Twelve Steps Towards GDPR Compliance

The Data Guardians - Twelve Steps Towards GDPR Compliance

The ICO recently Tweeted to remind organisations that they are accountable for the entire value chain of personal data. This starts with the collection process (and includes the information and transparency that is shown to data subjects), to the internal processing activities (ensuring that no additional processing activities take place as well as applying the appropriate technical and organisational measures), to ensuring that the third-parties that you share this data with, including Cloud providers, are also compliant.

So what is the ICO expecting of organisations in the new GDPR era? Their website says the following:

One of the biggest changes introduced by the GDPR is around accountability – a new data protection principle that says organisations are responsible for, and must be able to demonstrate, compliance with the other principles. Although these obligations were implicit in the Data Protection Act 1998 (1998 Act), the GDPR makes them explicit. You now need to be proactive about data protection, and evidence the steps you take to meet your obligations and protect people’s rights. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now formally recognised and legally required in some circumstances.”

The checklist below has been developed by the ICO to help clearly define what organisations need to do to demonstrate their accountability and I have matched the services that my company The Data Guardians offers to help you to tick off every one of these points.


ICO Accountability Checklist


1. “We take responsibility for complying with the GDPR, at the highest management level and throughout our organisation.”

  • The Data Guardians can help you to develop your data protection policies and strategies. Also our software solution will show your data value chain pictorially which helps show where your data goes and so makes it easier to manage.


2. “We keep evidence of the steps we take to comply with the GDPR.”

  • The evidence you need to keep depends on your industry sector and size. The Data Guardians can advise you on this. Our software solution keeps everything in one place, making it easy to find.


3. “We adopt and implement data protection policies (where proportionate).”

  • Our consulting services can help you write and implement the appropriate policies and procedures.


4. “We take a ‘data protection by design and default’ approach – putting appropriate data protection measures in place throughout the entire lifecycle of our processing operations.”

  • A Data Protection Impact Assessment is a complex risk assessment tool that requires expertise to complete. Our consultants can help you with this to ensure data protection is baked into any new processing activity and / or new technology.


5. “We put written contracts in place with organisations that process personal data on our behalf.”

  • The Data Guardians can help review the contracts as well as conducting due diligence on third-parties to validate their compliance.


6. “We maintain documentation of our processing activities.”

  • Our software product has a data mapping module that not only provides you with the Records of Processing as demanded by Article 30, but also keeps all your documentation in one place making it easy to find.


7. “ We implement appropriate security measures.”

  • We can provide vulnerability assessments and penetration tests. We can also advise on the management systems required to manage the outcomes of such tests.


8. “We record and, where necessary, report personal data breaches.”

  • The Data Guardians can help you write a personal data breach plan. Our software product helps you to log any incidents as well as providing templates to inform data subjects and the Supervisory Authority. Through our partnerships we can provide crisis management and public relations services as well.


9. “We carry out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests.”

  • A Data Protection Impact Assessment is a complex risk assessment tool that requires expertise to complete. Our consultants can help you with this to ensure data protection is baked into any new processing activity and / or new technology.


10. “We appoint a data protection officer (where necessary).”

  • Our out-sourced DPO service provides a solution. Combined with the software services, we can provide a low cost alternative to either a full-time employee, or where a manager has had this additional responsibility foisted upon them without the necessary knowledge or training.


11. “We adhere to relevant codes of conduct and signing up to certification schemes (where possible).”

  • We offer the BSI Standard for data protection (BSI 10012) to demonstrate compliance to customers and suppliers alike.


12. “We review and update our accountability measures at appropriate intervals.”

  • The Data Guardians can help audit your current practices to ensure continued compliance.


The Data Guardians can help you tick off every one of the above checklist items through a combination of services that we provide. Get in touch now to see how we can help.

+44 7980 815761

Leave a reply

You must be logged in to post a comment.