Implementation of the European General Data Protection Regulation (GDPR) can be complex and challenging. As you implement, it is important to understand if your plan is going in the right direction or not. Let us go through the key GDPR implementation steps that your project must include.
As the checklist is closely linked to GDPR requirements and principles, you can read these articles: A summary of 10 key GDPR requirements and Understanding 6 key GDPR principles.
1) Prepare for your GDPR project.
- Create a project plan to implement GDPR.
- Include the right stakeholders in your GDPR project.
- Conduct a readiness assessment to find out what tasks you need to perform.
- See also:
2) Define your Personal Data Policy and other top-level documents.
- Create an internal Data Protection Policy for personal data.
- Create other top-level policies as needed – e.g., the Data Retention Policy.
- Create awareness among employees about key GDPR requirements.
- Make a decision with regard to the assignment of a Data Protection Officer, and make sure the decision is documented.
- If required, appoint a Data Protection Officer and communicate their name to the Supervisory Authority.
- See also: The role of the DPO in light of the General Data Protection Regulation
3) Create an inventory of processing activities.
- List your processing activities and how these map to legitimate purposes defined in GDPR.
- Be sure your company has published the necessary privacy notices for data subjects.
4) Define an approach to manage data subject rights.
- Implement data subject rights through establishing a legal basis for processing.
- Data subjects can provide consent and request access.
- Your company must keep a record of data subject rights requests.
- See also:
5) Implement a Data Protection Impact Assessment (DPIA).
- Conduct a DPIA when initiating a new project, or when implementing a change to your information systems or a product.
- See also: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR
6) Secure personal data transfers.
- Analyse what personal data is being transferred outside of your company, and when.
- Take necessary legal and security measures to adequately protect personal data when personal data is transferred outside of the company.
7) Amend third-party contracts.
- Amend third-party contracts that include processing of personal data to become compliant with the GDPR.
8) Ensure the security of personal and sensitive data.
- Implement the necessary organisational and technical measures to protect the personal data of data subjects.
- Consider privacy and protection when designing new systems and processes.
- See also:
9) Define how to handle data breaches.
- Set up the processes to identify and handle personal data breaches.
- Prepare for notifications to the Supervisory Authority and data subjects, if required, in the case of a personal data breach.
- See also: 5 steps to handle a data breach according to GDPR
Depending on the results of the readiness assessment you performed at the beginning of your project, you might not need all the steps that are displayed here; however, if you have no privacy protection in place, it is likely that you will have to perform all the mentioned steps.
In any case, make sure you have implemented all the relevant steps – otherwise, you might have to pay some rather high fines for being non-compliant.
Download this free Checklist of Mandatory Documentation Required by EU GDPR and learn how to structure each document according to the EU GDPR.
To learn more about the biggest priorities to comply with GDPR on time, see this article.