
Your “You are here” moment in your GDPR journey


Imagine yourself standing at the center of a map, surrounded by the various paths and destinations of your GDPR compliance. This is your “You are here” moment: a chance to assess where you are before you chart a course forward. Knowing your starting point is as important as knowing your destination. In the case of the complex journey that GDPR is, it is essential to take a few moments to take stock of your current policies, procedures, and practices; your GDPR requirements; and the tools and techniques available to you.

Take stock of your current Policies and Procedures

Any live and operational organization has existing policies, procedures and practices that need to be modified on a regular basis to keep up with evolving business requirements. So as business requirements change, we change the artifacts and our practices. These changes in turn demand assessment and evaluation of the existing system against industry standards and government regulations.

GDPR is one such business requirement that is binding on organizations and has a considerable impact on the way businesses process individuals’ personal data. So start with a list of the existing policies and procedures and what each one of them does. In GDPR parlance these are known as Technical and Organizational Measures.

Knowing your GDPR Requirements

Once you have discovered what you have got, you need to know what you don’t have. There is no one size that fits all; different companies have different requirements. It depends on the size of the company, the type of personal data the company deals with, the geographical area of operation, etc. Consequently, this demands more than filling in ready-made checklists. The following are the high-level items that need to be gauged:

1. Privacy Policy:

• Does the policy include a clear and comprehensive statement about the company’s data processing activities?

• Does the policy include specific information about the rights of data subjects?

• Does the policy include a section on how long data will be retained?

2. Data Processing:

• Is the company aware of the data it collects and holds?

• Does the company have a legal basis for collecting and processing data?

• Are the appropriate safeguards in place to protect data?

• Is there a process in place to respond to data subject access requests?

3. Data Breaches:

• Is there a procedure in place to detect, investigate and report any data breaches?

• Is there a system in place to inform the relevant authorities and data subjects of any data breaches?

4. Training:

• Are all staff members aware of their obligations under the GDPR?

• Have all staff members been trained on GDPR compliance matters?

5. Data Protection Officer (DPO):

• Is there a designated Data Protection Officer in place?

6. Third Parties:

• Are all third parties aware of their obligations under the GDPR?

• Is there a process in place to ensure that data is only shared with compliant third parties?

7. Records of Processing Activities:

• Are records of processing activities kept up to date?

• Are records of processing activities accurate and comprehensive?

8. Complaints, Consents and Access Requests:

• Is consent being obtained in accordance with the GDPR?

• Is it clear to data subjects how and why their data is being collected?

• Are data subjects aware of their right to withdraw consent?

For details, please explore the other parts of the blog.

GDPR Compliance Automation Tools

Explore the automated tools available in the market that can help you achieve your compliance goals. Compare the features, benefits and pricing of each of the tools.