GDPR Compliance Roadmap

The processing of personal data is regulated in the EU by the General Data Protection Regulation (GDPR).

In the UK, the Data Protection Act 2018 enshrined a version of the EU GDPR into UK law, now called the UK GDPR.

It is likely the most complex regulation your staff face at work, and the financial penalties for breaches are ruinous.

Companies face fines of up to 4% of global annual turnover, up to a maximum of €20 million.

So it is critical to educate and support your staff fully to comply with this regime.


Achieving GDPR Compliance

The GDPR affects every organisation and every employee who processes personal data.

Processing includes everything from collecting and recording the data to its organisation, structuring, storage, alterations, retrieval, consultation, use, disclosure, dissemination, and erasure.

So everyone in your company who manages teams, processes payroll, or works in marketing, sales, customer service, IT support or practically any other function that involves dealing with people will need to know about the GDPR.

GDPR Compliance Roadmap

The GDPR is one of the most detailed regulations, with rules covering every aspect of data processing.

To comply, you need to ensure that your staff are aware of your legal basis for data processing, the rights of your data subjects (including access requests), your technical security measures, and so on.

Proper consent for data collection must be obtained if that is your legal basis. Data Subject Access Requests must be dealt with promptly and personal data retained no longer than necessary.

You may have implemented some one-off measures such as preparing the policies and training your staff. However, to fully comply and protect your company against costly breaches, you should consider a comprehensive set of ongoing measures to prepare and support your employees.

In the UK, the Information Commissioner's Office (ICO) has provided checklists for data controllers and processors that should be the basis for your GDPR compliance roadmap. In general, you should consider the following steps to maintain your GDPR readiness:

  • Step 1: Prepare data protection policies and procedures and ensure they are communicated to and attested to by employees and relevant sub-processors.
  • Step 2: Train your employees on the GDPR rules and how they apply to your company and their roles.
  • Step 3: Keep records of data processing activities for GDPR Article 30 compliance.
  • Step 4: Offer an easily accessible breach register for your staff to report any actual or suspected breaches or near misses.
  • Step 5: Obtain compliance declarations from your third-party sub-processors to ensure that your supply chain is aligned with your internal data protection standards.
  • Step 6: Conduct anonymous staff surveys to uncover deficiencies in your internal controls and external threats to continuously improve your data protection policies and procedures.

Policy Attestations

Compliance with the GDPR and the DPA starts with good corporate policies covering all aspects of data processing and information security - everything from data collection and retention periods to access control and the use of passwords.

But the policies don't work unless you ensure that they are communicated to all staff, and to new hires promptly after they join your company. Ideally, you should ask all affected employees to affirm that they understand and agree to abide by these policies and the associated systems and procedures.

With Skillcast's online Policy Hub, your employees can regularly review and attest to all the relevant policies in a timely and efficient manner, and you can provide evidence to regulators and authorities when required.

Policy Hub

GDPR Training

Adopting the policies is the first step, but effectively communicating them to your employees secures the required behavioural change.

Your staff need to understand your rules for processing and protecting personal data.

Skillcast offers a range of data protection courses to educate your staff and experts:

Compliance Essentials E-learning Courses

Data Breach Registers

Your company must report certain personal data breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. You must also record all personal data breaches, regardless of whether their severity warrants notifying the ICO.

GDPR breach fines from the ICO can reach up to £8 million or 2% of global turnover if the breach is not reported within the allowable time.

Organisations must have a robust breach-reporting process to detect and notify breaches on time and provide necessary details.

With a Skillcast Compliance Register, you can run this workflow efficiently and analyse the data over time to ensure compliance with the requirements of the GDPR.

Third-party Due Diligence

You may need third parties to complete disclosures or declarations regarding compliance with the GDPR and DPA.

Using email or paper-based processes is slow, inefficient and creates unnecessary duplication.

Using the Skillcast online Compliance Declarations will help you to streamline the collection, analysis and management of due diligence for associated persons outside your organisation.

Staff Surveys

Your employees and managers are your first line of defence against data breaches, and their knowledge about the effectiveness of your data protection and compliance procedures is crucial.

Conducting periodic staff surveys can tell you much about your data protection risks and deficiencies in training, procedures, record-keeping and any lack of clear policies and procedures. To maximise the utility of such surveys, you need to make them anonymous so that your employees can speak freely about sensitive topics.

The Skillcast Compliance Survey Tool can help you conduct robust, anonymous staff surveys that ensure the widest coverage and enable employees to give feedback to you in confidence.

Free GDPR Resources

We have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules.

GDPR Training Presentation

Ensure your staff know everything they need to about GDPR with this free, customisable training presentation.

Free GDPR Training Presentation

GDPR Self-assessment Questionnaire

Benchmark your existing processes and identify any missing GDPR procedures and controls with our questionnaire.

Free GDPR Self-assessment Questionnaire

GDPR Personal Data Awareness Aid

Help your staff fully understand what constitutes personal data and how to protect it with our poster.

Free GDPR Personal Data Awareness Poster

GDPR Fundamental Rights Awareness Aid

Highlight the fundamental rights covered by GDPR to your employees with some key statistics.

Free GDPR Fundamental Rights Poster

Best Practices in Data Protection

If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.

Top 10 Frequently Asked Questions About GDPR

Whistle-stop answers to the who, how, what, where and when of GDPR.

Answers to 10 GDPR FAQs

Conducting a GDPR Compliance Audit

An audit of your GDPR procedures and controls will allow you to benchmark your existing activities and remedy any gaps to ensure regulatory compliance.

Conducting a GDPR Audit

How will Brexit affect GDPR?

Now that the UK has left the European Union, what will the implications be for the GDPR? Will anything change? We answer your most frequently asked questions.

How will Brexit affect GDPR?

Data Subject Access Request Fees

Under GDPR, the way to deal with data subject access requests changed. How can you manage them effectively while remaining compliant?

How to Manage Data Subject Requests

GDPR & Age of Consent


About Age of Consent

Legal Basis for Data Processing under GDPR

There are six legal bases for processing as set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data.

Six Legal Bases for Processing Data

GDPR Compliance Tips when Sharing Data

Before you transfer personal data to other organisations, especially outside the EEA, you need to stop to think about the GDPR implications.

GDPR Compliance Tips for Sharing Data

GDPR & Safeguarding Vulnerable Adults

The categories and volume of data that companies hold on vulnerable data subjects may far exceed original expectations, which is why you need to assess their impact.

GDPR & Vulnerable Adults

Why you Need a Data Protection Officer


DPO Role & Responsibilities

How to Protect Health Data under GDPR

Health data security is in the spotlight, as public confidence has slumped after high-profile data breaches in the UK and basic data processing errors.

GDPR & Protecting Health Data

Data Protection in Times of Disruption

GDPR compliance becomes more challenging than ever during times of disruption. To maintain data protection compliance, you will need to focus and prioritise.

Data Protection During Disruption

What Factors Affect GDPR Fines?

To help you understand how these factors are applied, we have assessed each area in the context of the now-infamous Facebook data breach.

Factors Affecting GDPR Fines

Compliance Bulletin

Our monthly email provides best practice, expert opinions, industry insights, news and key trends in regulatory compliance training, digital learning, EdTech and RegTech.