This checklist covers the essential steps you need to take to demonstrate GDPR compliance
The EU’s GDPR (General Data Protection Regulation) demands greater accountability and transparency from organisations in how they collect, process and store personal data.
Some obligations can be fulfilled relatively simply and quickly. Others, particularly in large or complex organisations, could have significant budgetary, IT, personnel, governance and communication implications – this may require a great deal of work or expertise. Ensuring commitment from senior management and key stakeholders in your organisation will prove critical to ensure a top-down approach and sufficient resources for your compliance project.
The key steps to GDPR compliance
The GDPR states that organisations must be able to demonstrate their compliance with the Regulation; particularly with the six data processing principles. This is also known as the ‘accountability principle’. A comprehensive and effective PCF (privacy compliance framework) will naturally compile evidence to prove compliance.
This checklist with recommended solutions highlights the essential steps you need to take to prepare for the GDPR and demonstrate compliance.
Spend over €250 on any of the below products* and save 15% with the voucher code: GDPR-SAVE15
1. Establish an accountability and governance framework
- Brief management on the GDPR-related risks and benefits.
- Gain management support for your GDPR compliance project.
- Give a director the responsibility of GDPR accountability.
- Incorporate data protection risk into the corporate risk management and internal control framework.
We recommend
Need a quick answer to a GDPR question? Get quick and easy advice on a GDPR topic by email or live chat.
Learn more and buy >>
2. Scope and plan your project
To do:
- Appoint and train a project manager, and appoint a DPO (data protection officer) if necessary.
- Identify which entities will be in scope – business units, territories, jurisdictions.
- Identify other standards or management systems that could provide a framework for compliance; for instance, implementing ISO 27001 demonstrates information security best practice.
- Assess the principle of data protection by design and default against current or new processes and systems.
- Consider the implications of Brexit in your planning.
We recommend
This guide details the requirements of the GDPR and provides practical advice on implementing a compliance framework.
Learn more and buy >>
Gain knowledge of the GDPR, and a practical understanding of the methods and tools for implementing and managing an effective compliance framework.
Learn more and buy >>
DPO as a service is a practical and cost-effective outsource solution for organisations that don’t have the requisite data protection expertise and knowledge to fulfil their data protection officer obligations under the GDPR.
Learn more and buy >>
3. Conduct a data inventory and data flow audit
To do:
- Assess the categories of data held, where it comes from and the lawful basis for your processing.
- Map data flows into, within and from your organisation.
- Use the data map to identify the risks in your data processing activities and assess whether a DPIA (data protection impact assessment) is needed.
We recommend
This Cloud-based software simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes. Integration with Compliance Manager allows you to track your compliance with the GDPR articles.
Learn more and buy >>
Receive, through an onsite audit, an inventory of the types of personal data collected and processed in your organisation, and a data flow map.
Learn more and buy >>
4. Conduct a detailed gap analysis
To do
- Audit your current compliance position against the requirements of the GDPR.
- Identify compliance gaps requiring remediation.
We recommend
This questionnaire-driven tool helps you to assess of your organisation’s compliance position and identify the gaps for remediation.
Learn more and buy >>
Get an onsite assessment of your organisation’s privacy management and data protection practices, and a report summarising compliance gaps and remediation recommendations.
Learn more and buy >>
5. Develop operational policies, procedures and processes
To do:
- Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
- Bring data protection policies and privacy notices in line with the GDPR.
- Where relying on consent, ensure the conditions of that consent meet the new requirements.
- Review and update employees’, customers’ and supplier contracts.
- Plan how to recognise and handle data subject access requests (DSARs) and provide responses within a month.
- Have in place a process for determining whether a DPIA is required.
- Secure personal data through appropriate organisational and technical measures.
- Ensure policies and procedures are in place to detect, report and investigate a data breach.
- Review whether the mechanisms for data transfers outside the EU are compliant.
We recommend
A complete set of easy-to-use and customisable documentation templates, worksheets and policies to document GDPR compliance.
Learn more and buy >>
6. Secure personal data through procedural and technical measures
To do
- Have an information security policy
- Put in place basic technical controls such as those specified by established frameworks like Cyber Essentials
- Use encryption and/or pseudonymisation where it is appropriate
- Ensure policies and procedures are in place to detect, report and investigate a personal data breach
ISO/IEC 27001 provides an excellent starting point for achieving the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR)
Learn more and buy >>
Find out how to effective manage and respond to a disruptive incident and take appropriate steps to limit the damage of potential information security.
Learn more and buy >>
Undertake a security assessment of your websites and IT systems to ensure there is adequate protection against cyber attacks.
Learn more and buy >>
7. Communications
To do
- GDPR implementation affects your entire organisation – effective internal communication with stakeholders and staff is key.
- Employees need to understand the importance of data protection and be trained on the basic GDPR principles and procedures being implemented to achieve compliance.
We recommend
This simple-to-use interactive modular e-learning programme for employees introduces the GDPR and the key compliance obligations for organisations.
Learn more and buy >>
8. Monitor and audit compliance
To do
- Schedule regular audits of data processing activities and security measures.
- Keep personal data processing records up to date.
- Undertake DPIAs where required.
Free GDPR resources
Don’t forget – use the voucher code GDPR-SAVE15 at checkout and save 15% when you spend over €250 on any of the products above*.
Speak to an expert
Please contact our GDPR team for advice and guidance on our products and services
Call: 00 800 48 484 484
Call: 00 353 (0) 1 518 0150
*Terms and conditions
- This voucher code is applicable from 12 June 2018 to 31 August 2018, inclusive.
- This voucher code cannot be used in conjunction with any other voucher code or promotion.
- This voucher code can be used online or by phoning IT Governance and quoting ‘GDPR-SAVE15’.
- This voucher code can only be used on the specified products.
- This offer can be revoked at IT Governance’s discretion at any time.