The clock is ticking down to the General Data Protection Regulation (GDPR) coming into effect in May 2018. But have you started your compliance project yet? If you haven’t, you risk being in non-compliance come 25 May. Neil Ford of IT Governance outlines 10 aspects of the GDPR that your review must cover.
The May 2018 General Data Protection Regulation (GDPR) compliance deadline is looming. Every organisation that processes personal data must be in compliance with the new law by 25 May or risk substantial regulatory fines from the Information Commissioner’s Office and legal action from aggrieved data subjects.
If you haven’t already, you must start your compliance project straight away or risk being in non-compliance. Make no mistake: this is a complicated activity that will significantly affect how your firm does business, and the clock is ticking.
If you have begun your compliance project, you’ll know that a good approach is to establish what you don’t already do – assess your current workflows, processes and procedures – to identify the compliance gaps that you need to fill.
Below is a checklist of 10 essential areas of the GDPR that you will need to review as part of your project.
1. Data protection governance – the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls and reporting mechanisms to monitor compliance are in place and operating throughout your firm.
2. Risk management – is privacy risk included in your corporate risk register? What corporate arrangements are in place for privacy risk management across your firm? To what extent does the corporate risk regime incorporate information-specific risks? Which risks to the rights and freedoms of natural persons are addressed?
3. GDPR project – the extent to which an appropriately staffed, funded and supported GDPR project is in place, and capable of delivering realistic objectives by 25 May 2018.
4. Data protection officer (DPO) – is a DPO mandatory, has one been appointed, is the role positioned appropriately and is the individual capable of delivering against the GDPR requirements?
5. Roles and responsibilities – the extent to which roles and responsibilities are defined and established through your firm, including necessary training and awareness.
6. Scope of compliance – it is essential that the scope of compliance is clearly defined, taking into account all the data processing in which your firm has a role, whether as a data controller or as a data processor, as well as any data-sharing activity. In order to determine the scope of compliance, you also need to identify all the databases that hold personal data, as well as all extraterritorial/cross-border processing.
7. Process analysis – it is essential to identify the extent to which each of the data processing principles is established for each process that involves personal data. The lawful basis for processing is a key area of consideration. Are there any processes for which a data protection impact assessment (DPIA) is mandatory, and for which processes might a DPIA help establish data protection by design and data protection by default?
8. Personal information management system (PIMS) – there is a wide range of documentation that is necessary to ensure you can effect and demonstrate compliance with the GDPR, such as a data protection policy, a data breach notification procedure, subject access request forms and procedures, data protection impact assessments, and consent forms. The scale of the documentation should be appropriate to the size and complexity of your firm. The PIMS should also address staff training and awareness.
9. Information security management system (ISMS) – the technical and organisational measures in place to ensure that there is adequate security of personal data held in hard copy or electronic form, or processed through your systems. This includes a review of methodologies for testing security, and established cybersecurity certifications, standards and codes of practice.
10. Rights of data subjects – you will need processes that will enable you to both facilitate and respond to data subjects exercising any or all of their rights.
By approaching your GDPR compliance in this way, you can prioritise your project and plan to tackle each area within appropriate timeframes and budgets.