5 steps to success for GDPR

Actions speak louder than words, and the same can be said for GDPR. It’s not enough simply to say that you’re compliant with the GDPR and the updated Data Protection Act. The challenge is to show that you are compliant, and that you can manage that compliance on an ongoing basis.

We’ve put together a simple approach to GDPR that will allow you to easily demonstrate that you can be trusted and are on the path to GDPR success.

Your GDPR preparations

We have boiled this down into two areas: the checklist from the Information Commissioner’s Office (ICO), and the way you plan to evidence your responses to it.

The ICO’s data protection self-assessment is a set of 7 checklists which ask you 120 questions about how you currently manage personal data. They cover questions for data controllers and processors, information security, direct marketing, records management, data sharing and subject access, and CCTV.

Once you have completed the self-assessment, pause to prioritise the work required against your budget and the resources you have. Priority should go to the biggest and most obvious threats and issues you face, for example demands from powerful stakeholders.

You will then want to think about how you are going to answer and evidence the 120 questions in the self-assessment. We suggest breaking the work down into eight areas, both for the initial implementation and for sustaining and improving it afterwards.

1 – Information (and processing assets) you hold:

  • Personal data inventory and mapping of information flows
  • Records of processing tracker (the Article 30 record of processing activities)
  • Asset register / inventory

2 – Risks: Confidentiality, Integrity, Availability

  • Identification & evaluation
  • Ongoing management including the demonstration of policies and controls in place and regular review of risks

3 – Policies and Controls Management:

  • Individuals’ rights and privacy policies & controls, based on the risks
  • Information security policies & controls, based on the risks
  • Alignment of policies and controls with recognised standards, certifications and regulatory frameworks (where required to meet stakeholder expectations)
  • Regular reviews and demonstrating those have taken place

4 – Assessments and Requests to ensure privacy and security by design:

  • Legitimate Interest Assessments
  • Data Protection Impact Assessments
  • Subject Access Requests

5 – Incidents and BCP:

  • Security Incident Management
  • Business Continuity Planning and execution

6 – Staff:

  • Communications & awareness around privacy and information security – planned and as needs arise
  • Dynamic & continuous compliance as the organisation changes its policies, controls and practices

7 – Supply Chain:

  • Communications & awareness around privacy and information security – planned and as needs arise
  • Dynamic & continuous compliance as the organisation changes its policies, controls and practices
  • Contracts, contacts and relationship management
  • Beyond suppliers into go-to-market partners and others with access to personal data

8 – Whole System Coordination and Assurance:

  • Reporting and monitoring
  • Audits and reviews management
  • Visibility of progress and status at all times

Implementing your GDPR work…

…from the top down

Step 1 – Capture and document the information you hold, in line with the records of processing requirement, from both the controller and the processor perspective.

Step 2 – Assess the risks and identify ways of protecting the information and upholding individuals’ rights to privacy.

Step 3 – Describe the policies, controls and other safeguards. The ICO checklist is useful again here, as it shows where the ICO expects you to have cover.

Step 4 – Demonstrate that this works in practice: your operational data processing systems, staff, supply chain and other interested parties should all be able to show understanding and compliance.

Step 5 – Monitor, review, audit and improve the whole system over time to deliver the commitment to privacy and information security that the ICO expects.

…and from the bottom up

Go back and review all of the ICO checklist questions and best practice guidance. This will give you a basis to demonstrate that you have considered each area of the GDPR.

Approaching GDPR using ISMS.online

We’ve created the following video for our customers that details how you can use the ISMS.online platform to create a quick gap analysis, follow the ICO steps to achieving GDPR compliance, and successfully manage it for the years to come.

Anna Taylor, the Operations Director at RecruitmentRevolution says…

“There’s no getting away from how complex GDPR is but the platform helps to put it all into perspective. ISMS.online makes it simpler to see what still needs to be done and gives practical content, tips and tools to help you meet the requirements. We have no idea how we would manage GDPR on an ongoing basis without it.”


The information in this blog is for general guidance and does not constitute legal advice.

Mark is the founder and Chief Executive of Alliantist, the organisation behind ISMS.online and pam, as well as the author of Alliance Brand – Fulfilling the Promise of Partnering.
