Data Protection / EU GDPR Toolkits

Steps to GDPR Compliance

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.

The GDPR is a concerted effort to bring all of Europe's privacy regulations under a single umbrella, and it places a strong focus on addressing privacy at the organizational level. Some see it as a punitive measure designed to collect fines, but the GDPR is an attempt to enforce accountability for data governance.

1) Establish an accountability and governance framework

The board must understand the implications of the GDPR in order to support the project and allocate the resources required to complete it. A director will also need to be assigned accountability for the GDPR, and data protection risk will need to be incorporated into the corporate risk management and internal control framework.

eBook: EU GDPR – A Pocket Guide is perfect for these first stages.

2) Create a project team

A person or team must control this project, and they will need significant understanding of both the business and the GDPR.

Certified EU General Data Protection Regulation Foundation and Practitioner training courses will give your team the knowledge and skills required to implement an effective compliance program and fulfil the data protection officer (DPO) role.

The book GDPR – An Implementation and Compliance Guide is a useful resource for the project team.

3) Scope and plan the project

Once the GDPR team is familiar with the ins and outs of the Regulation, it will need to work out which parts of the business fall within the scope of the GDPR (business units, territories and jurisdictions) and identify which standards and management systems may be affected or could contribute to GDPR compliance, e.g. ISO 27001. Speak to your IT team to find out whether any projects involving personal data are starting soon, as these are candidates for privacy by design. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery but from the inception of the product.

4) Build a data inventory

To assess what measures are needed to align your data processing with the GDPR, you must first identify which categories of data are held, where the data comes from and the lawful basis for processing it. There are special categories of data that entail stricter processing rules, such as getting explicit consent.

5) Conduct a data flow audit

It’s essential to understand the flow of personal data within the business, as well as where it comes from and where it is sent. This will help you to identify risks in data processing activities and where controls are required.

From this, you can decide whether a data protection impact assessment (DPIA) is required to help identify, assess and mitigate or minimize privacy risks with data processing activities. The three primary conditions for a DPIA identified in the GDPR are:

  • Systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
  • Systematic monitoring of a publicly accessible area on a large scale.

Data Flow Mapping Tool software allows you to create data flow maps with a simple, easy-to-use interface.

6) Conduct a detailed gap analysis

It’s vital to understand your current level of compliance with the GDPR. A gap analysis highlights this and offers guidance on the key areas your organization must address. The EU GDPR Compliance Gap Assessment Tool is designed to let organizations assess their own compliance status, and the GDPR Gap Analysis service provides an on-site assessment.

7) Create or improve key policies and processes

According to Article 30 of the GDPR, companies will be required to record personal data processing activities including, but not limited to, the categories of data being processed, the categories of recipients of the data and time limits for keeping the data.

Each business will also need a privacy notice and a data protection policy, and to update or review contracts with employees and suppliers to ensure they are compliant.

Data subject access requests, incident reporting and data breach reporting will all need written processes, too.

The EU GDPR Documentation Toolkit is a complete set of GDPR-compliant templates that are easy to use and customizable. It includes all the processes outlined above as well as other helpful documents such as a data protection officer job description.

8) Communications strategy

As your business becomes GDPR compliant, staff need to understand and follow the new processes and procedures. Training new staff and holding regular refresher sessions is essential.

9) Monitor, audit and improve

GDPR compliance is a journey, not a destination. To demonstrate ongoing compliance you will need to undertake periodic internal audits and updates of your data protection processes. This includes keeping records of processing activities and consent, testing information security controls and conducting DPIAs. Don’t wait until May 2018 to get GDPR-ready; contact us for help with an initial gap assessment.


InfoSec | © 2018 DISC