10 steps to GDPR compliance: How prepared are you?

It’s not too late to comply with the GDPR (General Data Protection Regulation). The Regulation might have come into effect last year, but its requirements need to be regularly reviewed. As such, it doesn’t matter what your compliance posture was six months or a year ago. All that matters is where you are now.

Many organisations have been delaying their implementation project until they were sure that it would be worth their time. It’s now been almost twelve months since the GDPR came into force and the results are conclusive. More than 206,000 incidents have been reported to supervisory authorities, and organisations are reaping the benefits of compliance. 

According to the 2019 Data Privacy Benchmark Study, organisations that have met the majority of the GDPR’s requirements were 15% less likely to be breached than organisations that were more than a year away from compliance. When a breach did occur, the damage was smaller for compliant organisations, with an average of 79,000 affected records compared to 212,000. 

Anyone who wants to know where to begin when implementing the GDPR’s requirements should follow our 10-step guide. 

1. Learn what the GDPR is 

If you’re reading this, you’re probably familiar with the GDPR, but don’t believe everything you’ve read. A lot of misinformation has been spread about the Regulation, so it’s important to do your research. 

There are plenty of respectable sources that explain the Regulation’s requirements. For example, we offer information pages, guides and webinars where you can learn about the GDPR for free.

You might also choose to enrol on a training course to gain a comprehensive understanding of the requirements you need to meet. 

2. Become accountable 

The Regulation includes provisions that promote accountability, so we recommend that you make an inventory of all the personal data you hold and examine it against the following questions:

  • Why are you holding it? 
  • How did you obtain it? 
  • Why was it originally gathered? 
  • How long will you retain it? 
  • How secure is it, both in terms of encryption and accessibility? 
  • Do you ever share it with third parties, and on what basis might you do so? 

3. Review personal privacy rights

Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include: 

  • The right to be informed 
  • The right to rectification 
  • The right to erasure 
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to access 

Most of these rights are similar to those in previous data protection laws, but there are some significant changes. It’s important to familiarise yourself with those changes and plan accordingly. 

4. Communicate with staff and service users 

You’re not the only one who needs to know about data subjects’ rights. When collecting personal data from staff, clients or service users, you need to inform them of their rights. 

5. Learn about legal grounds 

Organisations need to prove that they have a legal ground to process data. Most organisations use consent by default, but the GDPR toughens the rules for getting and keeping consent. 

There are five other lawful grounds for processing data: 

  • A contract with the individual 
  • Compliance with a legal obligation 
  • Vital interests 
  • A public task 
  • Legitimate interests 

Organisations should learn when each of these grounds can be relied on and adjust their data collection policies appropriately.

6. Change your consent requests 

There will be times when consent is the most appropriate lawful ground, so you need to know how it must be sought. The GDPR lists specific requirements for lawful consent requests.

7. Research child consent policies 

The GDPR states that children cannot give lawful consent because they “may be less aware of the risks, consequences and safeguards” of sharing data. The default age at which someone is no longer considered a child is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16. 

For example, the Republic of Ireland, the UK and Spain have set the age at 13, Germany and the Netherlands stuck with 16, and Austria opted for 14.

Data controllers must know the age of consent in particular countries and avoid seeking consent from anyone under that age. 

8. Appoint a data protection officer 

The GDPR states that a DPO (data protection officer) should oversee an organisation’s data protection strategies and compliance programme. 

Although only certain organisations need to appoint a DPO, the Article 29 Working Party recommends that all organisations appoint one as a matter of good practice. 

9. Plan for data breaches 

One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery, and provide it with as much detail as possible.

10. Adopt a privacy-by-design approach 

Organisations should adopt a privacy-by-design approach to data protection. To do this, they will need to conduct a DPIA (data protection impact assessment) before undertaking new projects or initiatives. 

DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance. 

Want help getting started? 

Now that you know what it takes to comply with the GDPR, it’s time to put that knowledge into practice. That means implementing the requirements and documenting your compliance. 

That sounds like a big task, but it’s a lot simpler with expert guidance such as our GDPR Starter bundle.

This bundle contains three essential products to help you document your practices, assess your compliance posture and teach employees about their responsibilities under the Regulation.


This blog has been updated to reflect industry changes. Originally published 16 October 2017. 
