Steps to GDPR Compliance
comes into effect in May 25th 2018.
GDPR is a concerted effort to bring all of the privacy regulations in Europe under a single umbrella. This will provide for a strong focus to address privacy at organization level. There are those who might think that this is a punitive measure designed to collect fines, but GDPR is an attempt to enforce data governance accountability.
The board must understand the implications of the GDPR in order to support the project and allocate the resources required to complete it. A director will also need to be assigned accountability for the GDPR, and data protection risk will need to be incorporated into the corporate risk management and internal control framework.
A person or team must control this project, and they will need significant understanding of both the business and the GDPR.
Once the GDPR team is aware of the ins and outs of the Regulation, it will need to work out what parts of the business fall within the scope of the GDPR (business units, territories and jurisdictions) and identify which standards and management systems may be affected or could contribute to GDPR compliance, e.g. ISO 27001. Speak to your IT team to find out if there are any projects starting soon that involve personal data, as these will be candidates for privacy by design. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery but also from the inception of the product.
To assess what measures are needed to align your data processing with the GDPR, you must first identify which categories of data are held, where the data comes from and the lawful basis for processing it. There are special categories of data that entail stricter processing rules, such as getting explicit consent.
It’s essential to understand the flow of personal data within the business, as well as where it comes from and where it is sent. This will help you to identify risks in data processing activities and where controls are required.
From this, you can decide whether a data protection impact assessment (DPIA) is required to help identify, assess and mitigate or minimize privacy risks with data processing activities. The three primary conditions for a DPIA identified in the GDPR are:
It’s vital to get an understanding of your level of compliance with the GDPR. A gap analysis highlights this as well as offering guidance on the key areas your organization must address. is designed to allow organizations to assess their own compliance status, and provides an on-site assessment.
According to Article 30 of the GDPR, companies will be required to record personal data processing activities including, but not limited to, the categories of data being processed, the categories of recipients of the data and time limits for keeping the data.
Each business will also need a privacy notice and a data protection policy, and to update or review contracts with employees and suppliers to ensure they are compliant.
Data subject access requests, incident reporting and data breach reporting will all need written processes, too.
The is a complete set of GDPR-compliant templates that are easy to use and customizable. It includes all the processes outlined above as well as other helpful documents such as a data protection officer job description.
As your business becomes GDPR compliant, staff needs to understand and follow the new processes and procedures. Training new staff and holding regular refreshers is essential.
GDPR compliance is a journey not a destination. To demonstrate ongoing compliance you will need to undertake periodic internal audits and updates of your data protection processes. This includes record keeping of processing activities and consent, testing information security controls and conducting DPIAs. Don’t delay until May 2018 to get GDPR-ready, get help (contact us) to do initial gap assessment.