The GDPR is imminent – Are you ready?

The EU General Data Protection Regulation (GDPR) compliance deadline is just one day away, so now is the ideal time to review your compliance steps and look at what else you need to do.

Key GDPR compliance checks

Responding to subject access requests (SARs)

Under the GDPR you need to respond to a SAR within one month. Organisations need to have procedures in place that allow them to handle SARs in the given timescales.

Staff awareness and training

An organisation cannot claim to be GDPR-compliant if its staff don’t understand the new Regulation. Staff training is key. In the event that your organisation suffers a breach, your employees need to know what to do, e.g. they need to know that the relevant supervisory authority should be notified within 72 hours.

Privacy policy

A privacy policy is a publicly available document that states how your organisation gathers, processes and manages individuals’ data. Your privacy policy should be as clear and transparent as possible to ensure it can be understood by everybody.

Consent – Have you got it?

The GDPR is built around ensuring organisations have explicit consent to collect and process an individual’s personal data. Organisations need to review how they seek, obtain and record consent, and whether these practices need to be made GDPR compliant. The GDPR lists specific requirements for lawful consent requests:

  • Consent – The data subject has given clear consent to the processing of their personal data for one or more specific purposes.
  • Contract – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject before entering into a contract.
  • Legal obligation – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Vital interests – Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Public interest – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate interest – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.

Learn more about the GDPR with our Certified EU GDPR Foundation Training Course

IT Governance’s one-day Certified EU GDPR Foundation course provides a comprehensive introduction to the GDPR and helps you understand the implications and legal requirements for EU organisations of any size.

The course is delivered by an experienced data protection practitioner, and is ideal for managers who are already involved in data protection and individuals who want to get started in the field.

Learn from the experts what your organisation will need to do on our one-day Certified EU GDPR Foundation course in Cork, Dublin, Galway or Limerick.
