No. 7. GDPR compliance includes addressing four key ingredients: Data governance, breach response, risk assessment and finally compliance management. So one needs to assess your company’s governance of personal data and develop a road map. This may involve mapping current processes and designing management tools and standards. After your company is "transformed" or perhaps deemed to be operating in accordance with appropriate data management processes, one must undertake appropriate audits to assess how your company’s risk is being managed and what remediations need to be undertaken.
No. 6. Even if you are presently not compliant, establish a timetable and monitoring program. Each company’s journey will be different and each assessment of how personal data is being managed. Examine closely how your data governance program is being undertaken (be sure, among other things, that you are managing your data in accordance with your own policies). What protections do you have in place? What training programs do you have in place?
No 5. In assembling the GDPR roadmap, make certain individual owners are accountable for important aspects, including data breach reporting, anonymization, structuring data, privacy, privacy shields and cross-border data transfers. Map out who is directly responsible and who is responsible for enforcement. Identify the impacts and the priority areas.
No. 4. Identify your core areas of GDPR focus. You may have more areas of focus but be sure to include breach notification, data portability, consent, profiling, right to object, the responsibilities of the data privacy officer, and how third-party vendors may impact your compliance with GDPR.
No. 3. Undertake a gap analysis. Depending Upon the size and complexity of your business this could involve an extensive inquiry, complete with addressing what controls are currently implemented, what is the maturity of the controls, how does one validate evidence, and who is responsible for governance. The gap analysis should include identifying (i) policies and procedures that govern the collection and processing of data subject information;(ii) assessing whether you are transparent in communicating what the information will be used for; (iii) have you set explicit limits in the use of information; (iv) do you only have relevant information that aligns with your original lawful purpose for collection; (v) do you have appropriate safeguards on the personal information that will be processed ?
