The GDPR compliance checklist

The principle of accountability is key to compliance with the EU GDPR (General Data Protection Regulation). Organisations that process personal data must not only comply with the Regulation’s requirements – they must also be able to demonstrate their compliance.


1. Establish an accountability and governance framework

  • Brief management on the GDPR-related risks and benefits.
  • Gain management support for your GDPR compliance project.
  • Give a director the responsibility of GDPR accountability.
  • Incorporate data protection risk into the corporate risk management and internal control framework.

Our solutions

  • EU GDPR – A Pocket Guide
    This concise guide is essential reading for anyone wanting an overview of the GDPR and the new compliance obligations for handling personal data.

  • GDPR Ask Us
    Need a quick answer to a GDPR question? Get quick and easy advice on a GDPR topic by email or live chat.


2. Scope and plan your project

What you need to do

  • Appoint and train a project manager, and appoint a data protection officer (DPO) if required under Article 37, GDPR.
  • Identify which entities will be in scope – business units, territories, jurisdictions.
  • Identify other standards or management systems that could provide a framework for compliance. For instance, implementing ISO 27001 demonstrates information security best practice, while compliance with BS 10012 provides a personal information management system that helps you maintain and improve compliance with data protection legislation.
  • Assess the principle of data protection by design and default against current or new processes and systems.
  • Consider the implications of Brexit in your planning.


3. Conduct a data inventory and data flow audit

What you need to do

  • Assess the categories of data held, where it comes from and the lawful basis for your processing.
  • Map data flows into, within and from your organisation.
  • Use the data map to identify the risks in your data processing activities and assess whether a DPIA (data protection impact assessment) is needed.

Our solutions

  • Data Flow Mapping Tool and Compliance Manager
    This Cloud-based software simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes. Integration with Compliance Manager allows you to track your compliance with the GDPR articles.

  • GDPR data flow audit
    Receive, through an onsite audit, an inventory of the types of personal data collected and processed in your organisation, and a data flow map.


4. Conduct a detailed gap analysis

What you need to do

  • Audit your current compliance position against the requirements of the GDPR.
  • Identify compliance gaps requiring remediation.

Our solutions

  • EU GDPR Compliance Gap Assessment Tool
    This questionnaire-driven tool helps you to assess your organisation’s compliance position and identify the gaps for remediation.

  • GDPR Gap Analysis
    Get an onsite assessment of your organisation’s privacy management and data protection practices, and a report summarising compliance gaps and remediation recommendations.


5. Develop operational policies, procedures and processes

What you need to do

  • Create your Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
  • Bring data protection policies and privacy notices in line with the GDPR.
  • Where relying on consent, ensure the conditions of that consent meet the new requirements.
  • Review and update employees’, customers’ and supplier contracts.
  • Plan how to recognise and handle data subject access requests (DSARs) and provide responses within a month.
  • Have in place a process for determining if a DPIA is required to be completed.
  • Secure personal data through appropriate organisational and technical measures.
  • Ensure policies and procedures are in place to detect, report and investigate a data breach.
  • Review whether the mechanisms for data transfers to outside the EU are compliant.


6. Secure personal data through procedural and technical measures

What you need to do

  • Have an up-to-date information security policy.
  • Put in place basic technical controls such as those specified by established frameworks like Cyber Essentials and ISO 27001.
  • Use encryption and/or pseudonymisation where it is appropriate.
  • Ensure policies and procedures are in place to detect, report and investigate a personal data breach.

Our solutions

  • ISO 27001
    ISO/IEC 27001 provides an excellent starting point for achieving the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR).

  • Incident Response Management Foundation Training Course
    Find out how to effectively manage and respond to a disruptive incident and take appropriate steps to limit the damage of a potential information security incident.

  • Penetration testing
    Undertake a security assessment of your websites and IT systems to ensure there is adequate protection against cyber-attacks.


7. Communications

What you need to do

  • GDPR implementation affects your entire organisation – effective internal communication with stakeholders and staff is key.
  • Employees need to understand the importance of data protection and be trained on the basic GDPR principles and procedures being implemented to achieve compliance.


8. Monitor and audit compliance

What you need to do

  • Schedule regular audits of data processing activities and security measures.
  • Keep personal data processing records up to date.
  • Undertake DPIAs where required.
  • Assess data protection practices and manage some of the more arduous elements of GDPR compliance.

Our solutions

  • GDPR Manager
    Enables organisations to manage a range of GDPR elements, such as recording and reporting data breaches, handling subject access requests, and monitoring third party compliance in a single platform.

  • Live Online GDPR Consultancy
    Get expert advice on specific GDPR compliance issues whenever and wherever you need it with consultancy support by the hour.