GDPR Advisor

GDPR Compliance - 12 Step Guide

Whether we complete the Gap Analysis or not, we can assist in the actual GDPR compliance process, by providing advice and support on achieving GDPR compliance.

GDPR Compliance - 12 Essential Steps

1. Ensure consent can be demonstrated for all Personal Data held.

Ensure that you have a legal basis for processing the personal information that you hold and, if you are depending upon consent, establish a procedure to obtain the Data Subject's consent and a process to record it. Any personal information for which you don't have a legal basis to continue processing on 25th May 2018 must be deleted or anonymised.

Parental/Guardian consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13. It will be necessary to record and demonstrate not only the consent but proof that the person is actually the parent or guardian of that child.

2. Carry out a "Data Protection Impact Assessment" DPIA - where REQUIRED.

A risk-based approach must be adopted before undertaking higher-risk data processing activities. 

Data controllers will be required to identify processes that have an associated risk and will need to quantify that risk by carrying out an in-depth "Data Protection Impact Assessment" to ensure the security, integrity and accuracy of the data.

3. Document every process

A data subject has the right to access all the data an organisation holds on them and because of this, any personal information processing systems will need to be documented.

Data processors will have direct legal obligations and responsibilities, which means that processors (external companies processing your data) can be held liable for data breaches. Contractual arrangements will need to be updated to stipulate responsibilities and liabilities between the controller and processor; these will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.

4. Formalise the agreements and processes for transferring data

Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmittable to another processing system.

Anytime a Controller wishes to transfer data to a third party in the EEA (a Processor) or store data on a server on the internet in the EEA, there will need to be a written agreement in place with all those data processors to ensure that they agree to protect and process that data in accordance with GDPR.

You will not be allowed to transfer data to a third country that is not considered by the EU as having adequate data protection laws without a full DPIA and possible approval by the ICO. List of approved countries.

Following the European Court declaration in October 2015 that the Safe Harbour data transfer agreement with the USA was invalid, a new framework for transatlantic data flows, called the EU-US Privacy Shield, was established in February 2016. Any organisation wishing to transfer data to the USA will need to ensure that it has a Privacy Shield agreement in place with each receiving organisation. List of US Organisations signed up to the Privacy Shield.

5. Appointment of a Data Protection Officer (DPO)

Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" or where the entity conducts large-scale processing of "special categories of personal data".

Firms whose core business activities are not data processing are exempt from this obligation.

The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.”

The DPO will oversee the implementation of GDPR within the organisation, report to the board and be the main contact with the Information Commissioner's Office (ICO).

6. Evaluate the organisation's Data Security

An assessment will need to be carried out of the security and protection currently implemented in every part of the organisation that processes personal data, to ensure that every measure is put in place to prevent a data breach which could result in risks to the rights and freedoms of a natural person.

7. Monitoring processes to ensure continuing GDPR compliance.

There will need to be constant monitoring for any changes made in the organisation's processing of personal data and a full "Data Protection Impact Assessment" completed before changing processes.

8. Data subjects have the right to know the personal data held

There will need to be a procedure in place to ensure that any request from a Data Subject for the Personal Information held by an organisation can be fulfilled within 1 month of the request. The Data Subject also has the right to have data corrected, suspended or deleted, and can even withdraw their consent for its use altogether.

9. Provide the IT security solutions

SecureDesk provide a portfolio of tools to help secure data within an organisation, including obtaining a Cyber Essentials or Cyber Essentials Plus certificate.

10. Complete an external security risk assessment

To validate the security for each organisation, it is recommended that a Cyber Essentials evaluation is completed and SecureDesk Limited can help you obtain this.

11. Establish a staff training program

Cyber Security is essential but without training staff about the risks and vulnerabilities of processing data, all the efforts to comply with GDPR could be lost in one simple employee slip, so staff training is vital.

12. There are new requirements for data breach notifications

A system needs to be established to report data breaches.

Data controllers will be required to report data breaches to their data protection authority (in the UK that is the ICO) unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified.

Where the risk to individuals is high, then the data subjects must be notified, although a specific timescale is not specified by the Regulation. Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.

Does your Organisation need help with its GDPR Compliance?

Please feel free to contact us using the telephone number or contact form below.
Contact Us - Telephone 01296 328448

SecureDesk Limited
Suite 12, Midshires House,
Midshires Business Park,
Smeaton Close,
HP19 8HL

Telephone - 01296 328448
VAT No - 924 6049 24