Get Ready for GDPR: A Comprehensive 9 Step Plan for Compliance

The General Data Protection Regulation (GDPR) represents one of the most significant and far-reaching changes to data protection law in recent times. Implemented on 25 May 2018, this legislation has revolutionised how organisations collect, store, and use personal data within the European Union (EU) and beyond. Any organisation, irrespective of its location, that processes the personal data of EU citizens must adhere to the GDPR or face potentially hefty fines. Therefore, a robust and well-thought-out plan is essential to ensure compliance and avoid the pitfalls associated with non-conformance.

This comprehensive 9-step plan will guide you through the crucial measures your organisation needs to take to ensure compliance with GDPR.

Understand the GDPR

Before implementing any plan, it’s vital to understand the core principles and requirements of the GDPR. The regulation is built upon several key concepts, including the need for transparency, accountability, and security when handling personal data.

Under GDPR, personal data is defined as any information that can identify an individual, directly or indirectly. This includes names, email addresses, IP addresses, and even behavioural data such as browsing history. The regulation also distinguishes between data controllers and data processors. The data controller is responsible for determining the purposes and means of data processing, while the processor handles the data on behalf of the controller.

Key principles under the GDPR include:

  • Lawfulness, fairness, and transparency: Personal data must be processed in a lawful and transparent manner.
  • Purpose limitation: Data must be collected for specified, legitimate purposes and not processed further in a manner incompatible with those purposes.
  • Data minimisation: Only data necessary for the specific purposes should be collected and processed.
  • Accuracy: Personal data must be accurate and up to date.
  • Storage limitation: Data should only be retained for as long as necessary.
  • Integrity and confidentiality: Personal data must be processed securely to ensure its protection from unauthorised access.

By understanding these foundational principles, organisations can better assess the potential impact of GDPR on their operations and the changes that may be required.

Conduct a Data Audit

A thorough data audit is one of the first tangible steps towards GDPR compliance. This involves mapping out the flow of personal data across the organisation, identifying where it is stored, how it is used, and who has access to it.

During the audit, focus on:

  • Data collection: Identify all the personal data your organisation collects. This could include information from customers, employees, suppliers, and partners.
  • Data storage: Determine where and how data is stored, whether on physical servers, in the cloud, or in paper form.
  • Data sharing: Identify the third parties with whom you share data, such as vendors, partners, or service providers.
  • Data retention: Evaluate how long the data is kept and whether this is necessary for the stated purposes.
  • Data security: Assess the security measures currently in place to protect personal data.

A comprehensive data audit will provide a clear overview of the current data landscape within your organisation and help you pinpoint areas of risk or non-compliance.

Appoint a Data Protection Officer (DPO)

Under the GDPR, some organisations are required to appoint a Data Protection Officer (DPO). While not all businesses are mandated to have a DPO, it is a good practice for those processing large amounts of personal data or handling particularly sensitive information to consider this role.

A DPO is responsible for overseeing data protection strategies, ensuring GDPR compliance, and acting as a point of contact between the organisation and regulatory authorities. They will also monitor internal compliance, manage data protection activities, and provide advice on data protection impact assessments.

Whether or not a formal DPO is required, every organisation should have a designated person or team responsible for GDPR compliance.

Ensure Lawful Basis for Data Processing

The GDPR requires that all processing of personal data rests on a lawful basis. There are six recognised lawful bases under the regulation:

  1. Consent: The individual has given clear consent for their data to be processed for a specific purpose.
  2. Contract: Data processing is necessary for the performance of a contract with the individual.
  3. Legal obligation: Processing is necessary to comply with a legal obligation.
  4. Vital interests: Processing is necessary to protect someone’s life.
  5. Public task: The processing is necessary to perform a task in the public interest or exercise official authority.
  6. Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, provided these are not overridden by the individual’s rights.

Each organisation should review its data processing activities and determine the appropriate lawful basis for each instance of data processing. If consent is being relied upon, it must be freely given, specific, informed, and unambiguous. Additionally, individuals must be able to withdraw their consent at any time, and doing so must be as easy as giving it.

Develop a Privacy Policy

A clear and comprehensive privacy policy is essential for GDPR compliance. This document should explain how your organisation collects, uses, and stores personal data, as well as the individual rights of data subjects.

