10 Steps to Achieving GDPR Compliance

Posted by Matt Green on 10 Jun 2022

The GDPR (Regulation (EU) 2016/679) became enforceable on 25 May 2018, replacing the 1995 Data Protection Directive with the aim of unifying and strengthening data protection for individuals within the European Union (EU).
The GDPR brought tougher sanctions, more rights for individuals, and a wider territorial scope: under Article 3 it applies not only to organisations established in the EU but also to any non-EU organisation that offers goods or services to people in the EU or monitors their behaviour there, regardless of where the processing takes place.

Since its introduction, supervisory authorities have issued some hefty fines, which underlines the need for GDPR training. Another notable change is that appointing a Data Protection Officer (DPO) is now mandatory for public authorities and bodies, and for certain organisations whose core activities involve large-scale processing of personal data (see step 2 below).
The need for guidance on GDPR compliance

Despite the GDPR having been in force for four years, many companies are still not compliant. One recent study indicates that nearly three-quarters of UK companies do not handle data subject access requests in line with the GDPR's requirements, and that about a third of EU companies are not GDPR compliant.

Previously, under the UK Data Protection Act 1998 (DPA), the maximum fine for failing to comply with data protection rules was £500,000, and the ICO only reached that cap in 2018 (Facebook and Equifax). Under the GDPR, penalties are much tougher: the upper tier (Article 83(5)) allows fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher, with a lower tier of 2% or EUR 10 million for less serious infringements.

Top tips for GDPR compliance

  1. Get the tone from the top right
  2. Appoint a Data Protection Officer
  3. Be proactive & aim for data protection by design
  4. Measure and mitigate the risk
  5. Know where your data is & get familiar with data sources
  6. Categorise your data
  7. Have detailed plans in place in case it goes wrong
  8. Review your privacy policy
  9. Educate your staff
  10. Determine if your data can be deleted

1. Get the tone from the top right

Consider holding events and roadshows, creating resources, or organising presentations by the CEO and board to create awareness and demonstrate your commitment to data protection at the highest level. If it matters to you, then it will matter to everyone else across the organisation.

2. Appoint a Data Protection Officer

Headcount is not the test here. Under Article 37 a DPO is mandatory if you are a public authority or body, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if they involve large-scale processing of special categories of data or criminal conviction data. The often-quoted 250-employee threshold comes from the record-keeping exemption in Article 30, not from the DPO requirement, so a small firm can still be obliged to appoint one. Even where it is not mandatory, appointing a DPO is good practice: they act as the main point of contact for all data protection activities within your firm and for the supervisory authority, must report to the highest level of management, and must not be penalised for doing their job.

3. Be proactive & aim for data protection by design

Think about how you might integrate data protection into all your processes so that privacy is a design requirement rather than an afterthought (Article 25: data protection by design and by default, including data minimisation and pseudonymisation where appropriate). Carry out and document a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals, which is mandatory under Article 35, and consider doing one for any new system, supplier or product that handles personal data. A Privacy Impact Assessment (PIA) is the older name for the same exercise.

4. Measure and mitigate the risk

As a board, be sure to spend time discussing your cybersecurity and information security issues. What is your risk profile, your attitude to different risks, and your appetite in respect of data breaches?

Are cybersecurity and information security issues included in your risk register? Are there named risk owners and specialist teams to track and manage the risk? What role do Audit and Compliance play now and how will this change in future?

5. Know where your data is & get familiar with data sources

It is impossible to comply with data protection rules if you don't know what personal data you hold, where it is, why you hold it, and who it is shared with. Build and maintain a data inventory covering every system, supplier and backup, and map each processing activity to its purpose and lawful basis. Article 30 requires most controllers and processors to keep exactly this kind of record of processing activities, and you will need it to answer access and erasure requests within the one-month deadline.

6. Categorise your data

Not all personal data carries the same risk. Categorise your data by how sensitive it is and how much harm a breach would cause to the individuals concerned, not just by its value to the business. Special category data under Article 9 (health, biometrics, ethnicity, religion, sexual orientation, trade union membership, political opinions, genetic data) and children's data need the strongest controls and a specific condition for processing. Classification lets you apply encryption, access controls and retention limits where they matter most, and it reduces both the likelihood and the impact of a breach.

7. Have detailed plans in place in case it goes wrong

Prepare your business for a personal data breach before one happens. That means an incident response plan, with named owners, escalation routes and costed options, that can be picked up and followed under pressure. The GDPR sets hard deadlines: Article 33 requires you to notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and Article 34 requires you to tell the affected individuals without undue delay where the risk is high. You must also keep an internal log of every breach, including those you decide not to report. Test the plan with exercises so that the 72-hour clock does not start with people working out who to call.

8. Review your privacy policy

Article 12 requires privacy information to be concise, transparent, intelligible and easily accessible, using clear and plain language, so lengthy legalistic policies written under the old regime will probably need to be revised and re-written. Check that your notice covers everything Articles 13 and 14 require: the purposes and lawful basis for each processing activity, retention periods, recipients and international transfers, the individual's rights (including the right to complain to the supervisory authority), and the contact details of your DPO if you have one.

9. Educate your staff

Train your employees and make sure they understand what the GDPR means for them in their day-to-day roles: how to recognise a subject access request, what to do when they suspect a breach, and when personal data may and may not be shared. It is important to ensure that all employees are on the same page to avoid unintentional GDPR breaches, and to keep records of the training as evidence of accountability.

10. Determine if your data can be deleted

Under Article 17 of the GDPR, individuals have a right to erasure, commonly called the "right to be forgotten". Any data subject (not only customers) can ask for their personal data to be deleted, and you must respond without undue delay and at the latest within one month (extendable by two months for complex requests). The right is not absolute: you can refuse where you still need the data to comply with a legal obligation (tax and accounting retention rules are a common example), to establish or defend legal claims, or for certain public interest or freedom of expression purposes, but you must tell the individual why. Where the right does apply, the data must be removed from all systems, including backups, logs, analytics stores and third-party processors you have shared it with, so make sure your data inventory lets you find every copy and that you have a tested, repeatable deletion process rather than a manual scramble.
Want to learn more about GDPR?

To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.

Our best-selling Compliance Essentials Library and award-winning LMS provide a one-stop compliance training solution, including GDPR compliance e-learning.

Our searchable GDPR compliance glossary explains key terms, and we regularly report on lessons from the largest fines resulting from regulatory breaches.

We also have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.

Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.

If you've any questions or concerns about compliance or e-learning, please get in touch.

We're happy to help!