The following is a guide with all the steps to be followed in order to be considered GDPR compliant.
2. Document and store information on any internal meetings about GDPR matters and the decisions made in those meetings.
3. Appoint and name a specific person responsible for data protection.
4. Map all your data. This means that you should state in clear terms which type of data your company collects and where.
5. Separate this data into different distinct categories.
6. Identify specific lawful basis for managing all the different categories of data.
7. Make sure to renew consent where necessary. It is crucial that you check with the established data processors you use to ensure that they have complied too; Mailchimp is a good example of such a processor. Be extra cautious in this step, since it is more complicated than it looks, and even large corporations such as Honda have been in trouble because of this.
8. Create a policy which identifies and manages data subject access requests.
9. Create and roll out a strategy which will be responsible for handling any data deletion or rectification requests.
10. Formulate a non-compliance document for the purpose of showing awareness of compliance omissions. This document should also set out a plan for reaching full compliance or, at the very least, for reducing the risk.
11. Come up with a password policy. This policy should apply to all company staff.
12. Reach out to your whole database (marketing or otherwise) and ask people to opt in to the various means of communication that you plan to send. This should STRICTLY be done before the 25th May 2018. The test is whether a person would expect to receive an email about a given topic from you. For example, sending an email about the opening time of your swimming pool to a member of that particular swimming pool is acceptable. However, sending the same person an email about new swimming merchandise, especially when they have not requested this information, might be deemed unethical.
13. Keep a separate document which has records of people who have opted-in and others who are yet to opt-in.
14. Create a specific retention schedule for your data. When data reaches the stipulated retention period, destroy it in a manner which is in accordance with the regulations.
15. You are responsible for training your personnel to ensure they know what constitutes personal data. You get extra bonus points if you practise different case scenarios with your staff and if you create a GDPR Staff Awareness Status Report which records the staff who participated in this training.
16. You are expected to train your members of staff on how to identify any kind of breach and how to detect email scams.
17. Create a policy for breach response.
18. Keep a log which records data breaches. This log should record incidents such as "Staff member X sent a products list email to Tom Smith in the technology department instead of Tim Smith in the products department."
19. For security reasons, make sure that your company's website is HTTPS.
20. It is also very important to ensure that your company's devices, such as computers and other related machinery, are encrypted where possible. If you are using a Mac device you can encrypt it by
21. Document physical storage of data. This includes data in USB disks, physical files and in other formats.
22. You are responsible for locking and securing all data.
23. Register the serial numbers of your company's computers in an asset register. This should be done regardless of the information contained on these computers. If a computer is stolen, you may need to demonstrate to the Information Commissioner's Office (ICO) that the particular computer did not contain personal data.
24. Review which members of staff should access information on your company's devices.
25. Update your company's website privacy policy. This update should include:
- Data retention period
- Recipients
- Specific identification of the controller
- The clear purpose of processing
26. Mention the specific cookies that your website uses, accompanied by the option to opt in or not. This is a pivotal step, since you may only serve users the Google Analytics tracking script if they have opted in.
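A consent-gated loader along the lines of step 26, as an added example that is not code from the original post: the analytics script is only injected when an explicit opt-in cookie is present, and a missing or malformed consent value is treated as a refusal. The cookie name, the measurement id placeholder and the function names are assumptions.

```javascript
// Added example: load the Google Analytics script only after an explicit opt-in.
// The cookie name and the measurement id are assumed placeholders, not values from the post.
const CONSENT_COOKIE = 'analytics_consent';   // assumed cookie name
const GA_MEASUREMENT_ID = 'G-PLACEHOLDER';     // replace with the real property id
// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep the raw value */ }
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Opt-in semantics: only an explicit "granted" allows tracking; anything else means no script.
function analyticsAllowed(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted';
}

// Script URLs that belong on the page for this visitor; DOM-free so the decision is testable.
function plannedScripts(cookieString) {
  if (!analyticsAllowed(cookieString)) return [];
  return [`https://www.googletagmanager.com/gtag/js?id=${GA_MEASUREMENT_ID}`];
}

// Browser entry point: inject the planned scripts. `doc` is normally `document`.
function initAnalytics(doc) {
  const srcs = plannedScripts(doc.cookie);
  for (const src of srcs) {
    const tag = doc.createElement('script');
    tag.async = true;
    tag.src = src;
    doc.head.appendChild(tag);
  }
  return srcs;
}

// Called from the banner's accept/decline buttons; stores the choice for 180 days.
function recordConsent(doc, granted) {
  const value = granted ? 'granted' : 'denied';
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=${180 * 24 * 60 * 60}; Path=/; SameSite=Lax; Secure`;
  return value;
}
```

Call `initAnalytics(document)` on page load and again after `recordConsent(document, true)`, so the script is only fetched once the visitor has actually opted in.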
27. It is recommended that you consult experts on both the legal and the technical aspects of these changes. This will give you an informed view of your compliance process.
28. If your data processing takes place in the UK, it is prudent to register with the ICO. They normally charge about 55 pounds annually, plus an additional 20 if your company is in the direct marketing niche. You can view the ICO's cookie policy, and you may want to use the Cookie Control tool by Civic UK, which we are using on our website too.
Do you have a website and want to stay compliant with GDPR regulations?