Personal Data Protection Policy: Fill & Download for Free

Can someone share the checklist for GDPR?A checklist is a great tool when you work on GDPR compliance. The GDPR is choosing consumer trust ahead of the business’s interests. From a legal perspective, that fosters the objective that the GDPR creates an accountability and transparency demand (specifically to the consent of the Data Subjects), it appears that to be compliant you need to appoint a DPO.Steps to take:GDPR Preparation ProjectInquire Third Party GDPR Compliance Implementation (if required)Perform gap assessmentGain senior management commitmentInitiate a project with appropriate resources and budgetEstablish document controlGDPR Roles, awareness and trainingConduct communication program to suppliers and other stakeholdersDefine GDPR roles and responsibilitiesIdentify lead Data Protection Supervisory AuthorityRecruit Data Protection Officer (if required)Appoint Data Protection Officer (if required)Conduct GDPR competence and training needs assessmentPerform GDPR related training and familiarisationConduct GDPR and information security awareness trainingGDPR Personal data mappingConduct initial personal data information gathering exercisePerform an audit of personal data by business areaDefine or Amend Data Protection PolicyIdentify a lawful basis for processing personal data in each caseConduct legitimate interest assessments where requiredIdentify record-keeping requirements and proceduresGDPR Privacy policies and noticesDefine personal data retention and protection policyCreate or amend existing privacy noticesReview and amend consent methods and proceduresAddress age-related consent and controls (children)GDPR Rights of the data subjectCreate and implement data subject request proceduresCreate and implement data subject consent formCreate and implement data subject consent withdrawal formCreate and implement parental consent formCreate and implement parental consent withdrawal formStart recording data subject requestsCreate and implement User Deletion Request PolicyGDPR Controllers and processorsUpdate contracts with processors to be GDPR compliantDistribute supplier questionnaires regarding personal data protectionProvide information to controllers for whom we act as a processorUpdate contracts with controllers to be GDPR compliantAddress employee confidentiality requirementsCreate and implement Bring Your Own Device PolicyGDPR Data protection impact assessmentDefine data protection impact assessment processConduct data protection impact assessment trainingPerform initial data protection impact assessmentGDPR International transfersIdentify international transfers of personal dataAssess the legality of existing international transfersPut in place agreements for international transfers of personal data (where required)GDPR Personal data breach managementCreate information security incident management procedureCreate a personal data breach notification procedure (Data Subjects)Create a personal data breach notification procedure (Supervisory Authority)Conduct information security incident management trainingTest incident management and breach notification proceduresCreate a business continuity plan or disaster plan in case of crisisInform the data subjects that were exposed to a data breachGDPR Project closureRepeat gap assessment to identify remaining non-compliant areasRespond to complaints of data privacy breaches, etcAddress any remaining non-compliant areasPerform post-project reviewCheck for example this checklist with relevant steps and documents you might need for your organization: Free GDPR Implementation Planning Gantt Chart in Excel.Whatever you choose to do, make sure this choice needs to be documented as part of the GDPR’s underlining accountability principle (GDPR Article 29).Hope this feedback was helpful! Please UPVOTE if you like this answer.

I would like to share two very interesting and borderline creepy incidents that have happened to me over past few months:Yesterday I was in a stationery shop after a long time. We were exploring a lot of new (at least for me) and exciting stuff like paintbrush pens while recalling the good old school days. I suddenly remembered my favourite pen of that time, and I casually asked if they have one of those uniball pens around. In the entire conversation, uniball wouldn’t have been mentioned more than two or three times. There was no digital transaction, I did not search for uniball or pens in general on the web, I did not even buy the pen. There was absolutely no digital trace of this conversation. Or so I thought until this morning when I woke up to these sponsored ads on my facebook::Upon thinking hard, I realised the only way this could happen is my phone picking up the conversation with shop-keeper. While I was talking with the shop-keeper my phone was right in front on the counter. The ONLY possibility is either Facebook or Amazon (I have the echo app on my phone) was listening.My roommates and I love cooking. Once or twice every week we cook something we have never cooked before. So naturally, the topic of what we want to cook next comes up a lot in our discussions. More than once it has happened that Facebook would show me a recommendation for the recipe of a dish we were talking about in the last few days. Now, I don’t want to jump the gun because usually these are pretty popular dishes and one would naturally come across these recipes. But when this happens over and over for a few months, and Facebook shows you specifically what you talked about recently, one starts to wonder. Again like in the previous case, there was no search involved, no other digital footprints.I thought I am just being paranoid but was curious at the same time. So, I posted these incidents on my Facebook, quite ironic I would say given facebook was most likely responsible for them in the first place. But the response confirmed my doubts, a lot of my friends reported having experienced the same thing in over past few months.Coming back the original question I would say personal data collection is something that will most likely be illegal in 20 years. At least, the companies will not be able to use a generic ‘Terms of use’ and ‘Privacy Policy’ to get around with using the personalised data. They will possibly be required to explicitly tell the users WHY they need some specific data and give the control to users about whether they actually want to share it or not. While the European Union is spearheading the movement, it's not too long before others follow suit.And it is already starting to come true:General Data Protection Regulation - Wikipedia2018 reform of EU data protection rulesThe 'Right to Be Forgotten,' Globally? How Google Is Fighting to Limit the Scope of Europe's Privacy Law

