Seven simple steps to GDPR compliance

As the GDPR compliance deadline looms ever closer, everyone seems to be asking the same question – is your business fully prepared for the new regulations?

We can’t lie, the time to get organised is slowly running out. But before panic sets in, the team at Pimble have put together some simple steps, which will help to get you focused on the task in hand and hopefully back on track.

So let’s get started!


Step One – Take responsibility


We begin with a relatively easy – but important – step. Whatever the size of your business, it will help to have at least one dedicated person who will take responsibility for GDPR compliance. This could be a Data Protection Officer, or someone who can oversee all the different aspects of becoming, and remaining, compliant.

Ensure management and stakeholders are fully briefed about your GDPR plans – mainly because you will need their support. Depending on your business size, you may require an additional budget or need extra personnel to ensure the right changes or technical upgrades are made.

At this point it will also help to make sure that data protection risk is incorporated into your company’s Risk Management or Internal Control framework.


Step Two – Get planning


Start by looking at the big picture. By that we mean identifying which areas of the business use, collect, store or move personal data. Knowing the amount of data you have and how you use it will help you identify which areas of the business will need closer inspection.

It may be useful to look at other standards or management systems that you have in place, to see how the processes they use may help. For example, if you have gained ISO 27001, you may already be following best practice for information security.

And don’t forget to plan ahead – it might not be happening for a while, but it’s worth considering how Brexit may affect any plans you want to put in place.


Step Three – Know what you have – and how you use it


Forewarned is forearmed, as the saying goes, so knowing how you currently collect, use and store data will mean you’re forearmed for the changes you’ll need to implement moving forward. It may help to map the journey of your data – from being collected through to where it goes within the business. Once you have this map you will have a clearer view of where there could be non-compliant procedures in place or higher risks of data breaches.

This may be a good time to consider whether a Data Protection Impact Assessment (DPIA) would be useful.


Step Four – Time to see what’s missing


Now that you have a thorough overview of current data handling procedures, you can start to see what is missing when it comes to GDPR compliance.

Compare what you have to what you need to have, and you will be able to highlight the areas of compliance that will need attention. The likelihood is that not every process will need a complete overhaul, but once you identify the gaps, you can start to put together a definitive plan of how to make the right changes to your processes – changes that fit with your business.


Step Five – Out with the old, in with the new


With the knowledge of what you already have in place and how it needs to change, you can start to put together your Article 30 documentation. Likewise, you can now bring together, and fully update, all your data protection policies in line with the new regulations.

Don’t forget, you will need to cover areas including:

  • How consent is given when data is collected. Is your process lawful?
  • Look at employee and supplier data, as well as customer information
  • Define how you will handle data access and the removal of data if requested
  • Ensure all data held is secure and that procedures are in place to cover a data breach

This list is by no means exhaustive and, depending on the size of your business, there may be more areas to consider. For example, if you move data outside of the EU, be sure you are compliant in that instance too.


Step Six – Get the word out


Becoming GDPR compliant isn’t just a one-off; it’s an on-going process and should be treated like any major business change. So communicate the changes, why you’re making them and how things will work going forward, with everyone in the business – management, stakeholders and staff of all levels.

All employees must understand the importance of data protection for your business, as well as the part they play in maintaining it. GDPR compliance is a team effort.


Step Seven – Keep on top of it


Like we said, keeping your data procedures compliant is a continuous process, so be prepared to undertake on-going audits of your data activities, as well as checking your security controls regularly.

Keep all policies and processes up to date and consider carrying out a DPIA if needed.


For more information or advice on GDPR and what it means to your business, just get in touch.