Step 1: Know the steps
Make sure that decision-makers and key staff know about GDPR and understand its implications.
Step 2: Know how to check if there’s a breach
Organisations with ISO/IEC 27001 will already have these procedures, but otherwise check your means of detecting, investigating and reporting personal data security breaches.
Step 3: Check your privacy policy
Review and update the organisation’s data privacy policy to align it with GDPR.
Step 4: Stay on the right side of rights
Check your procedures to make sure they uphold the rights of the individuals whose data you hold, e.g. the right of access to their data; to have their data deleted, etc.
Step 5: Make sure you respond in time
Check and if necessary update procedures so you can turn data requests around within the new one-month requirement.
Step 6: Demonstrate compliance
Identify the lawful basis of your processing activity, document it and update your privacy notice accordingly.
Step 7: Manage consent correctly
Check how you ask for, record and manage consent to use personal data, and update existing consents.
Step 8: Know what data you’ve got
Review and document all the personal information held including its source (how you got it) and who it’s shared with.
Step 9: Confirm who’s in charge
Designate or confirm who’s responsible for data protection compliance and make sure they have the authority to be effective.
Step 10: Understand the international context
If you do cross-border data processing in more than one EU state, decide which is your lead data privacy supervisory authority, based on where you make your most significant data processing decisions.