Where can I find an easy to understand checklist of things I need to do to make my website GDPR-compliant?Considering that every small, medium and large organization worldwide, that processes Personal Data of EU citizen will have to be compliant with GDPR but getting to grips with GDPR can be challenging.Check out the following extensive Gantt chard with steps and GDPR Policy Templates you need to implement to become GDPR compliant.Free GDPR Preparation Planning GanttGDPR Compliance ChecklistHere is a very easy GDPR-compliance checklist you can go through to work towards GDPR-Readiness:i. Understand What is Personal DataGDPR is all about the personal data and you should understand what is considered as “personal data” under new regulations and what kind of those that you deal with. Chances are that you do collect personal data, even if you are collecting the names and telephone numbers of your customers, you do collect personal data. Also, know how do you collect that data, how do you use them and how do you store them.“Personal Data” (PD) means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person Regulation.ii. Check if the people in your database have given consent (from EU)GDPR states that all personal data collected requires proof of consent. “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Direct consent is given for example if you have consent from your customers to collect their personal data for business operations purposes, you cannot send them marketing materials with the same consent.iii. Perform a Data Protection Impact Assessment (DPIA)By performing a DPIA under the GDPR helps an organization to identify, assess and mitigate or minimize privacy risks with data processing activities. They are particularly relevant when a new data processing process, system or technology is being introduced. The DPI register is a spreadsheet (for example Excel template) that keeps track of all the data breaches that have happened and how they were dealt with.iv. Create or update external Privacy Policy and Data Protection PolicyMake sure your website is updated, for example with a Privacy Policy and a Data Protection Policy that is according to the new GDPR directive. Use the definitions from the GDPR, mention the new changes you will make related to and send a notification to the people in your database with a request to continue doing communication.v. Prepare for Access RequestsUnder the GDPR, all citizens will have the right to have insight and access to their personal data. Also to rectify inaccurate data or object to their data being processed or even completely erase any of their personal data you hold. You must be able to process such requests within a prescribed period of time.vi. Create a “Request to Access Personal Data” Button or Page on your WebsiteUnder GDPR, all EU residents will have “Access-request” right over the companies and organizations that collect their personal data. Using that right, they will be able to access their personal data that was collected about them. Having a clear Request solution as well as privacy and data protection policy page on your website will make it easier for you to handle those requests.vii. Explain the changes in the law to your EmployeesMake sure your employees are aware of the changes in the law. Send them a brief memo with topics that are relevant to know. Explain possible responsibilities for employees that came with the introduction of the new GDPR directive regarding compliance. They should be able to notify responsible persons in your organizations in case of data breaches or other violations.viii. Check if Your Suppliers are GDPR-readyContact your suppliers in time to make sure that the suppliers take action to prevent data breaches and other violations. They need to review their policies and contracts to ensure that you will not have any sanctions caused by third-parties and your suppliers.ix. Do I need to appoint a GDPR DPO (Data Protection Officer)?The GDPR is choosing consumer trust ahead of the business’s interests. From a legal perspective, that fosters the objective that the GDPR creates an accountability and transparency demand (specifically to the consent of the Data Subjects), it appears that to be compliant you need to appoint a DPO. However, when carefully reading the GDPR directive, you can conclude it’s not specified when a DPO should be appointed. A soon to be Supervisory Authority will provide us with this answer. This will depend on the data intensity of your company.Article 37 of GDPR document states that companies and organizations need to appoint a Designated Data Protection Officer (DPO) when these conditions are met,(a) The data processing is carried out by a public authority or body. Or(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”You might consider appointing a DPO, just to be sure, but no need to hire one.Also Check out: GDPR Complete Compliance Kit Document TemplatesHope this information is valuable. Please UPVOTE if you like it.Best, Peter