Identify and map all personal data processed by the organization
2
Evaluate the legal basis for processing this data
3
Update or establish internal data protection policies
4
Implement technical and organizational measures to ensure data protection
5
Ensure the rights of data subjects are upheld
6
Assess data protection impact for high-risk data processing
7
Establish process for notifying data breaches
8
Designate a Data Protection Officer
9
Approval: Data Protection Officer designation
10
Ensure data transfers outside EU are lawful
11
Educate and train staff on data protection and GDPR
12
Implement encryption and pseudonymization techniques to secure personal data
13
Establish procedures for regular testing and evaluation of data protection measures
14
Approval: Evaluation of data protection measures
15
Setup policy for Data Subject Access Requests
16
Create and maintain a Record of Processing Activities
17
Ensure contracts with data processors are GDPR-compliant
18
Implement secure protocols for data deletion and archiving
Identify and map all personal data processed by the organization
This task involves identifying and mapping all personal data that is processed by the organization. It is important to have a clear understanding of what personal data is being collected, how it is being used, and where it is stored. The goal is to create a comprehensive inventory of personal data to ensure compliance with GDPR regulations. This task may require reviewing existing data protection policies, conducting interviews with relevant personnel, and analyzing data processing activities. Resources or tools that may be helpful include data flow diagrams, data mapping templates, and data inventory spreadsheets.
Evaluate the legal basis for processing this data
In order to comply with GDPR, it is essential to evaluate the legal basis for processing personal data. The legal basis determines whether the processing of personal data is lawful and justified. This task involves assessing the organization's legal grounds for processing personal data, such as consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests. Considerations may include reviewing privacy policies, consent forms, contracts, or other relevant documents. If relying on consent, ensure that it meets the GDPR requirements. If relying on legitimate interests, conduct a Legitimate Interest Assessment (LIA) to ensure compliance. Resources or tools that may be helpful include templates for LIAs, consent forms, and legal guidance.
1
Consent
2
Contractual necessity
3
Legal obligation
4
Vital interests
5
Public interest
6
Legitimate interests
Update or establish internal data protection policies
To ensure GDPR compliance, it is important to have clear and up-to-date internal data protection policies. This task involves reviewing existing policies and updating them to align with GDPR requirements, or creating new policies if they do not already exist. The policies should cover key areas such as data minimization, data subject rights, data retention, security measures, breach notification, and data transfer. Considerations may include involving stakeholders from different departments, such as legal, IT, HR, and marketing, to ensure a comprehensive and cross-functional approach. Resources or tools that may be helpful include templates for data protection policies, privacy impact assessments, and legal guidance.
1
Update existing policies
2
Establish new policies
Implement technical and organizational measures to ensure data protection
This task involves implementing technical and organizational measures to ensure the protection of personal data. GDPR requires organizations to have appropriate safeguards in place to prevent unauthorized access, loss, or destruction of personal data. This may include implementing access controls, encryption, pseudonymization, regular security updates, and conducting security audits. Considerations may include evaluating existing security measures and identifying gaps or areas for improvement. It is also important to document and maintain a record of the implemented measures. Resources or tools that may be helpful include security frameworks, encryption software, vulnerability scanners, and security policies.
1
Access controls
2
Encryption
3
Pseudonymization
4
Regular security updates
5
Security audits
Ensure the rights of data subjects are upheld
To comply with GDPR, it is important to ensure that the rights of data subjects are upheld. This task involves implementing processes and procedures to respond to data subject requests, such as requests for access, rectification, erasure, restriction, data portability, or objection. It is important to have a clear and efficient process in place to handle these requests within the required timeframe. Considerations may include updating privacy policies, creating data subject request forms, training staff on their responsibilities, and establishing communication channels with data subjects. Resources or tools that may be helpful include templates for data subject request forms, privacy notices, and data subject request management systems.
1
Process for handling access requests
2
Process for handling rectification requests
3
Process for handling erasure requests
4
Process for handling restriction requests
5
Process for handling data portability requests
Assess data protection impact for high-risk data processing
This task involves assessing the data protection impact for high-risk data processing activities. GDPR requires organizations to conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risks to the rights and freedoms of data subjects. This includes processing activities involving systematic monitoring, large-scale processing of special categories of personal data, or processing of personal data on a large scale. Considerations may include evaluating the necessity and proportionality of the processing activities, conducting risk assessments, and involving data protection officers or legal experts. Resources or tools that may be helpful include DPIA templates, risk assessment frameworks, and legal guidance.
1
Systematic monitoring
2
Large-scale processing of special categories of personal data
3
Processing of personal data on a large scale
Establish process for notifying data breaches
To comply with GDPR, it is important to establish a process for notifying data breaches. This task involves creating a clear and efficient process for identifying, analyzing, and reporting data breaches to the relevant supervisory authority and affected data subjects. This may include establishing a breach response team, creating a breach notification template, and conducting regular trainings and simulations to ensure preparedness. Considerations may include understanding the GDPR requirements for breach notification, assessing the potential impact of a breach, and evaluating the organization's ability to detect and respond to breaches. Resources or tools that may be helpful include breach response plans, breach notification templates, and legal guidance.
1
Yes
2
No
Designate a Data Protection Officer
Under GDPR, some organizations are required to designate a Data Protection Officer (DPO) to oversee data protection activities. This task involves designating a qualified individual as the DPO or identifying an external DPO service provider. The DPO should have expertise in data protection laws and practices, be independent, and report directly to senior management. Considerations may include evaluating the organization's size, structure, and data processing activities to determine whether a DPO is required. If a DPO is required, ensure that the person or service provider is adequately trained and resources are allocated for the role. Resources or tools that may be helpful include DPO role descriptions, training programs, and external DPO services.
