Compliance with the EU General Data Protection Regulation (GDPR) should be a priority for all EU organisations, and for non-EU organisations that monitor the behaviour of, or offer goods and services to, EU residents.
The GDPR is far more extensive in scope and application than the current Data Protection Act. The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures, and adopt “appropriate technical and organisational measures”, to protect personal data.
If you are only just beginning your GDPR compliance project, you first need to assess your current stance against the requirements. It is unlikely you will be fully compliant by 25 May 2018, when the Regulation takes effect, but steps can be taken to demonstrate that you are making an effort to comply.
Doing this will clearly establish areas for development, and allow you to plan and prioritise your project effectively.
Assess your current stance against the GDPR
The newly updated EU GDPR Compliance Gap Assessment Tool identifies ten key areas that your organisation should analyse to establish its current stance against the requirements:
- Governance – awareness of the leadership team, management and functional management.
- Risk management – risk to the organisation, as well as risk to data subjects, as a result of a data breach.
- GDPR project – how is your organisation addressing the specific requirements to become compliant? For example, do you have a GDPR project team?
- Data protection officer (DPO) – are you required to appoint a DPO and have these requirements been met?
- Roles and responsibilities – identify roles that are likely to have responsibility under the GDPR and establish appropriate skills, knowledge and training.
- Scope of compliance – identify how much of your organisation is in scope of the privacy compliance framework.
- Process analysis – identify all the controller–processor relationships that involve data processing. This area is likely to form part of a data flow audit in a later stage of your GDPR compliance project.
- Personal information management system (PIMS) – a substantial area that looks at the documentation that enables you to demonstrate GDPR compliance in respect of managing personal data.
- Information security management system (ISMS), Principle 6 and Article 32 – an extensive area that looks at information security and how you are protecting the personal data of data subjects, as required by the integrity and confidentiality principle (Principle 6) and the security of processing requirements in Article 32.
- Rights of data subjects – you need to recognise data subjects’ rights and have procedures and technologies in place to help them exercise those rights.
The tool includes a comprehensive how-to video presented by IT Governance’s founder and executive chairman, Alan Calder, which takes an in-depth look at these ten key areas and gives detailed instructions on how to assess your organisation’s compliance status.
Get started on identifying gaps in your GDPR compliance
The EU GDPR Compliance Gap Assessment Tool helps organisations of all sizes and in all sectors work their way through the ten key areas needed for GDPR compliance.
The tool takes you through a series of questions and establishes your level of compliance with each area. Use this tool to:
- Quickly establish gaps between your current data protection regime and the GDPR;
- Plan and prioritise your GDPR project; and
- Establish areas for development.