The 12 steps to GDPR compliance

By Dr. Rey Leclerc Sveinsson, ERMProtect

The General Data Protection Regulation (GDPR) went into effect in May 2018, yet many multinational companies are still behind the compliance curve. This sweeping regulation requires organizations to meet stringent data protection requirements affecting the personal data of EU citizens and, for the first time, also applies to companies based outside of Europe. With severe penalties in play (fines of up to €20m or 4% of global annual revenues), corporations must implement actionable and efficient strategies to achieve compliance.

A gap assessment will determine if GDPR applies to your organization. A GDPR gap assessment, among others offered by ERMProtect, will save you a lot of money and time. During the gap assessment, ERMProtect can determine applicability of requirements; identify gaps and areas of risk across people, process and technology; and develop a pragmatic roadmap and compliance action plan.


ERMProtect's gap assessment roadmap includes policies and standards segmented into 12 components that will aid your organization toward GDPR compliance.

  • Governance and Accountability - The GDPR requires all organizations to implement a wide range of measures to reduce the risk of breaching the GDPR and to prove that they take data governance seriously. These include accountability measures such as Privacy Impact Assessments, audits, policy reviews, records of processing activities and appointing a data protection officer (“DPO”).
  • Data Protection Officer Role – Organizations must determine whether they are required to appoint a DPO. A determination and documentation of the determination must be in place when addressing the Data Protection Officer requirements.
  • Privacy by Design and Secure Processing - Organizations must implement technical and organizational measures to show that they have considered and integrated data compliance measures into their data processing activities.
  • Principles and Processing Activities – ERMProtect checks whether you’ve implemented processes and procedures for each GDPR principle involving personal data and determines whether a lawful basis for processing personal data has been identified and documented, as required.
  • Data Protection Impact Assessment - A methodology must be in place to assess risks for specific areas, systems or projects; to update system provisioning processes, policies, procedures, roles, and technical standards; and to review and align with an Enterprise Risk Framework. ERMProtect can develop a program with privacy risk management best practices or perform detailed data protection impact assessments. This includes how you uphold the rights and freedoms of data subjects.
  • Consent and Information Disclosures - Consent to use a subject’s data must be presented clearly and easily revoked. It is unlawful to require a subject to consent to use of his or her data in exchange for access to a service.
  • Data Subject Requests, Notifications and Communications - GDPR requires a standardized process to review and efficiently handle requests from data subjects to obtain the data collected on them, correct it or remove it. Data Subject Access Requests (DSARs) must be handled within 30 days.
  • Data Subject Rights - ERMProtect ensures you have a process in place for facilitating data subjects’ rights, including responding to Data Subject Access Requests (DSARs).
  • Transfers, Sharing and Third Parties - Transfers of personal data to recipients in “third countries” (i.e. outside of the European Economic Area (“EEA”)) continue to be regulated and restricted in certain circumstances. Breach of the GDPR’s data transfer provisions falls in the band of non-compliance issues for which the maximum level of fines can be imposed (up to 4% of annual turnover).
  • Training and Competency – A GDPR awareness campaign must address multi-channel stakeholders and offer specific training materials for employees, HR, IT, Customer Support, Marketing, and other key stakeholder areas.
  • Audits and Monitoring – A program should be in place to conduct an independent review and audit of your existing GDPR program to identify potential areas of improvement and ongoing compliance.
  • Breach Management – GDPR requires incident response preparedness, response and notification plans to help companies meet the 72-hour breach notification requirements.