1
Yes
2
No
Approval: Data Protection Officer designation
Will be submitted for approval:
Designate a Data Protection Officer
Will be submitted
Ensure data transfers outside EU are lawful
To comply with GDPR, it is important to ensure that data transfers outside the European Union (EU) are lawful. This task involves assessing the destination country's data protection laws and implementing appropriate safeguards to ensure the protection of personal data. This may include using standard contractual clauses, obtaining explicit consent from data subjects, or ensuring that the destination country provides an adequate level of data protection. Considerations may include evaluating the necessity and proportionality of the data transfers, documenting the legal basis for the transfers, and reviewing data transfer agreements or contracts. Resources or tools that may be helpful include data transfer impact assessment templates, legal guidance, and standard contractual clauses.
1
Yes
2
No
Educate and train staff on data protection and GDPR
To ensure GDPR compliance, it is important to educate and train staff on data protection principles and GDPR requirements. This task involves developing and implementing training programs to raise awareness and build skills among staff members. The training should cover topics such as the principles of data protection, data subject rights, data breach response, and the organization's policies and procedures. Considerations may include identifying training needs, developing training materials, conducting training sessions, and evaluating the effectiveness of the training programs. Resources or tools that may be helpful include training modules, e-learning platforms, and assessment tools.
1
Yes
2
No
Implement encryption and pseudonymization techniques to secure personal data
To ensure the security of personal data, it is important to implement encryption and pseudonymization techniques. This task involves assessing the organization's data processing activities and identifying opportunities for implementing encryption and pseudonymization to protect personal data from unauthorized access or disclosure. Encryption involves converting data into a coded form that can only be deciphered with a decryption key. Pseudonymization involves replacing or removing personal identifiers from data to make it more difficult to link to an individual. Considerations may include evaluating the effectiveness and practicality of encryption and pseudonymization techniques, implementing encryption software or tools, and updating data processing procedures. Resources or tools that may be helpful include encryption algorithms, pseudonymization methods, and encryption software.
1
Database storage
2
Cloud storage
3
Email communication
4
File sharing
5
Data backups
Establish procedures for regular testing and evaluation of data protection measures
To ensure the effectiveness of data protection measures, it is important to establish procedures for regular testing and evaluation. This task involves developing and implementing a plan for ongoing monitoring, testing, and evaluation of data protection measures to identify vulnerabilities or weaknesses. The plan should include regular audits, vulnerability assessments, penetration testing, and incident response simulations. Considerations may include assigning responsibilities for testing and evaluation, allocating resources for testing activities, and documenting the results and actions taken. Resources or tools that may be helpful include testing frameworks, vulnerability scanners, incident response plans, and reporting templates.
1
Regular audits
2
Vulnerability assessments
3
Penetration testing
4
Incident response simulations
5
Staff training
Approval: Evaluation of data protection measures
Will be submitted for approval:
Implement technical and organizational measures to ensure data protection
Will be submitted
Establish procedures for regular testing and evaluation of data protection measures
Will be submitted
Setup policy for Data Subject Access Requests
To comply with GDPR, it is important to have a policy in place for handling Data Subject Access Requests (DSARs). This task involves developing and implementing a clear and efficient policy for responding to DSARs within the required timeframe. The policy should include procedures for verifying the identity of the data subject, retrieving and providing the requested information, and ensuring that any third-party personal data is redacted or removed. Considerations may include creating DSAR request forms, training staff on the policy and procedures, and establishing communication channels with data subjects. Resources or tools that may be helpful include DSAR policy templates, DSAR request forms, and data subject request management systems.
1
Yes
2
No
Create and maintain a Record of Processing Activities
To comply with GDPR, it is important to create and maintain a Record of Processing Activities (ROPA). This task involves documenting the organization's data processing activities, including the purposes of processing, categories of personal data, recipients of personal data, and data transfers. The ROPA should provide an overview of the organization's data processing practices and serve as a reference for data protection authorities and data subjects. Considerations may include establishing a central repository or database for the ROPA, updating the ROPA regularly, and ensuring that it is accessible to relevant personnel. Resources or tools that may be helpful include ROPA templates, data mapping tools, and data inventory spreadsheets.
1
Yes
2
No
Ensure contracts with data processors are GDPR-compliant
To comply with GDPR, it is important to ensure that contracts with data processors are GDPR-compliant. This task involves reviewing existing contracts with data processors, such as cloud service providers, IT support companies, or marketing agencies, and updating them to include the necessary GDPR provisions. The contract should clearly define the responsibilities of the data processor, data controller, and any subprocessors, and include clauses related to data security, data transfers, data breach notification, and data subject rights. Considerations may include involving legal experts in contract review, negotiating contract terms with data processors, and maintaining a record of contracts. Resources or tools that may be helpful include GDPR-compliant contract templates, legal guidance, and contract management systems.
1
Yes
2
No
Implement secure protocols for data deletion and archiving
To ensure GDPR compliance, it is important to implement secure protocols for data deletion and archiving. This task involves developing and implementing procedures for securely deleting or anonymizing personal data when it is no longer needed for the specified purposes. The procedures should cover data stored in different formats and locations, such as databases, file systems, backups, or paper records. Considerations may include evaluating the organization's data retention policies, implementing technical measures for secure deletion, training staff on the procedures, and documenting the data deletion and archiving processes. Resources or tools that may be helpful include data retention and disposal policies, data deletion software, and data archiving systems.