GDPR Compliance Checklist | Part 2 - Stay Compliant
Once you’ve implemented GDPR in your organisation, the focus shifts from setup to staying GDPR compliant.
Intro
Once you have implemented GDPR in your organisation with our GDPR compliance checklist for implementation, the focus shifts from setup to ongoing management.
GDPR requires your organisation to remain compliant at all times and to consistently demonstrate that compliance. It’s also in your best interest to ensure that personal data processing aligns with both GDPR requirements and the principles of Confidentiality, Integrity, and Availability (CIA).
If you haven't implemented the GDPR yet, you will be better off starting with our implementation checklist.
This article will guide you through the process of transitioning your GDPR project from implementation to part of your everyday business operations.
Governance
To manage GDPR compliance effectively, your organisation needs a clear structure with well-defined ownership. Without this, initial efforts can lose steam, mainly when key staff move on, or external consultants finish their work, leaving the project in the hands of unprepared colleagues. A solid governance framework ensures that GDPR compliance remains active and doesn’t fade into the background.
Leadership
Responsibility for GDPR compliance should rest with a senior figure, such as a director or vice director - someone with the authority to ensure it remains a priority within the organisation.
Regular updates on the organisation’s compliance status should be provided to senior management, including the board of directors. These reports should cover any deficiencies, risks, challenges, or proposed changes, enabling leadership to address issues on an organisational level.
While annual updates are the minimum, reporting quarterly or biannually is better to keep compliance at the forefront. Without active leadership involvement, expecting the rest of the organisation to stay engaged with GDPR obligations is unrealistic.
Ensure that GDPR compliance remains a key responsibility for senior leadership.
GDPR Team
If you formed a project group to implement GDPR, it’s wise to keep that team in place as you move into the operational phase. The reasons for selecting key team members during implementation remain relevant now that GDPR compliance is part of your routine business activities.
Regular input from departments like IT and legal is a must, while HR’s insights will be invaluable when dealing with the day-to-day challenges of managing personal data.
This GDPR team should meet regularly, e.g. quarterly, or more frequently if needed, to ensure ongoing compliance and tackle any emerging issues.
Work closely with a cross-functional team to manage GDPR compliance and address complex tasks.
Process and System Owners
When implementing GDPR, you likely involved specialists from different teams across the organisation to help figure out how personal data was managed within specific processing activities and systems (process and system owners) and delegated the tasks to them. We recommend that you continue this delegation of tasks to ensure that GDPR compliance is maintained effectively across the organisation.
These process and system owners are responsible for keeping GDPR compliance current in their respective areas. If changes in data handling occur or new challenges arise, they should address them directly, ideally with your guidance as the GDPR Manager, since you have a broader view and can offer insights from similar situations across the organisation.
Assign and maintain responsibility for GDPR compliance to process and system owners, collaborating as needed.
GDPR Manager
The GDPR Manager oversees the day-to-day work involved in maintaining compliance. While they coordinate all GDPR-related tasks, they don’t need to handle everything personally. In smaller organisations, they might take on more hands-on duties, but ideally, responsibilities are shared across the organisation.
The GDPR Manager ensures regular reporting to leadership and the GDPR team, and that process and system owners stay on top of their tasks. They also provide support through training and guidelines to help staff manage personal data correctly within their areas.
Ultimately, the GDPR Manager must ensure the organisation’s GDPR documentation is always up to date and that personal data is handled in compliance with the regulation.
The GDPR Manager should oversee compliance efforts and manage daily tasks to ensure proper handling of personal data throughout the organisation.
Data Protection Officer (DPO)
During the implementation phase, your organisation may have appointed a Data Protection Officer (DPO).
The DPO works closely with the GDPR Manager, but their roles differ. While the GDPR Manager handles day-to-day operations, the DPO focuses on oversight and advisory duties.
The DPO’s main task is to monitor GDPR compliance, e.g. by checking that data processing activities align with the GDPR. They help manage Data Protection Impact Assessments (DPIAs), properly addressing risks. They also serve as the point of contact with the supervisory authority, managing communications in the event of data breaches or investigations by the data protection authority.
Unlike the GDPR Manager, who handles day-to-day tasks, the DPO is an independent advisor, reporting directly to senior management. They provide objective guidance, free from conflicts of interest, ensuring that leadership is informed of compliance risks. The DPO and GDPR Manager ensure that the organisation remains compliant operationally and strategically.
The DPO should regularly monitor GDPR compliance, advise on DPIAs, act as the primary contact for data subjects and authorities, and report any compliance risks to senior management.
GDPR Compliance Reporting
Preparing an annual GDPR compliance report for the board of directors is a good practice. This report should provide a clear overview of the organisation’s current compliance status, detailing processing activities, the state of information assets, and any significant updates.
In addition, the report should cover key areas such as data breaches, any organisational changes that might affect GDPR compliance, a brief on organisational GDPR risks, etc. Financial aspects could also be included, highlighting resources allocated, costs, investments, and time spent on GDPR-related tasks.
While this type of reporting isn’t always precise, it should provide senior management with a solid understanding of the organisation’s GDPR standing.
Prepare an annual GDPR compliance report for the board, addressing processing activities, breaches, organisational changes, and resource allocation related to GDPR.
Data Protection Principles
A fundamental requirement of GDPR compliance is maintaining thorough documentation. Article 5(2) stipulates that organisations must be able to demonstrate that the data protection principles are being complied with, which means documenting all personal data processing activities.
This includes ensuring that each processing activity has a legal basis, establishing data processing agreements with third parties, and respecting data subjects' rights, such as the right to receive information about how their data is processed and access to that data.
These requirements together form a comprehensive set of documentation obligations that your organisation must keep up to date.
Accurate and well-maintained records are important for demonstrating compliance and are critical if your organisation is ever audited or investigated.
Maintain detailed documentation of all data processing activities, legal bases, data processing agreements, etc., to demonstrate GDPR compliance.
The Records of Processing Activities (RoPA)
The Record of Processing Activities (RoPA) must be regularly updated to reflect the organisation’s current handling of personal data. To keep this accurate and up to date, you must establish two key routine tasks within the organisation.
Ad Hoc Updates
As the GDPR Manager, it is difficult to keep track of every change in how personal data is processed across the organisation. You can’t be aware of all the changes your colleagues make day-to-day in their processing of personal data.
That’s why process and system owners must ensure any changes in how they handle personal data comply with GDPR requirements. Whether modifying an existing process, stopping one, or starting something new, these changes must be reflected in the RoPA.
Process and system owners should take the initiative to either update the RoPA themselves or inform you, as the GDPR Manager, who oversees these updates. This responsibility should ideally be part of their job descriptions; to support this, they need proper training in GDPR. This way, GDPR compliance becomes integrated into the organisation’s daily operations.
You should train process and system owners to update the RoPA or inform the GDPR Manager of changes.
Recurring Updates
To ensure the RoPA stays current, you can take the lead by conducting biannual or annual reviews. This process involves asking all process and system owners to verify that the documentation for their respective areas is accurate and up to date.
Perform biannual or annual reviews of the RoPA by having process and system owners confirm the accuracy of their records.
Information Assets
As with changes in data processing activities, the information assets your organisation uses and how they are used may evolve over time. This is a natural part of any organisation's development. These changes must be reflected in your information asset inventory.
To maintain GDPR compliance, any modifications to information assets must align with GDPR requirements, risk assessments, and other relevant considerations.
Ensure updates to the information asset inventory reflect any changes and comply with GDPR requirements and risk assessments.
Risk Assessments
It’s important to ensure that your risk assessments remain accurate and up to date. Even if you haven’t changed how personal data is processed, shifts in the organisation’s environment can impact the risk landscape. For instance, the company may experience significant growth and hire new staff, impacting internal work processes and how data is handled within the organisation. Similarly, geopolitical changes could heighten the risk of cyberattacks.
You should, therefore, regularly update your risk assessments to reflect the current situation and ensure that the identified risks are properly managed. It might also happen that your risk appetite has changed, making you perceive risks as too high even though they objectively didn’t change.
Once you have updated and verified your risk assessments, you should ensure that your security measures are still effective in mitigating risks to an acceptable level.
Regularly update risk assessments to reflect organisational changes and ensure security measures effectively mitigate identified risks.
Security Measures
Your organisation’s security measures must effectively manage the risks tied to personal data processing. This requires regularly reviewing these measures against your risk assessments to ensure they remain suitable and robust.
You may also want to consider introducing new security measures, especially if a contract with a security provider is nearing its end. This can be an ideal time to explore different or improved options that better suit your organisation's needs.
Regularly review and update security measures to ensure they continue to address risks related to personal data processing effectively.
GDPR Documents
Any guidelines, procedures, privacy policies, or related documents concerning personal data processing must be updated whenever there are changes in how data is handled. These updates should be made by the process and system owners responsible for the relevant tasks. As the GDPR Manager, you ensure these updates are accurate, usually through an annual audit.
Key documents that require regular updates include:
- Information security policy
- Privacy policy
- Data breach log
- Process descriptions and procedures
Ensure process and system owners update all guidelines, policies, and procedures related to personal data processing, with annual audits to verify accuracy.
The Data Subject Rights
The rights of data subjects must always be respected. Some rights, like the right to be informed, must be proactively upheld, while others are only exercised upon request.
Your colleagues should be trained to recognise how data subject rights should be respected, as customers may not always be aware of their rights or the specifics of GDPR. Even if they don’t use the exact legal terms, your organisation is still obligated to respond correctly.
All employees, particularly those in customer-facing roles, should be familiar with these rights. They must have clear guidelines on handling requests in practice and know the appropriate actions to take. Incorporating these responsibilities into standard operating procedures can help ensure a consistent and compliant approach.
Train staff, especially those in customer-facing roles, to recognise and respond to data subject rights requests in line with GDPR obligations.
Data Retention Policies
GDPR requires personal data to be kept only as long as necessary for its intended purpose, after which it should be securely deleted or anonymised. During your implementation of the GDPR, you identified these periods.
To make sure that your organisation complies with the requirements, you should create clear data retention policies, categorise information like employee records or newsletter signups, and assign retention periods. This way, you have a guideline for how long personal data should be kept and how to dispose of it. For example, employee data might be kept for years after someone leaves, while data on newsletter signups is retained only for the duration of their consent.
These policies should be reviewed, e.g., annually, to ensure they align with business needs and legal requirements.
When data reaches the end of its retention period, it should either be securely deleted or anonymised for further use, such as in research.
Create and review data retention schedules regularly, ensuring data is deleted or anonymised when no longer needed.
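The retention schedule described above (categories with retention periods, a fixed period after a triggering event for some data and "for the duration of consent" for others, and delete or anonymise at the end) can be applied mechanically at each review. The following is an added example, not code from the article or from .legal: the categories, the five-year employee period and the sample records are all constructed assumptions used only to show how such a review decides what to do with each record, including records whose triggering event has not happened yet and records in an uncategorised area that the schedule cannot cover.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    """One line of the retention schedule for a data category."""
    trigger: str                 # event that starts the retention clock
    period_days: Optional[int]   # None = keep only while consent stands
    end_action: str              # "delete" or "anonymise"


# Hypothetical schedule (assumption for this example, not legal advice):
# the periods below are placeholders your own schedule would replace.
SCHEDULE: Dict[str, RetentionRule] = {
    "employee_record": RetentionRule("employment_ended", 5 * 365, "delete"),
    "newsletter_signup": RetentionRule("consent_given", None, "delete"),
    "customer_order": RetentionRule("order_completed", 5 * 365, "anonymise"),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: Optional[date]   # None if the triggering event has not occurred
    consent_active: bool = True    # only meaningful for consent-based categories


def retention_decision(rec: Record, today: date) -> str:
    """Return 'retain', 'delete', 'anonymise' or 'review' for one record."""
    rule = SCHEDULE.get(rec.category)
    if rule is None:
        # Data outside the schedule: the GDPR Manager must categorise it first.
        return "review"
    if rule.period_days is None:
        # Consent-based: the retention period ends when consent is withdrawn.
        return "retain" if rec.consent_active else rule.end_action
    if rec.trigger_date is None:
        # Clock has not started (e.g. employee still employed).
        return "retain"
    expiry = rec.trigger_date + timedelta(days=rule.period_days)
    return rule.end_action if today >= expiry else "retain"


def run_review(records: List[Record], today: date) -> Dict[str, str]:
    """Apply the schedule to every record; this is the output of one review run."""
    return {rec.record_id: retention_decision(rec, today) for rec in records}


# Constructed sample data for a review dated 15 January 2025.
REVIEW_DATE = date(2025, 1, 15)
SAMPLE_RECORDS = [
    Record("emp-1", "employee_record", date(2019, 6, 30)),   # left >5 years ago
    Record("emp-2", "employee_record", None),                # still employed
    Record("nl-1", "newsletter_signup", date(2022, 3, 1), consent_active=False),
    Record("nl-2", "newsletter_signup", date(2024, 11, 20), consent_active=True),
    Record("ord-1", "customer_order", date(2024, 12, 1)),    # recent order
    Record("x-1", "legacy_export", date(2018, 1, 1)),        # not in schedule
]


def decisions_for_sample() -> Dict[str, str]:
    return run_review(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for record_id, action in decisions_for_sample().items():
        print(f"{record_id}: {action}")
```

The "review" outcome is the useful edge case: a record the schedule does not cover is neither silently kept nor deleted, but surfaced to the GDPR Manager, which is how uncategorised data gets added to the schedule at the next policy review.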
Compliance Management System
There are many recurring tasks and compliance documents to keep track of to stay GDPR compliant, so managing your compliance requires an organised system. You can create a customised solution to match your organisation’s needs or use dedicated GDPR compliance software.
Custom GDPR Compliance System (Excel)
Many organisations start by building their own GDPR compliance system, using tools like Excel, Word, shared folders, and email or chat for communication.
This approach requires some practical know-how on the GDPR to get started but offers a high degree of flexibility because everything can be customised to your organisation’s needs.
However, it can become challenging in larger organisations, or if you, the creator of the custom compliance system, leave the company and a colleague has to take it over.
It can also be difficult to involve your colleagues in the compliance work, as they likely won't understand the setup and its intricacies as thoroughly as you do. Additionally, a custom-built system is more prone to errors, especially if there’s no logging of changes made to the system or the content your colleagues add.
With good in-house knowledge of GDPR and strong organisational skills, you can build your custom system for managing GDPR compliance at no cost other than your time. However, remember that time is money, both in developing the system and maintaining it as changes arise or if issues need fixing.
Moreover, the ongoing GDPR work can become more time-consuming for you, as the person overseeing documentation and practical tasks, and for your colleagues, as a custom system can be difficult to navigate if they weren’t involved in its creation.
GDPR Compliance Software
If you don’t have the expertise to design your own GDPR system, then opting for GDPR compliance software is a good choice.
There are many strong reasons to go down this route, and you should explore them further. These systems provide a mix of built-in GDPR know-how via their functionality and practical support through user-friendly interfaces. Additionally, they offer a platform for communication, as well as managing roles, permissions, and access rights.
There’s much more to say on this topic, and it has been covered extensively in our series on GDPR compliance software, which you might find interesting to read: “Do You Really Need GDPR Compliance Software?”
Maintain a GDPR compliance management system, either custom-built or using GDPR compliance software, to effectively track tasks, documents, and ongoing GDPR requirements.
GDPR Compliance Audits
Audits can be carried out internally by a colleague or externally by consultants or a certification body to verify that your organisation is managing GDPR compliance effectively.
Not only do audits help demonstrate that your organisation is GDPR compliant, but they also ensure you meet a key requirement of the regulation, which is proving compliance. If any gaps are identified during an audit, it’s an opportunity to address them and bring your organisation back in line with the GDPR.
Conduct regular internal or external audits to verify GDPR compliance and promptly resolve any gaps identified.
Internal Audits
An internal audit is a valuable tool for an organisation, especially for leadership, to ensure that GDPR compliance is on the right track. This audit can provide senior management and the board of directors with a clear assessment of whether the organisation meets its GDPR obligations, acting as a "health check" for compliance.
Internal audits can be conducted annually or more frequently if needed, depending on what the organisation decides.
While the GDPR Coordinator, who handles the day-to-day compliance tasks, could carry out the audit, there is a risk of bias. To reduce this, the audit can be performed with oversight from a colleague who reviews and approves the audit.
In organisations with a Data Protection Officer (DPO), the DPO should ideally lead the audit, as one of their key responsibilities, according to the GDPR rules, is to monitor GDPR compliance.
Internal audits can be conducted in various ways. You don’t necessarily need to examine everything in detail; instead, you can perform spot checks, but your chosen approach should align with the purpose of the audit. Below is an example of a process you can follow:
Planning Phase
- The first step is to define the scope and objectives of the audit
- Develop the audit program and outline procedures
- Share the timeline, key deliverables, and set expectations
Fieldwork and Documentation Phase
- Collect relevant data
- Analyse and document the organisation’s processes
- Record findings from assessments or tests
Reporting Phase
- Highlight strengths and areas for improvement
- Present audit findings to management
- Compile the final report and conduct an exit meeting
The internal audit may highlight areas that need adjustments, or it could confirm that the current practices are effective and should be continued. The final step is to get management’s approval on the organisation’s GDPR compliance strategy moving forward.
External Audit and Certification
An external audit carries more weight with your organisation’s stakeholders, and if this is important for your business or perhaps a legal requirement, then it’s advisable to undertake one.
While an external audit serves the same purpose as an internal one, it is unbiased, offering an impartial view of your GDPR compliance. It can also be more practical to hire external auditors if internal staff lack the capacity or expertise to conduct the audit themselves.
More and more organisations are seeking certifications to confirm their compliance, either to meet stakeholder expectations or because they are required by law or industry standards.
Although GDPR-specific certifications are still rare, many companies pursue ISO 27001 certification in information security or an ISAE 3000 statement. This demonstrates a commitment to managing data securely and following best practices for identifying and addressing information security risks.
Achieving ISO 27001 certification conveys that your organisation takes information security seriously. This not only builds trust with potential partners and customers but also reduces the due diligence needed when others are selecting you as a supplier or data processor.
GDPR Awareness Training
Employees can’t manage data effectively if they don’t know what qualifies as personal data, where it’s stored, or how it’s processed. This is one of the fundamental challenges that must be addressed through training to ensure compliance in handling personal data, such as customer information.
Expecting employees to manage data correctly without clear guidance is unrealistic. They need to be taught how to handle personal data within the context of their specific tasks and the digital tools they use daily.
To address this, you should implement a structured training programme that educates all staff on GDPR and the correct handling of personal data.
Provide regular GDPR training for all employees, including role-specific and onboarding sessions, and document the result of the training to ensure compliance.
Data Breach Response
Your organisation must always be prepared to identify and respond to potential data breaches involving personal data, as the risk is ongoing.
Breaches can happen due to human error, system vulnerabilities, or malicious attacks. To prevent and detect these incidents, your organisation must have effective technical and organisational measures, as GDPR requires.
Your colleagues play an important role in spotting breaches, particularly those caused by their mistakes or anything they notice within the organisation. The IT department also has a key role in detecting breaches using tools like Intrusion Detection Systems.
When a data breach does occur, you need to be ready to act swiftly to minimise any negative consequences. If the breach involves personal data, you must follow GDPR’s requirements for reporting and managing the incident.
Ensure systems and staff are prepared to detect, report, and mitigate data breaches involving personal data in line with GDPR.
GDPR and Data Breach Requirements
Under GDPR, if a personal data breach is likely to negatively impact individuals, it must be reported to the supervisory authority. Since most incidents affect individuals, the threshold for reporting breaches is quite low, meaning nearly all data breaches must be reported.
Additionally, these breaches must be communicated to the affected individuals, allowing them to take any necessary precautions.
Even smaller incidents that don't need to be reported to authorities must be logged internally to comply with the GDPR.
Report data breaches to authorities and affected individuals, log all breaches internally, and comply with GDPR’s low reporting threshold.
Data Breach Procedures
Facing a data breach without a clear plan is unacceptable. You must have established procedures to identify and respond to breaches immediately upon detection.
These procedures should ensure the GDPR requirements for handling data breaches are followed. In this context, special attention must also be given to how your organisation’s IT systems are managed during a breach to ensure that it is mitigated and the organisation quickly returns to business as usual.
These procedures must be reviewed and updated regularly to incorporate best practices and to keep your organisation well-prepared to execute them effectively when a breach occurs.
Regularly review and update data breach response procedures, ensuring they align with GDPR requirements and can be executed effectively when needed.
Vendor Compliance Management
A large part of your organisation’s data processing is likely outsourced to external providers, and while you probably carried out thorough checks when you first partnered with them, what about now?
It could have been a year or more since your last review, so are they still holding that ISAE 3000 statement or ISO 27001 certification they initially provided?
Although your data processors are responsible for handling personal data correctly on your behalf, the ultimate responsibility lies with you as the data controller. Having a Data Processing Agreement (DPA) in place when onboarding a vendor is only the beginning.
You must regularly ensure that these Data Processing Agreements are relevant, reflect any updates to your requirements, and that the vendor’s security measures remain robust. For instance, if your processor starts using a new sub-processor, it’s up to you to confirm that this new arrangement meets your compliance standards.
Managing vendor compliance is a tricky task. Ideally, you should conduct regular vendor audits, e.g., once a year, to ensure their data protection practices continue to meet GDPR standards.
This involves verifying certifications like the ISAE 3000 statement, checking their history of data breaches, and reviewing whether they have brought on any new sub-processors. Automating this process, such as sending audit questionnaires or setting reminders for certification renewals and DPA updates, can help you manage this task smoothly.
Conduct regular vendor audits, keep Data Processing Agreements up to date, and verify that vendors' security measures continue to comply with GDPR.
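The recurring vendor checks listed above (is the certification still valid, is the DPA still current, has the processor added sub-processors you never approved, is the annual audit overdue) lend themselves to an automated reminder run over a vendor register. The following is an added example, not code from the article or from .legal: the vendor names, dates and the 90-day reminder and one-year review intervals are constructed assumptions chosen to exercise each kind of finding.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Vendor:
    """One row of a hypothetical vendor register (constructed for this example)."""
    name: str
    dpa_signed: date                    # date the DPA was signed or last reviewed
    certification: str                  # e.g. "ISO 27001" or "ISAE 3000"
    certification_valid_until: date
    approved_subprocessors: FrozenSet[str]   # sub-processors you have accepted
    current_subprocessors: FrozenSet[str]    # sub-processors the vendor now lists
    last_audit: date                    # your last vendor audit of them


def vendor_findings(v: Vendor, today: date,
                    reminder_days: int = 90,
                    review_interval_days: int = 365) -> List[str]:
    """Return the follow-up items for one vendor; an empty list means nothing is due."""
    findings = []

    # Certification: expired is a finding; expiring soon is a reminder.
    if today > v.certification_valid_until:
        findings.append(f"{v.certification} certification expired on "
                        f"{v.certification_valid_until.isoformat()}")
    elif today + timedelta(days=reminder_days) >= v.certification_valid_until:
        findings.append(f"{v.certification} certification expires within "
                        f"{reminder_days} days; request the renewed certificate")

    # DPA: flag when it has not been reviewed within the interval.
    if today - v.dpa_signed > timedelta(days=review_interval_days):
        findings.append("DPA not reviewed within the last "
                        f"{review_interval_days} days; check it still reflects your requirements")

    # Sub-processors: anything the vendor lists that you have not approved.
    for name in sorted(v.current_subprocessors - v.approved_subprocessors):
        findings.append(f"unapproved sub-processor: {name}")

    # Annual vendor audit overdue.
    if today - v.last_audit > timedelta(days=review_interval_days):
        findings.append("vendor audit overdue; send the audit questionnaire")

    return findings


def audit_register(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    return {v.name: vendor_findings(v, today) for v in vendors}


# Constructed sample register, reviewed on 1 March 2025.
REVIEW_DATE = date(2025, 3, 1)
SAMPLE_VENDORS = [
    Vendor("CloudCRM Ltd", date(2024, 1, 10), "ISO 27001", date(2025, 4, 15),
           frozenset({"EU-Host"}), frozenset({"EU-Host", "US-Analytics"}),
           date(2024, 2, 1)),
    Vendor("PayrollPro", date(2024, 9, 1), "ISAE 3000", date(2026, 1, 31),
           frozenset({"DC-North"}), frozenset({"DC-North"}), date(2024, 10, 5)),
    Vendor("OldMailer", date(2024, 6, 1), "ISO 27001", date(2024, 12, 31),
           frozenset({"EU-Host"}), frozenset({"EU-Host"}), date(2024, 6, 1)),
]


def findings_for_sample() -> Dict[str, List[str]]:
    return audit_register(SAMPLE_VENDORS, REVIEW_DATE)


if __name__ == "__main__":
    for vendor, items in findings_for_sample().items():
        print(vendor, "->", items or "no action required")
```

Running this on a schedule (monthly, say) turns the "what about now?" question into a list of concrete follow-ups per vendor; the unapproved sub-processor check is the one most easily missed by a manual review, since it only shows up when you compare the vendor's current list against what you accepted at onboarding.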
Regulatory Monitoring
It may seem obvious, but staying informed about regulatory developments related to GDPR is part of the job.
GDPR rules and best practices evolve, and new legal interpretations or industry guidelines can appear. By keeping up with these changes, you can adjust your organisation’s practices early, helping you stay compliant and avoid potential problems.
An easy way to do this is by subscribing to regulatory updates, attending relevant webinars, and networking within your industry.
Regularly monitor GDPR regulatory updates and industry guidelines to adjust practices and maintain compliance.
Conclusion
Implementing the GDPR is one thing; staying GDPR compliant is another.
This article has outlined several tasks you should consider as part of your ongoing GDPR compliance management.
Info
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
.legal is not a law firm and is therefore not under the supervision of the Bar Council.