GDPR (Post 4): Assessing Your Organisation’s Readiness
In the fourth and final post in our series on GDPR, we provide a bullet point summary of the key questions you should address when evaluating your organisation’s readiness for the new directive which comes into force on the 25th May 2018.
The Four Key Steps in Ensuring Compliance
As discussed in Post 2, there are four key steps in your organisation’s journey to GDPR compliance – Discover, Manage, Protect and Report.
With less than ten months before GDPR becomes a legal requirement, it is critical that your organisation undertakes an honest assessment of your current state of readiness.
The following key questions should be addressed:
Step 1: Discover
- Does GDPR apply to your organisation and to what extent?
- Have you undertaken an inventory of your organisation’s data, identifying what data is ‘personal’?
- Have you documented how and why this data is collected, where it is stored, how it is processed and shared, how it is used and for what purpose, how long is it retained for?
In terms of storage, GDPR adopts a very broad definition. Personal data held in customer databases, feedback forms, email content, photos, CCTV footage, loyalty program records, human resource databases and others are all in-scope.
Step 2: Manage
- Have you implemented policies, processes and procedures for the effective management of the personal data you hold?
- Does your organisation have a data governance plan defining policies, roles and responsibilities covering the access, management and use of personal data?
- Are your data handling practices compliant with GDPR?
- Does your organisation have an agreed data classification scheme enabling you to identify and process personal data requests?
Step 3: Protect
- Has your organisation implemented appropriate technical and organisational measures to protect personal data from loss, unauthorised access and disclosure?
- How secure is your on-premise computing environment?
- Are you fully utilising the comprehensive security solutions provided by the Cloud?
Step 4: Report
- How transparent and accountable is your organisation in terms of how you handle personal data?
- Do you maintain documentation defining how personal data is used by your organisation?
- Do you keep detailed records covering the processing and use of personal data?
- Do these records cover the purposes of processing; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and which) third countries receive personal data; the legal basis of such transfers; organisational and technical security measures; and data retention times applicable to various datasets?
- Are auditing tools used to track and record?
We hope you have found this series of posts on GDPR useful. Parts 1 to 3 can be found here – GDPR.
Please do not hesitate to contact us for an informal chat about your GDPR requirements.