10 Steps to GDPR Compliance

Stress-testing or starting your journey, the key steps to compliance

Whether you’re a beginner with GDPR or you’re quite advanced and just wanting a sanity check, we’re going to give you 10 Steps to GDPR Compliance to guide your journey.  You can see the sister video to this blog post in Privacy Kitchen – FREE video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

Cisco’s 2020 Data Privacy Benchmark Study said, in the UK, there’s a 3.5 times return on investment on Privacy spend – and we can really believe it.  Stay with us to the end – we’ve got a fantastic Bonus Tip on how GDPR can become a revenue generator for you.

#1 Key People

Step 1 has to be the Key People.

For your project to really succeed, you need someone at senior level, maybe even a board member, who doesn’t just ‘talk the talk’ but, by their actions, shows people that GDPR and Privacy is important to your organisation.

Next, you need a day-to-day Privacy Champion whom people can turn to with their privacy issues. He or she will be trained on GDPR and Privacy and will be in charge of the Privacy programme.

In small organisations, these two people may be the same person.  And in larger organisations, you may be expanding this structure.

#2 Benchmark your Readiness

You can’t manage what you can’t measure, so Step 2 is to establish a benchmark against which you can score where you are now and track how you progress.

GDPR is your ultimate benchmark, but you’ll be looking for a proxy for this that’s more workable.  You’ll use this scoring system against your chosen benchmark to see where you are now and where the gaps are, so you can target remediation – and you’ll be coming back to this time and again.

Keepabl’s SaaS includes our BenchMark, integrated into instant scoring, and so do other providers.  But Privacy’s very collaborative and we’re sure if you talk to other people in your situation, you’ll find everyone’s willing to share resources.

#3 Your Personal Data Inventory

The single most important step in your Privacy Governance is establishing an inventory of the personal data that your organisation processes: your Data Map.

This, together with your benchmark, is really going to drive your programme.  Your Data Map will tell you key information including:

  • what categories of personal data you process,
  • the purpose for each processing activity,
  • the legal basis for that processing,
  • who you share it with,
  • how long you keep it for,
  • what you do with it at the end of that period, as well as
  • how you’ve secured this whole lifecycle.

And your Data Map is how you create your Article 30 Records, something all controllers and all processors must do under Article 30 of the GDPR.  These records of processing are not the same as your full inventory; they are more of a summary, but you need the inventory to be able to produce them.
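To make the distinction between the full inventory and the Article 30 summary concrete, here is an added example (not code from the original post or from Keepabl): a minimal Data Map as a Python data structure, a gap check that flags entries missing a field or using something other than one of the six Article 6 lawful bases, and a function that derives the Article 30 summary for one role. The field names, the sample activities and the particular fields kept in the summary are assumptions for illustration, not any official template.

```python
from dataclasses import dataclass

# Constructed example, not Keepabl's schema or an official template: a minimal
# personal-data inventory (Data Map) and the Article 30 summary derived from it.
# The six lawful bases are those listed in GDPR Article 6(1).
LEGAL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}


@dataclass
class ProcessingActivity:
    name: str
    role: str                   # "controller" or "processor" for this activity
    purpose: str                # the purpose of the processing
    legal_basis: str            # the Article 6 basis relied on
    data_subjects: list         # e.g. ["employees"]
    data_categories: list       # e.g. ["contact details"]
    recipients: list            # who the data is shared with
    retention: str              # how long it is kept
    end_of_life: str            # what happens when the retention period ends
    security_measures: list     # how the whole lifecycle is secured


def gaps(activity: ProcessingActivity) -> list:
    """List the inventory fields that are missing or invalid for one activity."""
    problems = []
    if activity.role not in ("controller", "processor"):
        problems.append(f"unknown role '{activity.role}'")
    if activity.legal_basis not in LEGAL_BASES:
        problems.append(f"legal basis '{activity.legal_basis}' is not an Article 6 basis")
    for name in ("purpose", "retention", "end_of_life"):
        if not getattr(activity, name).strip():
            problems.append(f"{name} not recorded")
    for name in ("data_subjects", "data_categories", "security_measures"):
        if not getattr(activity, name):
            problems.append(f"no {name.replace('_', ' ')} recorded")
    return problems


def article30_records(inventory: list, role: str) -> list:
    """Derive the Article 30 summary for one role from the full inventory.

    Only summary fields are kept: internal detail such as the legal basis and
    the end-of-life handling stays in the inventory. Entries with gaps are
    refused so the summary is never generated from an incomplete map.
    """
    records = []
    for act in inventory:
        if act.role != role:
            continue
        if gaps(act):
            raise ValueError(f"{act.name}: fix inventory gaps first: {gaps(act)}")
        records.append({
            "activity": act.name,
            "purpose": act.purpose,
            "data_subjects": sorted(act.data_subjects),
            "data_categories": sorted(act.data_categories),
            "recipients": sorted(act.recipients),
            "retention": act.retention,
            "security_measures": sorted(act.security_measures),
        })
    return records


# Constructed sample inventory: one complete controller entry, one controller
# entry with gaps, and one processor entry.
SAMPLE_INVENTORY = [
    ProcessingActivity(
        name="Payroll", role="controller", purpose="pay staff and meet tax reporting duties",
        legal_basis="legal obligation", data_subjects=["employees"],
        data_categories=["contact details", "bank details", "salary"],
        recipients=["payroll bureau", "tax authority"],
        retention="6 years after employment ends",
        end_of_life="secure deletion from HR system and bureau",
        security_measures=["encryption at rest", "role-based access control"],
    ),
    ProcessingActivity(
        name="Newsletter", role="controller", purpose="send marketing emails",
        legal_basis="marketing",      # gap: not an Article 6 basis
        data_subjects=["prospects"], data_categories=["email address"],
        recipients=["email service provider"], retention="until unsubscribe",
        end_of_life="",               # gap: nothing recorded
        security_measures=["access control"],
    ),
    ProcessingActivity(
        name="Client helpdesk", role="processor", purpose="handle support tickets for clients",
        legal_basis="contract", data_subjects=["clients' customers"],
        data_categories=["name", "email address", "ticket contents"],
        recipients=["ticketing SaaS"], retention="duration of client contract",
        end_of_life="return or delete per client instructions",
        security_measures=["encryption in transit", "MFA", "audit logging"],
    ),
]

if __name__ == "__main__":
    for act in SAMPLE_INVENTORY:
        print(act.name, "->", gaps(act) or "complete")
    print(article30_records(SAMPLE_INVENTORY, "processor"))
```

Running the block reports the Newsletter entry's two gaps and prints the single processor record; asking for the controller records raises until the Newsletter entry is fixed, which is the point: the Article 30 summary is only as good as the inventory behind it.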

Keepabl’s SaaS makes creating your Data Map super simple and, as you go, we instantly create your Article 30 Records, both as controller and processor, and many more of your GDPR records and KPIs.

#4 Remediation & Risk Management

Now that everything is coming together, you can start systematic remediation, and you’ll also know who should be on your team and what they need to do.

All of the next steps we’re talking about are part of this remediation phase, and you’ll keep coming back to your benchmark and to your Data Map all the way through.

And now, with your Data Map under way, it’s a great time to draft your risk assessments, which GDPR calls ‘impact assessments’.  There’s one that GDPR says you must do, called the Data Protection Impact Assessment, or DPIA, and that’s required when your processing is likely to result in a high risk to individuals.

We have template and specimen DPIAs in our Privacy Policy Pack to help you here, which you can adopt or integrate into your own.

#5 Implement your Privacy Framework

You’ll now bring all this together into your Privacy Framework, driven by your policies and procedures, all those different checklists and the audits you’re going to do, the training and awareness – this is everything you do to create your Privacy Governance and maintain it as a living thing.

These are also the ‘appropriate technical and organisational measures’ that GDPR requires you to have not only to comply, but to be able to demonstrate that compliance.

And all of this is key for implementing ‘Data Protection by Design’ and ‘Data Protection by Default’.  Data Protection by Design is essentially ensuring that you implement data protection principles at the outset of every project, so they’re always considered.  Data Protection by Default means that applying those data protection principles is your default position.

And now you’ll be in a position to start finalising those Data Protection Impact Assessments, and you’ll also be in a position to decide if you need a Data Protection Officer, a DPO, or an EU Representative, and appoint them.

#6 Security Review & Preparation

Now, you can’t have data protection without good security; it’s that fundamental, and it’s one of GDPR’s seven principles.

And, for security, that familiar phrase ‘appropriate technical and organisational measures’ means you’re going to be looking at measures such as:

  • encryption first and foremost – it’s fantastic for reducing the risk to data subjects and your risk of having to notify breaches,
  • access control,
  • password managers,
  • a mobile device management tool, so you can remotely wipe lost devices, and don’t forget …
  • good old physical security – the alarm on the building, visitor badges, walking around to check that clear desk and clear screen rules are being followed.

You’ll also need to prepare for personal data breaches – they will happen.  Under GDPR, you must record them all, but you don’t need to notify them all.  You need a risk assessment procedure for when a breach happens, so you can decide what the risk is to the individuals concerned.

But you need to act quickly: there are only 72 hours to notify the regulators, so you need to have a response plan in place and a team ready.
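The three rules in the two paragraphs above (record every breach, assess the risk to individuals, and watch the 72-hour clock) fit naturally into a small breach register. The following is an added example, not code from the original post or from Keepabl’s Breach Management solution: it records each incident, applies a simplified triage and computes the regulator deadline from the moment the organisation became aware. The triage thresholds (the categories treated as high risk and the volume cut-off) are assumptions for illustration; the underlying tests are GDPR Article 33 (notify the authority unless the breach is unlikely to result in a risk) and Article 34 (tell the data subjects when the risk is high, with an exception where the data was rendered unintelligible, for example by encryption).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example: a breach register with a simplified risk triage.
# Thresholds below are assumptions for illustration, not legal advice.
NOTIFY_WINDOW = timedelta(hours=72)                 # Article 33 regulator deadline
HIGH_RISK_CATEGORIES = {"health", "financial", "credentials", "identity documents"}
HIGH_RISK_VOLUME = 1000                             # assumed "large scale" cut-off


@dataclass
class Breach:
    ref: str
    aware_at: datetime                  # when the organisation became aware (UTC)
    description: str
    records_affected: int
    data_categories: list
    rendered_unintelligible: bool       # e.g. strong encryption, key not compromised
    reported_to_authority_at: Optional[datetime] = None


def assess_risk(b: Breach) -> str:
    """Classify the risk to individuals as 'unlikely', 'risk' or 'high'."""
    if b.rendered_unintelligible:
        return "unlikely"               # encrypted data the finder cannot read
    if set(b.data_categories) & HIGH_RISK_CATEGORIES:
        return "high"
    if b.records_affected >= HIGH_RISK_VOLUME:
        return "high"
    return "risk"


def decide(b: Breach) -> dict:
    """Turn the risk level into the actions the response team must take."""
    risk = assess_risk(b)
    return {
        "risk": risk,
        "record_internally": True,                  # every breach is recorded
        "notify_authority": risk != "unlikely",     # Article 33
        "inform_data_subjects": risk == "high",     # Article 34
        "authority_deadline": b.aware_at + NOTIFY_WINDOW,
    }


def overdue(b: Breach, now: datetime) -> bool:
    """True when the authority should have been told and the 72 hours have passed."""
    d = decide(b)
    return (d["notify_authority"]
            and b.reported_to_authority_at is None
            and now > d["authority_deadline"])


def register_status(register: list, now: datetime) -> list:
    """One status row per breach, for the response team's dashboard."""
    return [{"ref": b.ref, **decide(b), "overdue": overdue(b, now)} for b in register]


# Constructed sample register covering the three outcomes.
T0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_REGISTER = [
    Breach("BR-001", T0, "Laptop left on a train, full-disk encrypted",
           500, ["contact details"], True),
    Breach("BR-002", T0 + timedelta(hours=5), "Newsletter sent with all recipients in To:",
           120, ["email address"], False),
    Breach("BR-003", T0 + timedelta(days=1), "Misconfigured storage bucket exposed patient files",
           8000, ["health", "name"], False),
]

if __name__ == "__main__":
    for row in register_status(SAMPLE_REGISTER, T0 + timedelta(hours=80)):
        print(row)
```

With the clock set to 80 hours after the first incident, the encrypted laptop needs recording only, the newsletter mishap needed a regulator notification and is now overdue, and the exposed patient files need both the regulator and the individuals informed, with the deadline still open. The value of `rendered_unintelligible` is where the earlier point about encryption shows up: it is the one input that takes an incident off the notification path entirely.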

Keepabl’s Breach Management solution lets you record breaches easily, triggering instant email alerts to your response team so they can react rapidly.  And you’ll find a great procedure for reacting to breaches, including whether to notify, built into our SaaS solution and expanded in our Privacy Policy Pack.

#7 Data Subject Rights

Data Subject Rights, or DSRs, have been greatly strengthened by GDPR and new ones have been added.  Not all DSRs require action by the data subject; the right to be provided with certain information, for example, applies automatically.  And they’re not all absolute: if someone withdraws consent to marketing, that’s absolute and you have to comply, but other rights come with conditions, and you need to know what those conditions are.

GDPR’s DSRs include the right to:

  1. withdraw his or her consent at any time (and it must be as easy to withdraw as to give consent),
  2. be provided with information when personal data is obtained (whether from the data subject or another source),
  3. obtain a copy of their personal data,
  4. rectify (correct) any inaccurate personal data concerning him or her,
  5. erase personal data concerning him or her (the ‘right to be forgotten’),
  6. restrict processing their personal data on certain grounds,
  7. port (transfer) their personal data,
  8. object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, including profiling,
  9. object at any time to processing of personal data concerning him or her for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing, and
  10. not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or ‘similarly significantly affects’ him or her.

Again, some of these are absolute, while others come with certain conditions or apply to certain data and not others.  You can see that, if you’re not prepared for when someone exercises their rights, these are not easy.  Again, Keepabl’s Privacy Policy Pack has procedures that identify each right and help you react in the right way.

#8 Review Your Processors

Processors are the suppliers who process personal data on your behalf.  Typical examples are CRM tools like Salesforce.com or HubSpot, or maybe a group member does payroll for all group companies.

You’ll need to identify all your processors, then prioritise that list so you can carry out due diligence, and put in place GDPR-compliant wording, starting with the highest risk first.

Before GDPR, processor wording was just a short paragraph in a contract and the required due diligence wasn’t so specified.  GDPR clarifies what that due diligence should cover, and it’s a bit more involved.  And the contract wording has now become a 3 to 6 page ‘Data Processing Addendum’.  Thankfully, these are now pretty common.  And we have a great checklist for you covering both the due diligence and the contract.

#9 Privacy Notices

Yes, privacy notices were there before, but it’s one of those areas that’s been very much strengthened by GDPR.  You’ll have to review all of these and make sure you’re including everything you need to and they reflect your current practices.

Don’t forget, this is not just about the Privacy Policy on your website.  You’ll need an HR Privacy Notice for your employees, and you’ll need what are called ‘Data Collection Notices’ – a layered data collection notice, typically a brief description plus a link to your Privacy Policy – wherever you’re taking personal data from somebody.

A great example of this is the cookie banner.  You’ll have seen that, because GDPR beefed up consent, cookie banners have become much more intricate.

#10 Training & Awareness

And the final step to make all this come alive: Training and Awareness.

Training and awareness means this whole Privacy Framework you’ve spent time building gets put into practice in the right way by the right people.

You’ll need to run ‘All-hands’ training, and we recommend doing so annually.  The UK ICO’s ‘Report a Breach’ form actually does ask: ‘did the people involved have data protection training in the last two years?’, but we recommend an annual refresher and, obviously, training for new joiners.

You’ll also want to train certain teams a little more in their own area.  So, Marketing, Investor Relations, these sorts of teams will definitely need training on cookies, cold calling and cold emailing.  IT and Security will need training on breach response, for example.  And Customer Support may need training on recognising data subject rights requests.

And take the time to refresh security training too.

Bonus Tip: Reap the Rewards!

Here’s that Bonus Tip: Reaping the rewards from all of this hard work!

Don’t just put these great measures in place and leave them internal.  Put these great measures in place and then prepare to show them, to demonstrate them, to third parties.  Not because you have to, but because it’s a great way to overcome sales objections and to fly through investor due diligence and audits.

Create summary documents about your Data Protection practices and about your Information Security.  Maybe you’ve got a network or infrastructure you want to describe?  Believe us, these summary documents are worth their weight in gold and head off sales objections or due diligence follow-ups before they even happen.

So there you go – 10 Steps to GDPR Compliance in less than 10 minutes!  We hope you find this a useful framework to look at your Privacy Governance.  We’ve also put links to the frameworks from the UK’s ICO, France’s CNIL and the European Commission below.

Please do take a look at our other blog posts and Privacy Kitchen’s videos.  Do get involved – use #PRIVACYKITCHEN to tell us the topics and questions you want us to cover.

And do contact us to see how Keepabl can help you put all this in place quickly and manage it with low stress levels!

Stay well in the meantime, and we look forward to seeing you in Privacy Kitchen again soon!

Links

GDPR itself!

The UK ICO’s 12 Steps to GDPR Compliance

CNIL’s 6 Steps to GDPR Compliance

The European Commission’s 7 Steps to GDPR Compliance
