Compliance with the General Data Protection Regulation (GDPR) is an information security governance issue as well as a legal issue. With this in mind, organisations may benefit from an approach that covers the legal, technical and operational aspects at the same time to allow for a smooth transition to GDPR compliance. The following steps show how this can be rolled out in practice.
Step 1: Get management engagement
Becoming GDPR compliant could involve a significant commitment and culture change for your organisation. It is important that senior management understands this and that you discuss strategy with them at the start of the project.
Step 2: Raise awareness
Training for those involved in data processing in your organisation is a key part of GDPR compliance. Cover GDPR standards generally and the practical impact GDPR will have on the organisation.
Step 3: Appoint GDPR resources
Check if your organisation needs a Data Protection Officer as soon as possible. This can be an external or internal appointment. Also, set up a core internal or external GDPR team representing key operational business areas to manage the compliance project.
Step 4: Carry out a data audit
Mapping the data flows in and out of your organisation will give you a useful insight into the relevant data protection issues and form the basis for the project.
Step 5: Identify the gaps and make a plan
Using the output of the data audit, identify areas of non-compliance and prepare a Treatment Plan together with implementation timescales.
Step 6: Communicate the Treatment Plan
Explain the plan and timescales to key personnel in the organisation so they can allocate resources for successful implementation.
Step 7: Implement the plan
Implement your Treatment Plan, for example reviewing and updating privacy notices, reviewing organisational and technical measures, and updating outsourcing arrangements and data sharing processes.
Step 8: Stay compliant
Once the GDPR requirements have been met, you need to put in place an ongoing compliance programme and monitor it. This may include regular training sessions, privacy impact assessments for new products or systems and data audits.
This guidance is based on our understanding of current law and practice, which may be subject to future change. It is intended to give general guidance only and does not constitute any form of legal advice or recommendation. You should take professional advice before acting on the material contained in this guidance.