Although the EU General Data Protection Regulation (GDPR) has come into effect, a large number of organisations are not yet compliant. A Ponemon Institute survey found that almost half of companies would not meet the 25 May 2018 deadline.
So, if you haven’t finished your compliance project or have only just started, don’t panic – you’re not alone.
To help, IT Governance has created a checklist to highlight the essential steps your organisation must take in order to become GDPR compliant.
- Establish an accountability and governance framework
You must secure support from management and assign a director who will be accountable for GDPR compliance. Data protection risk will need to be incorporated into the corporate risk management and internal control framework.
- Scope and plan your project
At this stage, if necessary, a data protection officer (DPO) must be appointed. You should also look at other frameworks that could help you with your compliance project, such as ISO 27001. The principles of data protection by design and by default should be assessed against your current or new processes and systems.
- Conduct a data inventory and data flow audit
You will need to look at the data that your organisation holds, where it comes from and what lawful basis you have for processing it. Mapping the data that flows throughout your organisation will enable you to identify the risks in your data processing activities.
- Conduct a gap analysis
A gap analysis will audit your current compliance position and identify the gaps that require remediation.
- Develop operational policies, procedures and processes
With the information gathered from the data flow audit and gap analysis, you will need to create Article 30 documentation. All data protection policies and privacy notices should be brought in line with the GDPR, and policies and procedures should be put in place to detect, report and investigate a personal data breach.
- Staff awareness
It is vital that your staff are aware of the importance of data protection and understand the basic principles of the GDPR. They should also be aware of the procedures that are being implemented to achieve compliance, as these may affect their role.
If you don’t know where to start, our GDPR Implementation Bundle will provide all the resources and tools you need to kick-start your project. It contains a documentation toolkit, gap analysis tool and an implementation and compliance guide.