The EU’s General Data Protection Regulation (GDPR) takes effect on 25 May 2018. GDPR compliance for services is especially important because of the volume of personal data involved. This guide introduces 10 key points for GDPR compliance for services. Bear in mind that the Information Commissioner’s Office can levy fines of up to 4% of global annual turnover or €20 mln, whichever is higher. Your company should already be taking the necessary steps, and if you’re not, this blog post will give you a better idea of what to do next with less than 2 weeks until the deadline. The right approach is to assess your firm’s current workflows, processes and procedures to identify the compliance gaps that you need to fill. Document your policies on data handling and create a structured plan in case of a data breach. You can also use GDPR software tools to create data maps to monitor the
See also our Guide to Data Protection
GDPR Compliance For Services: 10 Key Points
Below is a checklist of ten essential areas of GDPR compliance for services that you will need to review as part of your company’s compliance project.
- Rights of data subjects: you will need to respond properly to any data processing requests and enable data subjects to exercise their rights.
- GDPR project: how successfully your organisation has tailored its data privacy culture and GDPR training sessions to deliver realistic compliance objectives by 25 May 2018.
- Data protection governance: check that data protection policies, procedures and reporting mechanisms to monitor compliance are in place and operating in a synchronised manner.
- Risk management: Do you have a documented plan in case of a data breach? To what extent is cyber safety a priority in your organisation? Is privacy risk included in your corporate risk register? Do you monitor the flow of personal information within and outside your organisation? Which risks to the rights and freedoms of individuals are addressed?
- Data Protection Officer (DPO): identify the type of data your organisation is working with and decide whether a DPO is mandatory. Has one been appointed? Would that individual be able to oversee GDPR compliance in your organisation?
- Process analysis: Which of the GDPR principles are established for processing personal data? You must always revise the processes in place for data collection, minimisation and retention periods according to the lawful basis.
- Roles and responsibilities: ensure that roles and responsibilities are well defined and established within your organisation, including the necessary GDPR awareness training.
- Compliance capacity: The compliance capacity should be well defined, considering all data types being processed, deciding whether your company is a data processor or controller, and mapping the information flow within and outside your organisation. To determine the scope of compliance, you also need to identify all the databases that hold personal data, as well as any international data sharing and processing.
- Personal Information Management System (PIMS): Your organisation must document compliance with GDPR by having a data protection policy, a data breach notification procedure (72 hours), subject access request forms for data subjects to exercise their rights, a data protection impact assessment and consent forms. The PIMS in place should be appropriate to the size and complexity of your service firm.
- Information Security Management System (ISMS): ensure that the technical and organisational measures in place provide adequate security for personal data held in hard copy or electronic form, or processed through your systems. This includes a review of methodologies for testing security and of established cyber security certifications, standards and codes of practice.
Our structured approach will help your GDPR compliance by prioritising your project and planning to improve each area within an appropriate timeframe and budget. GDPR accredited training is at the forefront of helping organisations in Europe and globally to achieve GDPR awareness and address any compliance challenges. Our legal experts’ opinion and updated content will help your organisation to run fresher and refresher sessions that tailor GDPR thinking to your firm.
Get GDPR Ready with Apex
- City & Guilds Accredited eLearning
- Updated content
- Develops Data Safety knowledge
- Instantly available course
- Completed in 60 minutes
- Subject Access Request game
- Interviews with legal experts
- Interactive content
- Certificate for your CV