Scribd
Upload
148 views

9 Steps For Implementing GDPR

The document outlines the key steps for implementing the European General Data Protection Regulation (GDPR). It lists 9 key steps including preparing a project plan, defining personal data policies, creating an inventory of processing activities, managing data subject rights, implementing data protection impact assessments, securing personal data transfers, amending third-party contracts, ensuring data security, and defining how to handle data breaches. Following these steps will help organizations comply with GDPR requirements and avoid potential fines for non-compliance.

Uploaded by

Flávio
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
148 views

9 Steps For Implementing GDPR

The document outlines the key steps for implementing the European General Data Protection Regulation (GDPR). It lists 9 key steps including preparing a project plan, defining personal data policies, creating an inventory of processing activities, managing data subject rights, implementing data protection impact assessments, securing personal data transfers, amending third-party contracts, ensuring data security, and defining how to handle data breaches. Following these steps will help organizations comply with GDPR requirements and avoid potential fines for non-compliance.

Uploaded by

Flávio
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 2

Implementation of the European General Data Protection Regulation (GDPR) can be complex and

challenging. As you implement, it is important to understand if your plan is going in the right direction
or not. Let us go through the key GDPR implementation steps that your project must include.
As the checklist is closely linked to GDPR requirements and principles, you can read these
articles: A summary of 10 key GDPR requirements and Understanding 6 key GDPR principles.
1) Prepare for your GDPR project.
 Create a project plan to implement GDPR.
 Include the right stakeholders in your GDPR project.
 Conduct a readiness assessment to find out what tasks you need to perform.
 See also:
o GDPR Readiness Assessment Tool
o GDPR Project Plan template
2) Define your Personal Data Policy and other top-level
documents.
 Create an internal Data Protection Policy for personal data.
 Create other top-level policies as needed – e.g., the Data Retention Policy.
 Create awareness among employees about key GDPR requirements.
 Make a decision with regard to the assignment of a Data Protection Officer, and make sure
the decision is documented.
 If required, appoint a Data Protection Officer and communicate their name to the Supervisory
Authority.
 See also: The role of the DPO in light of the General Data Protection Regulation
3) Create an inventory of processing activities.
 List your processing activities and how these map to legitimate purposes defined in GDPR.
 Be sure your company has published the necessary privacy notices for data subjects.

4) Define an approach to manage data subject rights.


 Implement data subject rights through establishing a legal basis for processing.
 Data subjects can provide consent and request access.
 Your company must keep a record of data subject rights requests.
 See also:
o Is consent needed? Six legal bases to process data according to GDPR
o EU GDPR Data Subject Access Request Flowchart
5) Implement a Data Protection Impact Assessment (DPIA).
 Conduct a DPIA when initiating a new project, or when implementing a change to your
information systems or a product.
 See also: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR
6) Secure personal data transfers.
 Analyse what personal data is being transferred outside of your company, and when.
 Take necessary legal and security measures to adequately protect personal data when
personal data is transferred outside of the company.

7) Amend third-party contracts.


 Amend third-party contracts that include processing of personal data to become compliant
with the GDPR.

8) Ensure the security of personal and sensitive data.


 Implement the necessary organisational and technical measures to protect the personal data
of data subjects.
 Consider privacy and protection when designing new systems and processes.
 See also:
o How cybersecurity solutions can help with GDPR compliance
o Does ISO 27001 implementation satisfy EU GDPR requirements?
9) Define how to handle data breaches.
 Set up the processes to identify and handle personal data breaches.
 Prepare for notifications to the Supervisory Authority and data subjects, if required, in the
case of a personal data breach.
 See also: 5 steps to handle a data breach according to GDPR
Conclusion
Depending on the results of the readiness assessment you performed at the beginning of your
project, you might not need all the steps that are displayed here; however, if you have no privacy
protection in place, it is likely that you will have to perform all the mentioned steps.

In any case, make sure you have implemented all the relevant steps – otherwise, you might have to
pay some rather high fines for being non-compliant.

Download this free Checklist of Mandatory Documentation Required by EU GDPR and learn how to


structure each document according to the EU GDPR.

You might also like