A Systematic Approach to GDPR Compliance
The General Data Protection Regulation (GDPR) was introduced in April 2016 and became enforceable on 25 May 2018. It applies to the processing of personal data of data subjects (natural persons) within the EU by data controllers and processors, regardless of where in the world the processing takes place. The GDPR is here to stay for years to come, and compliance is not optional.
Acknowledge these facts and commit firmly to making it work for your organisation, and you will reap benefits across the entire enterprise.
GDPR compliance is not achieved through a “once-and-done” project; it requires an ongoing commitment to accountability, maintenance and support by everyone for an organisation to stay compliant.
ACTINUM Limited recommends following the proven systematic steps outlined below to become and stay GDPR compliant. You can count on ACTINUM Limited to help you all the way with our comprehensive service offering.
Establish Clear Accountability for GDPR Compliance in the Boardroom
- Get the Boardroom “on board” through regular updates and coaching.
- Gain firm commitment from the Boardroom, document it and communicate it. Only a genuine desire for accountability at the highest level, backed by visible and verifiable support, will ensure lasting organisational change and ongoing compliance.
- Assign a GDPR sponsor from within the Boardroom team (e.g. for a limited company, a director registered at Companies House).
- Check that your organisation is registered with the ICO, as required. Take the ICO’s registration self-assessment.
- Determine whether you are required to appoint a Data Protection Officer (DPO), or wish to appoint one voluntarily; the DPO reports to the highest level of management.
- Review your corporate risk management processes and risk register and incorporate Data Protection into it.
Define the scope of your GDPR compliance programme
- Appoint a change / project manager with a background in data protection / GDPR who reports either to the DPO or to the boardroom sponsor.
- Determine which parts of your business are in scope of your GDPR compliance programme (e.g. sub-units, territories, etc.), and define separate project stages / waves to reduce complexity if needed.
- Identify existing policies, procedures and processes.
- Build in data protection by design from the beginning of every change you plan to apply.
- Nymity Research™ (now TrustArc) has identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance, and has mapped these to the Nymity Privacy Management Accountability Framework™. The result is the identification of 55 “primary” technical and organisational measures that, if implemented, may produce documentation that helps demonstrate ongoing compliance with your GDPR obligations (some activities may not apply to your organisation).
Conduct a structured gap analysis
- Document your current position. Start Top-Down.
- Determine what gaps there are vis-à-vis GDPR requirements.
- Identify and prioritise any required remediation actions.
Create a data inventory and document how data flows through your processes and systems
- What categories of data do you hold? Any special category data?
- Where does the data come from, where is it sent to?
- What are the lawful bases for the processing? Why?
- Conduct Legitimate Interest Assessments (LIA) where required, balancing your interests with the rights and freedoms of the individual data subjects.
- If you send your data outside the UK / EU / EEA boundaries, perform a Transfer Impact Assessment (TIA).
- Review and determine data retention periods.
- Identify, appraise and prioritise risks in your data processing activities.
- Determine if Data Protection Impact Assessments (DPIAs) are required.
Update and develop policies, procedures and processes
- Update externally facing privacy statements and cookie notices and banners, as well as internal data protection and security policies.
- Determine how you identify and handle data subject rights requests, including Data Subject Access Requests (DSARs).
- Determine how you manage personal data breaches and respond within the 72-hour deadline. Test the effectiveness of your response processes annually, like a fire drill.
- Document your Record of Processing Activities (ROPA) with respect to personal data.
- List, review and update your contracts (e.g. with processors, employees, vendors, etc).
- Determine how you identify if a DPIA is required, and how to execute it.
- Review your existing data transfers outside the EEA for compliance.
- Define current consent mechanisms and ensure GDPR compliance (you may need to update your website).
- If your organisation sends electronic marketing messages, consider the Privacy and Electronic Communications Regulations (PECR) as well as GDPR.
- Clean up your databases and purge data where indicated.
Ensure data security through organisational and technical measures
- Update / document your information security policy.
- Determine who has access to which systems, what data, and why.
- Implement controls, e.g. Cyber Essentials.
- Work with your IT provider(s) (in-house and/or outsourced) to implement encryption and/or pseudonymisation of personal data.
- Determine how you identify and process data breaches.
Management of Change / Communications
- Review and update job specs where indicated.
- Create / update your organisational training plan with respect to GDPR.
- Train your staff regularly in the principles of GDPR and their roles and responsibilities in adhering to your (updated) policies and procedures.
Ongoing Compliance Monitoring and Maintenance
- Schedule regular audits of data processing activities and security controls.
- Keep your records, policies, procedures, and contracts up-to-date.
- Undertake DPIAs where required.
- Monitor and actively manage data subject rights requests (DSARs), and respond within 30 days.
- Monitor and manage personal data breaches, and respond within 72 hours.
- Regularly report to the Boardroom the status of your organisation’s GDPR compliance and risks.
You can rely on ACTINUM Limited to guide you through your compliance programme using the systematic approach outlined above. Our advice and deliverables are aligned with guidance provided by the ICO.
We approach our work with an Agile mindset and recommend short, targeted iterations (preferably days, not weeks). This leaves you firmly in control of your budget, spending according to your business priorities and within your affordability parameters. After each iteration you decide what to do next.
We recommend that each iteration is delivered on a pre-agreed fixed-fee, fixed-scope basis, which provides you with targeted and pragmatic solutions, along with recommendations for next steps, for as long as needed.
As part of our services, we work with you to update and/or create policies and process documentation that is tailored to your specific needs, because no one-size fits all.
The services that ACTINUM Limited delivers are mostly technology-agnostic. However, you can gain additional benefits from the fact that we are an associate of OneTrust, a global leader in GDPR and Privacy Management Software.
Where appropriate, ACTINUM Limited uses OneTrust software during our service delivery at our discretion, but we are not a SaaS reseller. However, on your instruction, we are happy to facilitate a short trial period during which we support you in assessing the suitability of the OneTrust GDPR Platform for your specific circumstances and requirements (“try before you buy”).
ACTINUM Limited are not lawyers and the advice we provide is general business advice only. Although we are very proud of our deep knowledge of EU data protection and privacy laws and practices, the advice we provide is not formal legal advice. You are strongly advised to engage with your lawyer and seek independent legal advice if you are in any doubt.
ACTINUM Limited takes all reasonable care to ensure that our services and advice are fair and accurate but we cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this web-site, however such loss or damage is caused.