What is GDPR?
The General Data Protection Regulation (GDPR) requires greater accountability and transparency from organisations about how they collect, process and store personal data.
Some obligations can be met quickly and easily. Others, especially in large or complex organisations, can have significant financial, IT, staffing, governance and communications implications and may require substantial work or specialist expertise.
Key steps towards GDPR compliance
This checklist highlights the essential steps you need to take to prepare for the GDPR and demonstrate compliance.
1) Establish an accountability and governance framework
- Brief management on the GDPR risks and benefits.
- Gain management support for a GDPR compliance project.
- Assign a director with accountability for the GDPR.
- Incorporate data protection risk into the corporate risk management and internal control framework.
2) Scope and plan your project
- Appoint and train a project manager, and appoint a data protection officer (DPO) if required.
- Identify which entities will be in scope: business units, territories, jurisdictions.
- Identify other standards or management systems that could provide a framework for compliance, e.g. implementing ISO 27001 demonstrates information security best practice.
- Assess the principle of data protection by design and by default against current or new processes and systems.
- Consider Brexit implications in your planning.
3) Conduct a data inventory and data flow audit
- Review the categories of personal data held, where it comes from and the lawful basis for your processing.
- Map data flows into, within and out of your organisation.
- Use the data map to identify the risks in your processing activities and whether a data protection impact assessment (DPIA) is required.
4) Conduct a detailed gap analysis
- Audit your current compliance position against the requirements of the GDPR.
- Identify compliance gaps requiring remediation.
5) Develop operational policies, procedures and processes
- Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
- Bring data protection policies and privacy notices in line with the GDPR.
- Where relying on consent, ensure the quality of consent meets the new requirements (freely given, specific, informed and unambiguous), and that it can be withdrawn as easily as it was given.
- Review and update employee, customer and supplier contracts.
- Plan how to recognise and handle data subject access requests and respond within one month (extendable by up to two further months for complex or numerous requests, provided the data subject is told why within the first month).
- Have in place a process for determining whether a DPIA is required.
- Secure personal data through appropriate technical and organisational measures.
- Ensure policies and procedures are in place to detect, report and investigate a personal data breach, including notifying the supervisory authority within 72 hours of becoming aware of it where notification is required.
- Review whether the mechanisms relied on for transfers of personal data outside the EU are compliant.
6) Communicate and train
- GDPR compliance is a business change project: effective internal communication with stakeholders and staff is key.
- Employees need to understand the importance of data protection and be trained on the basic principles of the GDPR and on the procedures being implemented for compliance.
7) Monitor and audit compliance
- Schedule regular audits of data processing activities and security controls.
- Keep records of personal data processing up to date.
- Undertake DPIAs where required.