| GDPR article | Objective | Compliance requirements |
|---|---|---|
| Article 25: Data protection by design and by default | Organisational accountability and privacy by design as a business culture. | Review access controls and privileges, notices and consent processes. |
| Article 30: Records of categories of personal data processing activities | Implementation of technical and organisational measures to properly process personal data. | Create an asset register of personal data types and sensitive files: map where it is stored, why it is stored and for how long. Understand who has access to personal data, monitor that access and know when data can and should be deleted. |
| Article 17: Right to erasure | Automated search and removal of specific personal data. | Ensure the ability to handle data subject requests: find personal data records, flag them and remove them. |
| Article 32: Security of processing | Accountability of data owners and maintenance of successful policies and processes. | Automate and impose least privilege through entitlement reviews and proactively enforced ethical walls. Review state-of-the-art technology and ensure data security is sufficient to counter the risks. |
| Article 33: Notification of personal data breach to the supervisory authority | Implementation of data breach activity alerts and an incident response plan. | Detect abnormal data breach activity and policy violations and raise a real-time alert. Record breaches and report them to the supervisory authority when required. |
| Article 35: Data protection impact assessment | Understanding of data protection risk profiles, especially sensitive data and large-volume processing. | Conduct regular, quantified data protection impact assessments. |
What must I do?
There are a number of structured approaches to becoming GDPR compliant. In the accompanying table, we have broken out some specific articles so that you can zero in on them and understand exactly what you need to do to comply.
Immediate quick wins
Right away we suggest you focus on the following:
- Data mapping and classification – Know where personal data is kept in your system's documents, presentations, spreadsheets and databases. This is critical for protecting the data. It is also necessary to follow through on data subject requests and to ensure you have the required data sharing agreements in place.
- Metadata – Make sure you are tagging personal data (when it was collected and for what purpose), so you can demonstrate compliance with data minimisation and retention requirements.
- Governance – Immediately focus on data governance basics such as who is accessing personal data in the filing systems and who should be authorised to access it. Consider implementing role-based access controls. Make sure your organisational policies have been created and that your staff understand them.
- Monitoring – IT security requires constant monitoring. Implement systems to spot unusual access patterns of files containing personal data, and processes to record and report these to the local supervisory authority.