Practical steps to GDPR compliance

Compliance with the General Data Protection Regulation (GDPR) is an information security governance issue as well as a legal issue. With this in mind, organisations may benefit from an approach that covers the legal, technical and operational aspects at the same time to allow for a smooth transition to GDPR compliance. The following steps show how this can be rolled out in practice.
 

Step 1: Get management engagement

Becoming GDPR compliant could involve a significant commitment and culture change for your organisation. It is important that top levels of management know this and you discuss strategy with them at the start of the project.

Step 2: Raise awareness

Training for those involved in data processing in your organisation is a key part of GDPR compliance. Cover GDPR standards generally and the practical impact GDPR will have on the organisation.

Step 3: Appoint GDPR resource

Check if your organisation needs a Data Protection Officer as soon as possible. This can be an external or internal appointment. Also, set up a core internal or external GDPR team representing key operational business areas to manage the compliance project.

Step 4: Carry out a data audit

Mapping the data flows in and out your organisation will give you a useful insight into relevant data protection issues and form the basis for the project.

Step 5: Identify the gaps and make a plan

Using the output for the data audit, identify areas of non-compliance and prepare a Treatment Plan together with implementation timescales.

Step 6: Communicate the Treatment Plan

Explain the plan and timescales to key personnel in the organisation so they can allocate resources for successful implementation.

Step 7: Implement the plan

Implement your Treatment Plan, for example reviewing and updating privacy notices, reviewing organisational and technical measures, and updating outsourcing arrangements and data sharing processes.

Step 8: Stay compliant

Once the GDPR requirements have been met, you need to put in place an ongoing compliance programme and monitor it. This may include regular training sessions, privacy impact assessments for new products or systems and data audits.

This guidance is based on our understanding of current law and practice, which may be subject to future change. It is intended to give general guidance only and does not constitute any form of legal advice or recommendation. You should take professional advice before acting on the material contained in this guidance.