If you’re an organization in North America to which the EU General Data Protection Regulation (GDPR) applies, the ability to prove GDPR compliance is critical. A comprehensive and effective privacy compliance framework will develop evidence to support your compliance claims.
This checklist – with recommended solutions – highlights the essential steps you need to take to prepare for the GDPR and demonstrate compliance.
Unsure where to start with GDPR compliance?
If you’re looking for help with your GDPR compliance efforts and aren’t sure where to start, get in touch with our GDPR experts who can advise you on which of our products and services are best suited to your needs.
1. Establish an accountability and governance framework
GDPR compliance requires board-level support. It’s therefore essential that the board understands the implications of the Regulation – both positive and negative – so that they can allocate the resources needed to achieve and maintain compliance.
What you need to do
- Brief management on GDPR risks and benefits, and why the GDPR applies to your organization
- Gain management support for a GDPR compliance project
- Assign a director with accountability for the GDPR
- Incorporate data protection risk into the corporate risk management and internal control framework
2. Scope and plan your GDPR compliance project
Once you have obtained top-level support, you will need to work out what areas of your organization fall under the GDPR’s scope, and consider which existing approaches might be affected or could help your compliance efforts.
What you need to do
- Appoint and train a project manager, and appoint a data protection officer (DPO) if necessary
- Identify which entities will be in scope: business units, territories, jurisdictions
- Identify your organization’s lead supervisory authority in the EU
- Identify other standards or management systems that could provide a framework for compliance, e.g. implementing ISO 27001 demonstrates information security best practice
- Assess the principle of data protection by design and by default against current or new processes and systems
- Consider Brexit implications in your planning
3. Conduct a data inventory and data flow audit
It's impossible to comply with the GDPR's data processing requirements if you don't fully understand what data you process and how you process it.
What you need to do
- Assess the categories of data held, where it comes from, and the lawful basis for your processing
- Map data flows into, within, and from your organization
- Use the data map to identify the risks in your data processing activities and whether a data protection impact assessment (DPIA) is needed
The following tools can help you improve your data flow mapping:
- Data Flow Mapping Tool: this Cloud-based software simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organization processes. Integration with Compliance Manager allows you to track your compliance with the GDPR articles.
- GDPR data flow audit: receive, through an onsite audit, an inventory of the types of personal data collected and processed in your organization, and a data flow map.
4. Conduct a detailed gap analysis
The sensible approach to compliance is to establish what you don’t already do – assess your current workflows, processes and procedures – to identify the gaps that you need to fill.
What you need to do
- Audit your current compliance position against the GDPR’s requirements
- Identify compliance gaps requiring remediation
How we can help you:
- GDPR Compliance Gap Assessment Tool: this questionnaire-driven tool helps you to assess your organization’s compliance position and identify the gaps for remediation.
- GDPR Gap Analysis: get an on-site assessment of your organization’s privacy management and data protection practices, and a report summarizing compliance gaps and remediation recommendations.
5. Develop operational policies, procedures and processes
What you need to do
- Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis
- Bring data protection policies and privacy notices in line with the GDPR
- Where relying on consent, ensure quality of consent meets new requirements
- Review and update employee, customer, and supplier contracts
- Plan how to recognize and handle data access requests and provide responses within a month
- Have in place a process for determining whether a DPIA is required
- Review whether the mechanisms for data transfers outside the EU are compliant
Solutions to help you improve your policies and procedures:
- GDPR Toolkit: demonstrating your GDPR compliance is essential. Our GDPR Documentation Toolkit gives you a complete set of easily customizable GDPR-compliant documentation templates, to help you demonstrate your compliance with the GDPR's requirements.
- GDPR Manager: the Gap Analysis module gives you instant visibility of your current compliance status, allowing you to easily identify the actions you need to take to protect your personal data in compliance with the GDPR and in conformance to BS 10012:2017.
6. Secure personal data through procedural and technical measures
The GDPR requires organizations to implement “appropriate technical and organizational measures” to ensure that personal data is processed appropriately.
What you need to do
- Have an information security policy
- Put in place basic technical controls such as those specified by established frameworks such as Cyber Essentials
- Use encryption and/or pseudonymization where appropriate
- Ensure policies and procedures are in place to detect, report, and investigate a personal data breach
Solutions for improving data security measures:
- The UK Cyber Essentials Scheme: Cyber Essentials is a world-leading, cost-effective assurance mechanism for companies to demonstrate their use of important basic cyber security controls when operating in the UK.
- Penetration testing: undertake a security assessment of your websites and IT systems to ensure there is adequate protection against cyber attacks.
7. Communications
Maintaining your compliance with the GDPR relies heavily on your staff properly understanding what they should do and why. Everyone involved in processing data must be appropriately trained to follow approved processes and procedures.
What you need to do
- A GDPR project is a business change venture – effective internal communications with stakeholders and staff are key
- Employees need to understand the importance of data protection and be trained on the basic principles of the GDPR and the procedures being implemented for compliance
8. Monitor and audit compliance
GDPR compliance is an ongoing project – a journey rather than a destination. You should undertake periodic internal audits and update your data protection processes, including checking your records of processing activities and consent, testing information security controls, and conducting DPIAs.
What you need to do
- Schedule regular audits of data processing activities and security controls
- Keep records of personal data processing up to date
- Undertake DPIAs where required