
GDPR compliance checklist: the key steps to GDPR compliance

If your organization is based in North America and the EU General Data Protection Regulation (GDPR) applies to you, the ability to prove GDPR compliance is critical. A comprehensive and effective privacy compliance framework generates the evidence needed to support your compliance claims.

This checklist – with recommended solutions – highlights the essential steps you need to take to prepare for the GDPR and demonstrate compliance.


1. Establish an accountability and governance framework

To do

  • Brief management on GDPR risks and benefits
  • Gain management support for a GDPR compliance project
  • Assign a director with accountability for the GDPR
  • Incorporate data protection risk into the corporate risk management and internal control framework


We recommend

EU GDPR & EU-US Privacy Shield – A Pocket Guide

US organizations that process EU residents’ personal data will be able to comply with the GDPR via the EU-US Privacy Shield. This pocket guide provides an essential introduction to this new data protection law, explaining the Regulation and setting out the compliance obligations for US organizations in handling data of EU residents, including guidance on the EU-US Privacy Shield.



2. Scope and plan your project

To do

  • Appoint and train a project manager, and appoint a data protection officer (DPO) if necessary
  • Identify which entities will be in scope: business units, territories, jurisdictions
  • Identify your organization’s lead supervisory authority in the EU
  • Identify other standards or management systems that could provide a framework for compliance, e.g. implementing ISO 27001 demonstrates information security best practice
  • Assess the principle of data protection by design and by default against current or new processes and systems
  • Consider Brexit implications in your planning


We recommend

EU GDPR – An Implementation and Compliance Guide

This guide details the Regulation’s requirements and provides practical advice on implementing a compliance framework.



Certified EU GDPR Foundation and Practitioner Combination Course

Gain knowledge of the GDPR, and a practical understanding of the methods and tools for implementing and managing an effective compliance framework.



DPO as a service (GDPR)

DPO as a service is a practical and cost-effective outsourced solution for organizations that lack the data protection expertise and knowledge needed to fulfill their DPO obligations under the GDPR.



3. Conduct a data inventory and data flow audit

To do

  • Assess the categories of data held, where it comes from, and the lawful basis for your processing
  • Map data flows into, within, and from your organization
  • Use the data map to identify the risks in your data processing activities and whether a data protection impact assessment (DPIA) is needed


We recommend

Data Flow Mapping Tool and Compliance Manager

This cloud-based software simplifies the creation of data flow maps, giving you a thorough understanding of what personal data your organization processes. Integration with Compliance Manager lets you track your compliance with the GDPR articles.


GDPR data flow audit

Receive, through an onsite audit, an inventory of the types of personal data collected and processed in your organization, and a data flow map.



4. Conduct a detailed gap analysis

To do

  • Audit your current compliance position against the GDPR’s requirements
  • Identify compliance gaps requiring remediation


We recommend

EU GDPR Compliance Gap Assessment Tool

This questionnaire-driven tool helps you assess your organization’s compliance position and identify gaps for remediation.


GDPR Gap Analysis

Get an on-site assessment of your organization’s privacy management and data protection practices, and a report summarizing compliance gaps and remediation recommendations.



5. Develop operational policies, procedures, and processes

To do

  • Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis
  • Bring data protection policies and privacy notices in line with the GDPR
  • Where relying on consent, ensure quality of consent meets new requirements
  • Review and update employee, customer, and supplier contracts
  • Plan how to recognize and handle data access requests and provide responses within a month
  • Have in place a process for determining whether a DPIA is required
  • Review whether the mechanisms for data transfers outside the EU are compliant


We recommend

EU GDPR Documentation Toolkit

A complete set of easy-to-use and customizable documentation templates, worksheets, and policies to document compliance with the GDPR.



6. Secure personal data through procedural and technical measures

To do

  • Have an information security policy
  • Put in place the basic technical controls specified by established frameworks such as Cyber Essentials
  • Use encryption and/or pseudonymization where appropriate
  • Ensure policies and procedures are in place to detect, report, and investigate a personal data breach


We recommend

Cyber Essentials

Cyber Essentials is a world-leading, cost-effective assurance mechanism for companies to demonstrate their use of important basic cyber security controls.


Penetration testing

Undertake a security assessment of your websites and IT systems to ensure there is adequate protection against cyber attacks.



7. Communications

To do

  • A GDPR project is a business change venture – effective internal communication with stakeholders and staff is key
  • Employees need to understand the importance of data protection and be trained on the basic principles of the GDPR and the procedures being implemented for compliance


We recommend

GDPR Staff Awareness e-learning Course

This simple-to-use interactive modular e-learning program for employees introduces the GDPR and the key compliance obligations for organizations.



8. Monitor and audit compliance

To do

  • Schedule regular audits of data processing activities and security controls
  • Keep records of personal data processing up to date
  • Undertake DPIAs where required


Speak to an advisor

Please contact our GDPR team for advice and guidance on our products and services.