1. Obtain board-level support and put accountability measures in place
GDPR compliance demands board-level support. The board must understand the implications of the Regulation so that the resources needed to achieve and maintain compliance are made available.
- Advise the board of the data protection risks the organisation faces and of the benefits that GDPR compliance will deliver.
- Secure management support for your GDPR compliance project.
- Assign ownership of GDPR compliance to a director so that there is clear accountability.
2. Plan your GDPR compliance project and its scope
Once you have obtained board-level support, the next step is to establish which areas of your organisation are in scope for your GDPR project.
- Appoint a project manager/owner. This person must be suitably trained.
- Appoint a DPO (data protection officer) where Article 37 requires one, or otherwise designate a responsible person. If you're unsure about whether or how to appoint a DPO, contact us and we'll talk you through the requirements.
- Identify standards that can provide a framework for your compliance priorities:
- The international information security management standard ISO 27001 will help you apply best practice to your data security project and deliver the technical and organisational security measures required by Article 32 of the GDPR.
- Other standards, such as ISO 27701, which specifies a PIMS (privacy information management system) as an extension to ISO 27001, can also be used.
- Assess whether data protection by design and by default (Article 25) has been incorporated into your processes and systems.
3. Conduct a data inventory and data flow audit
To comply with the GDPR's data processing requirements you must fully understand what personal data you hold, where it is held and why you process it.
- Identify the categories of data you hold, where it comes from and your lawful basis for processing each category.
- Create a data asset register and a data flow map that shows how data flows to, through and from your organisation, including transfers to processors and third parties.
- Use your data flow map to identify risks in your data processing activities and to determine whether a DPIA (data protection impact assessment) is needed.
- Create records of personal data processing activities, as required by Article 30.
4. Undertake a comprehensive risk assessment
Risk assessments are a vital component of your GDPR compliance plan. The GDPR takes a risk-based approach to data processing, so the measures you adopt should be proportionate to the risks to data subjects. However, the Regulation does not prescribe how you should assess and quantify those risks, so you need a defined methodology.
- Establish the risk assessment plan and the methodology it will follow.
- Identify your risks and build a risk register to monitor them.
- Analyse and evaluate each risk for likelihood and impact.
- Select controls to treat each risk and record the chosen controls, and who owns them, on the risk register.
5. Carry out a detailed gap analysis
A GDPR gap analysis assesses your current workflows, processes and procedures against the Regulation's requirements and identifies the compliance gaps that need to be rectified.
- Audit your current compliance posture against the GDPR's requirements.
- Determine which gaps require attention and prioritise them by urgency and risk.
6. Develop operational policies, procedures and processes
Now that you understand your gaps, close them by bringing your existing policies, processes and procedures into line with the GDPR's requirements, and by developing new ones where needed to fulfil your legal obligations.
- Your data protection policies and privacy notices must comply with the GDPR, including the transparency requirements of Articles 13 and 14.
- Where you rely on consent as your lawful basis for processing, ensure it meets the GDPR's requirements (freely given, specific, informed and unambiguous) and is clearly recorded.
- Review employee, customer and supplier contracts. They will need to be updated to cover personal data processing, and contracts with processors must contain the terms required by Article 28.
- Set out a DSAR (data subject access request) plan. Understand how you will recognise a request, verify the requester's identity and respond within the required time (one month, extendable in limited circumstances under Article 12).
- Develop a DPIA policy and procedure.
7. Secure personal data through process based and technical measures
Article 32 of the GDPR requires organisations to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk presented by the processing.
- You will need to put an information security policy in place. We can write one for you if you don't have one.
- Implement basic technical controls. The Cyber Essentials framework can be very useful in guiding you as to what should be done.
- Use encryption and/or pseudonymisation as appropriate; both are named in Article 32(1)(a). Note that pseudonymised data is still personal data under the GDPR, so it remains in scope.
- Ensure policies and procedures are in place to detect, report and investigate personal data breaches, including notification to the supervisory authority within 72 hours where required by Article 33. This includes staff awareness training.
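The pseudonymisation point above is the one item in this step where the choice of technique matters in code. The example below is added here to illustrate it and is not code from the original page or from any particular product: it contrasts an unkeyed hash of an e-mail address, which an attacker with a list of candidate addresses can reverse by re-hashing them, with an HMAC-SHA256 pseudonym under a secret key that is held separately from the dataset (the "additional information" in the GDPR's definition of pseudonymisation). The sample records and candidate list are constructed for the example, and keyed HMAC is one reasonable technique among several, not a method the page prescribes.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample dataset for the example; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
]


def _normalise(identifier: str) -> bytes:
    """Canonicalise the identifier so the same person always gets the same pseudonym."""
    return identifier.strip().lower().encode()


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    This is not effective pseudonymisation for low-entropy identifiers such as
    e-mail addresses: anyone holding a list of candidate addresses can re-hash
    them and compare, so no separately held secret is needed to re-identify.
    """
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the additional information that must be kept separately from
    the pseudonymised dataset and protected by its own access controls.
    Without it, matching guessed identifiers against a pseudonym is infeasible;
    with it, the controller can still locate a data subject's records.
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym and keep the payload."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "purchase": r["purchase"]}
        for r in records
    ]


def match_candidates(pseudonym: str, candidates: List[str],
                     fn: Callable[[str], str]) -> Optional[str]:
    """Re-identify a pseudonym by recomputing fn() over guessed identifiers.

    The same loop models both an attacker who can run the pseudonym function
    (because it is unkeyed, or under a guessed key) and the controller who
    holds the real key and legitimately re-identifies a record, e.g. for a DSAR.
    """
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


def demo() -> dict:
    """Show that the unkeyed scheme falls to a guess list and the keyed one does not."""
    key = secrets.token_bytes(32)        # per-dataset key; store and rotate it separately
    wrong_key = secrets.token_bytes(32)  # what an attacker who guesses a key ends up with
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]

    weak = weak_pseudonym("alice@example.com")
    strong = keyed_pseudonym("alice@example.com", key)

    # Attacker holds the dataset and a guess list, but not the key.
    attacker_weak = match_candidates(weak, guesses, weak_pseudonym)
    attacker_strong = match_candidates(strong, guesses,
                                       lambda c: keyed_pseudonym(c, wrong_key))

    # Controller holds the key and can answer "which record belongs to Alice?".
    controller = match_candidates(strong, guesses, lambda c: keyed_pseudonym(c, key))

    return {
        "attacker_recovers_weak": attacker_weak,
        "attacker_recovers_strong": attacker_strong,
        "controller_reidentifies": controller,
        "dataset": pseudonymise(RECORDS, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points follow from this. First, the key must live somewhere the holders of the pseudonymised dataset cannot reach (a separate key store with its own access control and audit trail), otherwise the dataset is effectively still directly identified. Second, using a different key per dataset or per purpose stops two pseudonymised datasets from being joined on the pseudonym, which limits the damage if one of them leaks.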
8. Ensure teams are trained and understand the rules
Staff awareness and education are key components of any organisation's GDPR compliance framework. Everyone involved in processing personal data must be appropriately trained to follow the approved processes and procedures.
- Ensure that internal communication with stakeholders and staff is effective, so that policy changes and incident reports reach the people who need to act on them.
- Train your employees to understand the importance of data protection. Training should cover the GDPR's principles and the procedures you have implemented to uphold them.
9. Continually monitor and audit your compliance
GDPR compliance is an ongoing project: a journey rather than a destination. Plan and carry out periodic internal audits and update your data protection processes as your processing changes. This includes checking your records of processing activities and consent, testing your information security controls, and conducting DPIAs.
- Schedule regular audits of data processing activities and security controls.
- Keep records of personal data processing and make sure they are kept up to date.
- Undertake DPIAs where required, and revisit existing ones when the processing changes.
- Periodically reassess your data protection practices, giving particular attention to the more demanding elements of compliance such as DPIAs, DSAR handling and breach response.