Achieving and retaining compliance will be a long journey for any organization, so we put together what we think are the key stages of any GDPR compliance project, along with some IT Governance solutions to help you along the way.
4) Build a data inventory
To assess what measures are needed to align your data processing with the GDPR, you must first identify which categories of data are held, where the data comes from and the lawful basis for processing it. There are special categories of data that entail stricter processing rules, such as getting explicit consent from the data subject.
5) Conduct a data flow audit
It’s essential to understand the flow of personal data within the business, where it comes from and where it is sent. This will help you to identify risks in data processing activities and where controls are required.
You can then decide whether a data protection impact assessment (DPIA) is required to help identify, assess and mitigate or minimize privacy risks with data processing activities. The three primary conditions for a DPIA identified in the GDPR are:
- Systematic and extensive evaluation of personal details relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person. Similarly, any decisions that significantly affect the natural person are considered.
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
Our Data Flow Mapping Tool software allows you to create data flow maps with a simple, easy-to-use interface.
6) Conduct a detailed gap analysis
It’s vital to gain an understanding of your compliance level with the GDPR. A gap analysis highlights this as well as offers guidance on the key areas your organization must address. Our EU GDPR Compliance Gap Assessment Tool is designed to allow organizations to assess their own compliance status, and our GDPR Gap Analysis service provides an on-site assessment. One of our experienced consultants will supply a detailed report on the compliance status of your business and provide guidance on next steps.
In the third and final blog: steps 7–9.
Here’s the first blog of the series.