In the first of three articles on EU General Data Protection Regulation (GDPR) compliance, we explain the first steps towards starting a compliance project and provide details on IT Governance solutions for those that need extra help.
- Establish an accountability and governance framework
The board must understand the GDPR's implications in order to support the project and allocate the resources required to complete it. A director will need to be assigned accountability for the GDPR; data protection risk will need to be incorporated into the corporate risk management and internal control framework.
- Our book EU GDPR & EU-US Privacy Shield – A Pocket Guide is perfect for these first stages.
- Create a project team
A person or team must control the project, and they will need a significant understanding of the business and of how the GDPR applies to its operations.
- Our Certified EU General Data Protection Regulation Foundation and Practitioner training courses will give your team the knowledge and skills required to implement an effective compliance program and fulfil the data protection officer (DPO) role.
- Our book GDPR – An Implementation and Compliance Guide is a useful resource for the project team.
- Scope and plan the project
Once the GDPR team is aware of the ins and outs of the Regulation, it will need to work out what parts of the business fall within the scope of the GDPR (business units, territories and jurisdictions). The team will also need to identify which standards and management systems may be affected or could contribute to GDPR compliance, e.g. ISO 27001. Speak to your IT team to find out if there are any projects starting soon that involve personal data, as these will be candidates for “privacy by design.” The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery but also from the inception of the product.
Conducting a data protection impact assessment (DPIA) helps organizations identify, assess and mitigate the privacy risks associated with data processing activities. DPIAs are particularly relevant when a new data processing system, process or technology is being introduced, so that you can implement privacy by design.
Our GDPR – DPIA service provides an on-site assessment by one of our experienced data protection consultants. Contact one of our account managers for details.
In the next blog: steps 4–6.
Compliance is a journey and time is required to become and remain compliant – start today by contacting us.