What is GDPR compliance?
The GDPR (General Data Protection Regulation) is an EU data protection law that came into effect on 25 May 2018. The Regulation replaces the 1995 EU Data Protection Directive.
GDPR compliance means that an organisation has taken steps to ensure they are meeting the requirements of the General Data Protection Regulation (GDPR).
GDPR compliance involves implementing processes and procedures to protect the personal data of EU citizens, such as ensuring that data is collected and stored securely, informing individuals of how their data is being used, and allowing individuals to see, amend, or delete their data.
UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.
What is required for GDPR compliance?
Have you taken the necessary measures to get GDPR compliant? If not, you’re not alone. We’ve distilled everything you need to achieve and maintain GDPR compliance into the simple nine-step checklist below.
GDPR compliance checklist
1. Obtain board-level support and establish accountability
2. Scope and plan your GDPR compliance project
3. Conduct a data inventory and data flow audit
4. Undertake a comprehensive risk assessment
5. Conduct a detailed gap analysis
6. Develop operational policies, procedures and processes
7. Secure personal data through procedural and technical measures
8. Ensure teams are trained and competent
9. Monitor and audit compliance
1. Obtain board-level support and establish accountability
GDPR compliance requires board-level support. This means the board must understand the implications of the Regulation to allocate the resources needed to achieve and maintain compliance.
The board should also assign someone to be accountable for compliance within the organisation.
What you need to do:
- Advise the board about data protection risks and the benefits of GDPR compliance.
- Obtain management support for your GDPR compliance project.
- Assign accountability for GDPR compliance to a director.
2. Scope and plan your GDPR compliance project
Once you have obtained top-level support, you need to determine what areas of your organisation fall under the GDPR’s scope.
What you need to do:
- Appoint and train a project manager.
- Appoint a DPO (data protection officer) if necessary. If you’re unsure whether or how to appoint a DPO, visit our DPO information page.
- Identify standards that could provide a framework to help you establish your compliance priorities:
- The international information security standard ISO 27001 can help you apply data security best practices. This will help you meet the requirements for appropriate technical and organisational security measures of the GDPR (Article 32).
- Other standards have been developed to enable compliance with essential privacy laws. These include ISO 27701 the international standard for privacy information management and BS 10012 the standard for a personal information management system.
3. Conduct a data inventory and data flow audit
To comply with the GDPR's data processing requirements, you must fully understand what data you process and how you process it.
You can conduct a data inventory and data flow audit to achieve this.
A data inventory is a list of all the personal data you hold, where it came from and who you share it with. A data flow audit is a procedure that maps out all the personal data you process, from its original source to its destination.
You can use the results of your data inventory and data flow audit to develop a data processing policy that complies with the GDPR.
What you need to do:
- Assess the categories of data you hold, where it comes from and the lawful basis for processing.
- Create a map that shows how data flows to, through and from your organisation.
- Create records of personal data processing activities, as required by Article 30, drawn from the data flow audit and gap analysis.
4. Undertake a comprehensive risk assessment
Risk assessments play a crucial role in any GDPR compliance plan. The GDPR encourages a risk-based approach to data processing. This enables organisations to develop appropriate measures to manage their risks. However, the Regulation does not clarify how you should assess and quantify those risks.
What you need to do:
- Establish a risk assessment plan.
- Analyse and evaluate your risks.
- Determine ways to control your risks.
5. Conduct a detailed gap analysis
Conducting a GDPR gap analysis will help you identify any areas which may need to be addressed to ensure you are fully compliant with GDPR’s requirements.
What you need to do:
- Audit your current compliance position against the GDPR’s requirements.
- Determine which compliance gaps require remediation.
6. Develop operational policies, procedures and processes
You should bring your existing policies, processes and procedures into line with the GDPR’s requirements and develop new ones to fulfil your legal obligations.
What you need to do:
- Ensure your data protection policies and privacy notices align with the GDPR.
- Review employee, customer and supplier contracts and update them if necessary to cover personal data processing.
- Have a process in place for determining whether a DPIA is required.
7. Secure personal data through procedural and technical measures
Article 32 of the GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure that personal data is processed appropriately.
What you need to do:
- Implement basic technical controls specified by established frameworks like Cyber Essentials.
- Use organisational controls where appropriate.
- Ensure policies and procedures are in place to detect, report and investigate personal data breaches.
8. Ensure teams are trained and competent
Staff awareness and education are vital components of any organisation’s GDPR compliance framework. Everyone involved in processing data must be appropriately trained to follow approved processes and procedures.
What you need to do:
- Ensure internal communications with stakeholders and staff are effective.
- Train your employees to understand the importance of data protection, basic GDPR principles and the procedures you have implemented to ensure compliance.
9. Monitor and audit compliance
GDPR compliance is an ongoing project – a journey rather than a destination. You should undertake periodic internal audits and regularly update your data protection processes. This includes checking your records of processing activities and consent, testing information security controls and conducting DPIAs.
What you need to do:
- Schedule regular audits of data processing activities and security controls.
- Keep records of personal data processing up to date.
- Undertake DPIAs where required.
- Assess data protection practices and manage some of the more demanding elements of GDPR compliance.
Download the checklist today
Download your own free, printable copy of the GDPR compliance checklist now.
Find out more
GDPR compliance resources
For more information about achieving – and demonstrating – GDPR compliance, read our blogs:
Achieve GDPR compliance with our all-in-one solutions
Whatever stage you’ve reached in your GDPR compliance project, we have everything you need to make it easier and more cost-effective.
Find out more