPO to be in control and up to date, so taking a time to train an in house DPO while outsourcing some tasks to remote specialist seems like better option to me. In our case we a have a designated compliance person and legal adviser and it’s really a blessing: they both are on top of things, they are familiar with the product and the eco-system.GDPR requires all data controllers/data processors engaged in economic activities (together: enterprises according to Article 4: Definitions) that operate within EU markets and process data of EU citizens establish a new position of Data Protection Officers.Important: under the GDPR definitions, term “enterprise” includes not only the businesses, but also any “ a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;” - this means that a person engaged in economic activity, even if it’s a small business. It is also expected to adhere to regulation in general, though that person may be exempt from some requirements in relation to appointment of the DPO and data processing records maintenance. I’ll explain it further.Public authorities and agencies also fall under the definition of data controllers\processors.Article 37 requires data controllers\processors to appoint DPO’s in the following cases:Data processing is performed by public authority (except judicial)Main activities of controller\processor require regular monitoring of EU users’ personal data and/or sensitive personal data (Main activities of controller/processor require processing of special types of data subject to extra protection (related to ethnicity, gender, health, bio metric or genetic data etc.) in large volumes EU member states are allowed to establish extra conditions regarding health related, genetic, bio metric data.These are the prerequisites for appointing a DPO for an organization/business/individual that are identified as data controller/processor.So who is DPO and what’s their role?DPO is going to be a main point of contact between the organization at large and equally data subjects and supervising authorities.DPO is responsible for the following tasks:Ensuring that data processing activities are in line with GDPR through monitoring and auditingDeveloping and implementing policies and processes to prevent breaches and improve data protection within organization, measuring the impact and performanceMaintaining all data processing records within the companyTraining of employeesCommunicating with management, authorities and data subjectsReporting the breaches in a manner and within the time frame outlined in GDPR.There are no specific requirements as for the skills/training required for a person to become DPO, but GDPR text states that a person should be knowledgeable and have expertise in data protection law and practices. Staff member of data processor\controller may be a DPO.Besides, data controllers\processors from outside of EU should appoint a representative in one of EU member states where data subjects reside according to Article 27Who may not need DPO?Article 30 of GDPR states that data processors or controllers with less than 250 employees may not be required to maintain data processing records except when:“ the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”Even though organizations that do not fall under exception most likely won’t need a DPO, they still may use preparation to GDPR to their advantage by reviewing data protection practices, identifying the areas where they might need to improve their practices and win more trust both from partners and customers.

GDPR is a European Union’s law on data protection and privacy for individuals within the EU.In a few days, it will update the existing Data Protection Directive enacted in 1995, which was long before widespread internet use when, quite naturally, the way we share and store information has drastically changed since then.The aim of GDPR is to give residents control over their personal data and unify the regulations within the whole Union. As GDPR states: “The protection of natural persons in relation to the processing of personal data is a fundamental right”. And indeed, it is.GDPR gives companies guidelines and limitations, thus offering more clarity as to how they can operate, and the mindset must change from the now popular tick-box compliance to actual understanding and lawful data management.It applies to anyone who processes data of EU residents. Whether you’re an international company or a local business, you must comply with the regulations regarding the collection, storage, and usage of personal information.Compared with the previous directive, there are some important changes in several areas:TerritoryGDPR does not only apply to companies that are based in member countries, every company dealing with the data of EU residents will be subject to GDPR. That means that it applies both to every EU-based company and to international companies that process the data of individuals in the EU.Definition of “personal data”The definition of “personal data” was updated and expanded. GDPR identified the kinds of data companies gather about people, including IP addresses and mobile device identity – these are also seen as personal data now. Any economic, health or cultural information will also be seen as personally identifiable. Apart from that, anything that was previously included in the Data Protection Act as personal data stays this way.PenaltiesData Protection Authorities will have the power to enforce severe penalties for data breach. The biggest fine that can be imposed is 4% of annual global turnover or 20 million Euro (whatever is greater). That will be the penalty for the most serious infringements, such as not having sufficient customer consent for data processing.ConsentTerms and conditions will have to change. Let’s say goodbye to pre-ticked boxes. Not only will the consent have to be explicit, but also the companies will be required to have their terms and conditions written in plain language.AgeThe age barrier for data collection is rising from 13 to 16.ErasureIf any data is not used for its original purpose (defined in the contract), it must be deleted. Any individual is granted the right to erasure, known also by its more catchy name ‘’the right to be forgotten’’.If you want to read more about what GDPR is, I recommend you this article:What is GDPR and how does it affect my business?