The key steps to GDPR compliance

The ability to prove EU General Data Protection Regulation (GDPR) compliance is critical, and a comprehensive and effective privacy compliance framework (PCF) will develop evidence to support your compliance claims.

In some cases, the below GDPR compliance steps will supplement existing measures that many organisations adopt to comply with national laws in Asia Pacific, including The Privacy Act 1988 (Australia), the Personal Data Protection Act (Singapore), the Personal Data (Privacy) Ordinance (Hong Kong) and the Cybersecurity Law (China).

This checklist highlights the essential steps you need to take to demonstrate compliance, and recommends solutions.

Unsure where to start with GDPR compliance?

If you’re looking for help with your GDPR compliance efforts and aren’t sure where to start, get in touch with our GDPR experts who can advise you on which of our products and services are best suited to your needs.

1. Establish an accountability and governance framework

GDPR compliance requires board-level support. It’s therefore essential that the board understands the implications of the Regulation – both positive and negative – so that they can allocate the resources needed to achieve and maintain compliance.

What you need to do

  • Advise the board about data protection risks and the benefits of GDPR compliance.
  • Obtain management support for your GDPR compliance project.
  • Assign accountability for GDPR compliance to a director.

How we can help you

  • EU GDPR – A Pocket Guide
    This concise guide is essential reading for anyone wanting an overview of the GDPR and the new compliance obligations for handling personal data.

2. Scope and plan your project

Once you have obtained top-level support, you will need to work out which areas of your organisation fall within the GDPR’s scope, and consider which existing approaches might be affected by, or could support, your compliance efforts.

What you need to do

  • Appoint and train a project manager, and appoint a data protection officer (DPO) if necessary.
  • Identify standards that could provide a framework to help you establish your compliance priorities:
    • The international information security standard ISO 27001 can help you apply data security best practice, which in turn helps you meet the GDPR’s requirements for appropriate technical and organisational security measures (Article 32).
    • Other standards, such as ISO 27701 or BS 10012, were developed to enable compliance with key privacy laws and provide the specifications for implementing a privacy information management system (PIMS).
  • Assess the principle of data protection by design and by default against current or new processes and systems.
  • Consider Brexit implications in your planning.

3. Conduct a data inventory and data flow audit

It's impossible to comply with the GDPR's data processing requirements if you don't fully understand what data you process and how you process it.

What you need to do

  • Assess the categories of data held, where it comes from and the lawful basis for your processing.
  • Map data flows into, within and from your organisation.
  • Use the data map to identify the risks in your data processing activities and whether a data protection impact assessment (DPIA) is needed.

How we can help you

  • Data Flow Mapping Tool
    Simplify the process of creating data flow maps and gain a thorough understanding of the personal data your organisation processes.

  • GDPR data flow audit
    Receive, through an on-site audit, an inventory of the types of personal data collected and processed in your organisation, and a data flow map.

4. Conduct a detailed gap analysis

The sensible approach to compliance is to establish what you don’t already do – assess your current workflows, processes and procedures – to identify the gaps that you need to fill.

What you need to do

  • Audit your current compliance position against the GDPR’s requirements
  • Identify compliance gaps requiring remediation

How we can help you

  • EU GDPR Compliance Gap Assessment Tool
    This questionnaire-driven tool helps you assess your organisation’s compliance position and identify the gaps for remediation.

  • GDPR Gap Analysis
    Get an on-site assessment of your organisation’s privacy management and data protection practices, and a report summarising compliance gaps and remediation recommendations.

5. Develop operational policies, procedures and processes

Our data protection consultants will provide an on-site assessment of your privacy management and data processing practices, and produce a report summarising your compliance gaps and providing remediation recommendations.

What you need to do

  • Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
  • Bring data protection policies and privacy notices in line with the GDPR.
  • Where relying on consent, ensure quality of consent meets new requirements.
  • Review and update employee, customer and supplier contracts.
  • Plan how to recognise and handle data access requests and provide responses within a month.
  • Have in place a process for determining whether a DPIA is required.
  • Secure personal data through appropriate procedural and technical measures.
  • Ensure policies and procedures are in place to detect, report and investigate a personal data breach.
  • Review whether the mechanisms for data transfers outside the EU are compliant.

How we can help you

  • GDPR Documentation Toolkit
    A complete set of easy-to-use and customisable documentation templates, worksheets and policies to document compliance with the GDPR.

6. Secure personal data through procedural and technical measures

Article 32 of the GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure that personal data is processed appropriately.

What you need to do

  • Have an information security policy in place.
  • Implement basic technical controls such as those specified by established frameworks like Cyber Essentials.
  • Use encryption and/or pseudonymisation where appropriate.
  • Ensure policies and procedures are in place to detect, report and investigate personal data breaches.

How we can help you

  • Cyber Essentials
    Cyber Essentials is a world-leading, cost-effective assurance mechanism for companies to demonstrate their use of important basic cyber security controls.

  • Penetration testing
    Let our experts put your defences to the test – stay ahead of criminal hackers with IT Governance’s affordable penetration testing solutions.

7. Monitor and audit compliance

GDPR compliance is an ongoing project – a journey rather than a destination. You should undertake periodic internal audits and update your data protection processes, including checking your records of processing activities and consent, testing information security controls, and conducting DPIAs.

What you need to do

  • Schedule regular audits of data processing activities and security controls.
  • Keep records of personal data processing up to date.
  • Undertake DPIAs where required.

How IT Governance can help you comply with the EU GDPR

IT Governance, a leading global provider of IT governance, risk management and compliance solutions, is at the forefront of helping organisations address the challenges of EU GDPR compliance.
