BEING GDPR COMPLIANT ISN'T JUST SOMETHING YOU DO,
IT'S SOMETHING YOU ARE!
Recital 78 of the GDPR states what GDPR is and how you do it:
"The protection of the rights and freedoms of natural persons with
regard to the processing of personal data require that appropriate
technical and organisational measures be taken to ensure that the
requirements of this Regulation are met."
The Recital goes on to say:
"In order to be able to demonstrate compliance with this Regulation,
the controller should adopt internal policies and implement
measures which meet in particular the principles of data protection
by design and data protection by default."
If you suffer a Data Breach, the ICO won't ask if you are GDPR compliant, they will want to know what you did to comply!
What the ICO will want to see is an audit trail of what you did as part of your due diligence for GDPR, showing that you can demonstrate your process towards GDPR compliance. They will want to see records of how you completed the process, when and how you trained your staff, what risk assessments you completed, what risks you included in the analysis and what mitigations you implemented to prevent a data breach. They will want to see that you have records of where you hold 'Personally Identifiable Information' (PII) in your organisation and what measures you have put in place to protect it.
Being GDPR compliant isn't simply a case of purchasing a set of Policy and Procedures and putting your name on them, it's about transformation and changing the way you manage, protect and control the distribution of PII.
It's about ensuring that when you process Personal Data, it is done lawfully, fairly and transparently.