The Ultimate GDPR Checklist

Maybe you have noticed it. Privacy is an issue. A bit strange, since there are only 2 days left until the new EU General Data Protection Regulation (GDPR) becomes fully enforceable throughout the European Union.

So before the end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining how to design and improve your systems to meet the GDPR is not straightforward. Because the GDPR text is complex, a lot of help is on offer. But be warned: some tools that claim to help you will increase your privacy compliance problems instead of solving them.

It is very seductive to use (free) GDPR or privacy checklists. A lot of new privacy checklists with nice visuals exist nowadays. But in reality almost all privacy checklists are of very little value. So instead of investing your time in working through a checklist before starting your privacy-by-design challenge, you should perform a good Privacy Impact Assessment (PIA).

A Privacy Impact Assessment (PIA) is a process which helps an organisation to identify and reduce the privacy risks of a project. A PIA should be used throughout the development and implementation of a project. Performing a PIA seems simple: many Privacy Impact Assessment (PIA) tools exist. In the GDPR a PIA is called a Data Protection Impact Assessment (DPIA).

To avoid confusion: it is NOT mandatory for all organisations to perform a (D)PIA. But since performing a (D)PIA is simple and takes little time, especially for small organisations, all organisations are advised to perform one. At least if you take the protection of your customers' data seriously.

Almost all (D)PIA questionnaire tools are simple and are good aids to identify and mitigate privacy risks. The outcome of a PIA is input for creating your privacy architecture and design. A PIA is focused on simple questions:
  • What personally identifiable information is collected?
  • Why is this personally identifiable information being collected? Is it really needed and legal?
  • How is the personally identifiable information collected, used, accessed, shared, safeguarded and stored?

But due to the complexity of IT systems and all the integrations with other companies, the answers to these questions are often not so simple.

A good and safe way to perform a PIA is to use a questionnaire or tools developed by your central government. This is because all governments encourage companies and (local) governmental organizations to be compliant with the GDPR (for EU countries) or with country- or industry-specific regulations. Using a PIA tool created by a government also leads to less discussion with your privacy supervisory authority.

A number of good Privacy Impact Assessment (PIA) tools can be found here:

  • US: PIA created by the Department of Homeland Security.
  • UK: PIA tool created by the UK ICO, the UK’s independent body to uphold information rights.
  • NZ: PIA toolkit of the Privacy Commissioner’s Office.
  • AU: PIA template of the Office of the Victorian Information Commissioner.
  • CA: PIA toolkit of the Privacy Commissioner of Canada.

To make sure you use a good PIA tool, use the PIA toolkit offered or recommended by your government and/or perform an industry-specific PIA if required by law. A range of PIA guidance documents has been published by consultancy companies who see new business in GDPR consultancy. However, be aware that these documents vary considerably in quality. So it is best to use the PIA and guidance documents offered by your government.

Performing a PIA is serious work that should not be underestimated. The security of private data depends on it.

This blog post will be added (after a rewrite) as an extension to the ‘Open Reference Architecture for Security and Privacy’. We are working on a renewed version. Please join us!