The GDPR (General Data Protection Regulation) has been in effect for almost seven months now, but many organisations still aren’t fully compliant with its requirements, and some are still only just getting started.
That’s obviously not ideal, but the good news is that organisations that are still working towards compliance don’t need to feel as though they’ve left it too late. The even better news is that IT Governance has created a step-by-step guide to show you exactly what you need to do.
- Establish an accountability and governance framework
You must secure support from management and assign a director who will be accountable for the GDPR. Data protection risk will need to be incorporated into the corporate risk management and internal control framework.
- Scope and plan your project
At this stage, if necessary, a data protection officer (DPO) must be appointed. You should also look at other frameworks that could help you with your compliance project, such as ISO 27001. The principles of data protection by design and by default should be assessed against your current or new processes and systems.
- Conduct a data inventory and data flow audit
You will need to look at the data that your organisation holds, where it comes from and what lawful basis you have for processing it. Mapping the data that flows throughout your organisation will enable you to identify the risks in your data processing activities.
- Conduct a gap analysis
A gap analysis will audit your current compliance position and identify the gaps that require remediation.
- Develop operational policies, procedures and processes
With the information gathered from the data flow audit and gap analysis, you will need to create Article 30 documentation. All data protection policies and privacy notices should be brought in line with the GDPR, and policies and procedures should be put in place to detect, report and investigate a personal data breach.
- Raise staff awareness
It is vital that your staff are aware of the importance of data protection and understand the basic principles of the GDPR. They should also be aware of the procedures that are being implemented to achieve compliance, as these may affect their role.