GDPR Compliance – Step by Step Guide

Step 1 – Assign Accountability

  • GDPR is a complex regulation; it needs an individual within the organisation to be accountable for compliance
  • Review the requirements for formally implementing the role of a Data Protection Officer (note that this isn’t mandatory under GDPR for all processing scenarios)
  • Ensure that whoever takes accountability has the support of the organisation’s leadership team

Step 2 – Understand GDPR (Basic Level)

  • Research as much as you can online
  • Review the information on the GDPR Website
  • Review the FAQs on our web site

Step 3 – Risk Awareness

  • Ensure that the organisation’s senior management are aware of GDPR
  • Ensure that they understand the key risks
  • Discuss the financial risk – 4% of last year’s turnover or up to 20M Euros, whichever is the greater
  • Discuss the risk to reputation; quote well-known examples of how data breaches can result in loss of business and insolvency
  • Discuss the risk to new business opportunities: if you are not compliant you will find it harder to win future business

Step 4 – Complete a Readiness Assessment

  • Discuss the best way to review how ready you are for GDPR
  • The best approach for most organisations is to seek professional help
  • Assess how prepared your organisation is in relation to the key Articles and specifically the principles of the GDPR (under Article 5)

Step 5 – Agree The Compliance Framework

  • Review the detailed output from the Readiness Assessment
  • Agree the target state (your GDPR compliance framework) needed to become compliant
  • Focus on preparing to implement the urgent priorities

Step 6 – Complete an Inventory

  • You need to know where, how, by whom and for how long your personal data is processed
  • Focus on HR information processes to start with, i.e. the first process could be ‘new starter’.
  • Then assess all of your customer processes, e.g. ‘entering customer information’ into a CRM solution
  • Then assess all of your supplier processes, e.g. ‘setting up a new supplier’ in your invoicing system
  • Don’t forget other forms of processing such as your website, CCTV, voice recording, location tracking etc.

Step 7 – Detailed Risk Assessment

  • Undertake a full, detailed risk assessment of all of your key processes
  • Complete data privacy impact assessments
  • Assign priority activities for risk mitigation

Step 8 – Deliver the Priority Activities

  • These will vary organisation to organisation
  • Ensure your processing has a legal basis
  • Ensure that you can deal with access requests
  • Ensure that you can deal with data breaches (see our DPO as a Service information)
  • Ensure that your web site is compliant
  • Ensure that you have appropriate security in place
  • Ensure that your partners are aware of GDPR
  • Ensure that the data they process on your behalf is safe

Step 9 – Deliver the Medium to Long Term Objectives

  • Get all of the necessary contractual relationships in place (Processing and Model Contracts)
  • Implement all of the policies and procedures that you require
  • Make changes to the way data privacy is managed and implement privacy by design

Step 10 – Maintain GDPR Compliance

  • Implement an annual compliance plan
  • Carry out frequent assurance reviews (see our DPO as a Service)
  • Review and update data privacy impact assessments
  • Carry out information security audits (see our Security Services)