A GDPR-compliant privacy policy should include:

  • Contact details: The name and contact information of the data controller or DPO (if applicable).
  • Purpose of data collection: The reasons why the personal data is being collected and how it will be used.
  • Lawful basis for processing: The legal basis for processing the data, such as consent or contractual obligation.
  • Data sharing: Information on whether personal data will be shared with third parties.
  • Data retention: Details of how long the data will be retained and the criteria used to determine this period.
  • Individual rights: An outline of the rights individuals have under GDPR, including the right to access their data, the right to rectify inaccurate data, and the right to have their data erased (also known as the “right to be forgotten”).

The privacy policy should be easily accessible to all individuals whose data is being collected and should be written in clear, understandable language.

Establish Procedures for Handling Data Subject Requests

Under GDPR, individuals (referred to as data subjects) are granted a range of rights concerning their personal data. These include:

  • The right to access: Individuals have the right to request access to their personal data and information about how it is processed.
  • The right to rectification: If data is inaccurate or incomplete, individuals can request it be corrected.
  • The right to erasure: Also known as the “right to be forgotten,” individuals can request their personal data be deleted under certain circumstances.
  • The right to restrict processing: In some situations, individuals can request that processing of their data be restricted.
  • The right to data portability: Individuals can request their data be transferred to another organisation in a commonly used, machine-readable format.
  • The right to object: Individuals can object to the processing of their personal data, particularly in cases involving direct marketing.

Organisations must establish procedures for handling these requests in a timely and efficient manner. GDPR mandates that organisations respond to requests within one month, with the possibility of an extension to two months in complex cases.

Having a clear plan for managing data subject requests will help ensure that these rights are respected and that compliance is maintained.

Implement Data Security Measures

Data security is a key component of GDPR compliance. Organisations must take appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or destruction.

Security measures will vary depending on the size and nature of the organisation, but they should include:

  • Encryption: Encrypt sensitive data both in transit and at rest to protect it from unauthorised access.
  • Access controls: Limit access to personal data to only those employees who need it for their work.
  • Regular security audits: Conduct regular audits to ensure that security measures are effective and up to date.
  • Employee training: Train employees on the importance of data protection and how to handle personal data securely.
  • Incident response plan: Develop a plan for responding to data breaches, including notification procedures and mitigation strategies.

GDPR requires that in the event of a data breach, the relevant supervisory authority must be notified within 72 hours unless the breach is unlikely to result in harm to individuals. In some cases, affected individuals must also be informed.

Review Data Processing Agreements with Third Parties

Many organisations rely on third-party vendors or service providers to handle aspects of data processing, such as cloud storage or payment processing. Under GDPR, data controllers are responsible for ensuring that any third-party processors they engage with comply with GDPR standards.

It is crucial to review all data processing agreements with third parties to ensure they meet GDPR requirements. The agreements should include provisions that outline:

  • The nature and purpose of the processing.
  • The types of personal data involved.
  • The obligations of the processor to implement appropriate security measures.
  • The processor’s obligations in the event of a data breach.
  • The requirement for the processor to return or delete personal data once the processing is complete.

Ensuring that third-party vendors comply with GDPR is an essential part of protecting the personal data of your customers and employees.

Conduct Regular Reviews and Audits

Achieving GDPR compliance is not a one-off task. Ongoing monitoring, reviews, and audits are essential to maintain compliance over time. Data protection practices should be regularly assessed to ensure they remain effective and up to date with evolving regulations and technological developments.

Regular internal audits will help identify areas where data protection policies or procedures need to be improved. Consider:

  • Updating policies: As your organisation changes, so too may your data processing activities. Regularly review and update your privacy policy and other data protection documents.
  • Monitoring new technologies: Implementing new systems or technologies may introduce new risks to data privacy. Assess the impact of these changes and update security measures as needed.
  • Keeping staff informed: Data protection is the responsibility of everyone in the organisation. Ongoing training and awareness programmes should be conducted to ensure that all employees understand their role in maintaining GDPR compliance.

By regularly reviewing and auditing your data protection practices, you can ensure that your organisation remains compliant with GDPR and that personal data is handled securely and ethically.

Conclusion

GDPR compliance is not just a legal obligation but an opportunity for organisations to demonstrate their commitment to protecting personal data and respecting the privacy of individuals. While the path to compliance may seem daunting, the steps outlined in this 9-step plan provide a comprehensive approach to navigating the complexities of the regulation.

By understanding the key principles of GDPR, conducting thorough data audits, implementing robust security measures, and fostering a culture of transparency and accountability, organisations can minimise risks and build trust with their customers and partners.

Remember, GDPR compliance is an ongoing process that requires constant vigilance and adaptation to new challenges. By following this plan, your organisation will be well-equipped to meet these demands and ensure that personal data is handled in a way that is both legally compliant and ethically responsible.
