Step 1: Get management engagement
Becoming GDPR compliant could involve a significant commitment and culture change for your organisation. It is important that the top levels of management understand this and that you agree the strategy with them at the start of the project.
Step 2: Raise awareness
Training for those involved in data processing in your organisation is a key part of GDPR compliance. Cover GDPR standards generally and the practical impact GDPR will have on the organisation.
Step 3: Appoint GDPR resource
Check if your organisation needs a Data Protection Officer as soon as possible. This can be an external or internal appointment. Also, set up a core internal or external GDPR team representing key operational business areas to manage the compliance project.
Step 4: Carry out a data audit
Mapping the data flows into and out of your organisation will give you useful insight into the relevant data protection issues and form the basis for the project.
Step 5: Identify the gaps and make a plan
Using the output of the data audit, identify areas of non-compliance and prepare a Treatment Plan together with implementation timescales.
Step 6: Communicate the Treatment Plan
Explain the plan and timescales to key personnel in the organisation so they can allocate resources for successful implementation.
Step 7: Implement the plan
Implement your Treatment Plan, for example reviewing and updating privacy notices, reviewing organisational and technical measures, and updating outsourcing arrangements and data sharing processes.
Step 8: Stay compliant
Once the GDPR requirements have been met, you need to put in place an ongoing compliance programme and monitor it. This may include regular training sessions, privacy impact assessments for new products or systems and data audits.