Steps to GDPR Compliance
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.
The GDPR is a concerted effort to bring all of the privacy regulations in Europe under a single umbrella. This will provide a strong focus on addressing privacy at organization level. There are those who might think that this is a punitive measure designed to collect fines, but the GDPR is an attempt to enforce accountability for data governance.
1) Establish accountability and governance
The board must understand the implications of the GDPR in order to support the project and allocate the resources required to complete it. A director will also need to be assigned accountability for the GDPR, and data protection risk will need to be incorporated into the corporate risk management and internal control
The eBook EU GDPR – A Pocket Guide is a useful resource for these first stages.
2) Create a project team
A person or team must control this project, and they will need a significant understanding of both the business and the
The Certified EU General Data Protection Regulation Foundation and Practitioner training courses will give your team the knowledge and skills required to implement an effective compliance program and fulfil the data protection officer
The book GDPR – An Implementation and Compliance Guide is a useful resource for the project
3) Scope and plan the project
Once the GDPR team is aware of the ins and outs of the Regulation, it will need to work out which parts of the business fall within the scope of the GDPR (business units, territories and jurisdictions) and identify which standards and management systems may be affected or could contribute to GDPR compliance, e.g. ISO 27001. Speak to your IT team to find out whether any projects starting soon involve personal data, as these will be candidates for privacy by design. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery but from the inception of the product.
4) Build a data inventory
To assess what measures are needed to align your data processing with the GDPR, you must first identify which categories of data are held, where the data comes from and the lawful basis for processing it. There are special categories of data that entail stricter processing rules, such as obtaining explicit consent.
5) Conduct a data flow audit
It’s essential to understand the flow of personal data within the business, as well as where it comes from and where it is sent. This will help you to identify risks in data processing activities and where controls are required.
From this, you can decide whether a data protection impact assessment (DPIA) is required to help identify, assess and mitigate or minimize the privacy risks of data processing activities. The three primary conditions for a DPIA identified in the GDPR are:
- Systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
The Data Flow Mapping Tool software allows you to create data flow maps with a simple, easy-to-use interface.
6) Conduct a detailed gap analysis
It’s vital to understand your current level of compliance with the GDPR. A gap analysis highlights this, as well as offering guidance on the key areas your organization must address.
The EU GDPR Compliance Gap Assessment Tool is designed to allow organizations to assess their own compliance status, and the GDPR Gap Analysis service provides an on-site
7) Create or improve key policies and processes
According to Article 30 of the GDPR, companies will be required to record their personal data processing activities, including, but not limited to, the categories of data being processed, the categories of recipients of the data and the time limits for keeping the data.
Each business will also need a privacy notice and a data protection policy, and will need to update or review contracts with employees and suppliers to ensure they are compliant.
Data subject access requests, incident reporting and data breach reporting will all need written processes, too.
The EU GDPR Documentation Toolkit is a complete set of GDPR-compliant templates that are easy to use and customizable. It includes all the processes outlined above as well as other helpful documents, such as a data protection officer job description.
8) Communications strategy
As your business becomes GDPR compliant, staff need to understand and follow the new processes and procedures. Training new staff and holding regular refreshers is essential.
9) Monitor, audit and improve
GDPR compliance is a journey, not a destination. To demonstrate ongoing compliance you will need to undertake periodic internal audits and updates of your data protection processes. This includes keeping records of processing activities and consent, testing information security controls and conducting DPIAs. Don’t delay until May 2018 to get GDPR-ready; get help (contact us) to do an initial gap