Compliance with the General Data Protection Regulation and Data Protection Act 2018 (together referred to here as ‘the GDPR’) is an information security governance issue as well as a legal issue. With this in mind, organisations may benefit from an approach that covers the legal, technical and operational aspects at the same time, allowing for comprehensive data protection compliance. The following steps show how this can be rolled out in practice.
Step 1: Get management engagement
Becoming GDPR compliant could involve a significant commitment and culture change for your organisation. It is important that top levels of management know this and that you discuss strategy with them at the start of the project.
Step 2: Raise awareness
Training for those involved in data processing in your organisation is a key part of GDPR compliance. This should cover GDPR standards generally and the practical impact GDPR will have on the organisation and its operation.
Step 3: Appoint GDPR resource
Check if your organisation needs a Data Protection Officer as soon as possible. This can be an external or internal appointment. Even if your organisation is not legally required to have a DPO, you may wish to appoint one anyway to ensure good data protection practice and mitigate data-related risks. If you do not have a DPO, ensure someone has responsibility for your organisation’s data protection compliance. Also, set up a core internal or external GDPR team representing key operational business areas to feed into data protection and the compliance project on an ongoing basis and to support the compliance lead.
Step 4: Carry out a data audit/gap analysis
Carry out a Data Protection Audit/Gap Analysis to identify compliance levels and any gaps that need to be addressed. This should be used to create a privacy compliance plan to support your organisation’s compliance with GDPR.
Step 5: Identify the gaps and make a plan
Assign responsibility for ensuring that actions to address any gaps highlighted by the Data Audit and Gap Analysis are completed, taking into consideration expertise, resources and capacity. This may include, for example, reviewing and updating privacy notices, reviewing organisational and technical measures, and updating outsourcing arrangements and data-sharing processes. It is important to stay compliant, so even when your organisation has completed its compliance plan, we would recommend you review your compliance measures annually, or more frequently if needed.
This guidance is based on our understanding of current law and practice, which may be subject to future change. It is intended to give general guidance only and does not constitute any form of legal advice or recommendation. You should take professional advice before acting on the material contained in this guidance.