Step 1 – Assign Accountability
- GDPR is a complex regulation; it needs an individual within the organisation to be accountable for compliance
- Review the requirements for formally implementing the role of a Data Protection Officer (note this isn’t mandatory under GDPR for all processing scenarios)
- Ensure that whoever takes accountability has the support of the organisation's leadership team
Step 2 – Understand GDPR (Basic Level)
- Research as much as you can online
- Review the information on the GDPR Website
- Review the FAQs on our web site
Step 3 – Risk Awareness
- Ensure that the organisation's senior management are aware of GDPR
- Ensure that they understand the key risks
- Discuss the financial risk – 4% of last year's turnover or up to 20M Euros, whichever is the greater
- Discuss the risk to reputation; quote well-known examples of how data breaches can result in loss of business and insolvency
- Discuss the risk to new business opportunities, if you are not compliant you will find it harder to win future business
Step 4 – Complete a Readiness Assessment
- Discuss the best way to review ‘how ready you are for GDPR’
- The best approach for most organisations is to seek professional help
- Assess how your organisation is prepared in relation to the key Articles and specifically the principles of the GDPR (under Article 5)
Step 5 – Agree The Compliance Framework
- Review the detailed output from the Readiness Assessment
- Agree your desired target state (your GDPR compliance framework) to become compliant
- Focus on preparing for implementing the urgent priorities
Step 6 – Complete an Inventory
- You need to know where, how, by whom and for how long your personal data is processed
- Focus on HR information processes to start with, i.e. the first process could be ‘new starter’.
- Then assess all of your customer processes, e.g. ‘entering customer information’ into a CRM solution
- Then assess all of your supplier processes, e.g. ‘setting up a new supplier’ in your invoicing system
- Don’t forget other forms of processing such as your website, CCTV, voice recording, location tracking etc.
Step 7 – Detailed Risk Assessment
- Undertake a full detailed risk assessment of all of your key processes
- Complete data privacy impact assessments
- Assign priority activities for risk mitigation
Step 8 – Deliver the Priority Activities
- These will vary organisation to organisation
- Ensure your processing has a legal basis
- Ensure that you can deal with access requests
- Ensure that you can deal with data breaches (see our DPO as a Service information)
- Ensure that your web site is compliant
- Ensure that you have appropriate security in place
- Ensure that your partners are aware of GDPR
- Ensure that the data they process on your behalf is safe
Step 9 – Deliver the Medium to Long Term Objectives
- Get all of the necessary contractual relationships in place (Processing and Model Contracts)
- Implement all of the policies and procedures that you require
- Make changes to the way data privacy is managed, implement privacy by design
Step 10 – Maintain GDPR Compliance
- Implement an annual compliance plan
- Carry out frequent assurance reviews (see our DPO as a Service)
- Review and update data privacy impact assessments
- Carry out information security audits (see our Security Services)