1. Establish Data Governance Framework
   Set out your business's approach to data protection and assign management responsibilities.
2. Update Policies and Notices
   Build a data protection policy that is approved by management, published, and communicated to all stakeholders, including staff, suppliers, and customers.
3. Build Data Asset Management Process
   Build an asset register to record data processing activities, with details about the personal data you hold, where it came from, who you share it with, and what you do with it.
4. Establish Lawful Basis of Data Processing
   Document the various types of data processing you carry out and identify the legal basis for each.
5. Implement Consent Management Process
   Requests for consent should be prominent and separate from your terms and conditions. If existing consent does not meet the GDPR's high standards, you will have to seek fresh GDPR-compliant consent.
6. Individuals' Rights and Data Access Rights
   Implement processes to recognise and respond to any individual's request. The individual should be able to verify the accuracy of the information you hold about them and modify or delete it.
7. Integrate with Risk Management
   Establish a set of security policies and procedures, and assign responsibilities to support good information risk management. Establish a policy that sets out when you should conduct a Data Protection Impact Assessment, who will authorise it, and how it will be incorporated into the overall project plan.
8. Implement Security Controls
   Establish a process to monitor compliance with the security policies, and regularly test the measures to provide assurance that they continue to be effective.
9. Control Data Transfer Outside the EU
   Ensure that any data you transfer outside the EU is handled in compliance with the conditions for transfer set out in Chapter V of the GDPR. Ensure that data security measures are in place and documented in a written contract using standard data protection contract clauses.
10. Control Third-Party Processing of Personal Data
   Ensure that whenever your business uses a third party who processes personal data on your behalf, there is a contract in place. Consider approved codes of conduct or certification schemes to help you demonstrate that you have chosen a reliable processor.
11. Establish Data Protection Office
   Evaluate the need for a Data Protection Officer on the basis of the nature of your business and its data processing. Assign responsibility for data protection compliance to a suitable individual and provide appropriate training.
12. Implement Data Breach Management
   Train staff to recognise and report incidents as soon as they become aware of them. Set up a process to investigate incidents and implement recovery plans.
13. Establish ICO Communications
   Register with the ICO and maintain auditable records of all communications to and from the ICO.
14. Manage Cultural Change
   Provide data protection awareness training at regular intervals, or as and when required. Test the awareness levels of your staff.
15. Audits and Certification
   Have your programme audited by internal and independent client auditors. Subscribe to certification schemes to demonstrate a level of readiness.

Accelerate your compliance

Our easy-to-use compliance management system will handle it all.