You cannot fail to have noticed that GDPR is imminent. We thought it might be helpful to offer you a quick look at where you need to be at this stage in the pre-GDPR game.
Do you have an information asset register?
- does it clearly identify why you collected the personal information?
- do you have clearly defined retention schedules in place?
Have you begun to implement Data Protection Privacy Impact Assessments?
- Are they properly documented, and are the risks fully understood?
How's your privacy statement looking?
- Is it clear and unambiguous?
Is your Subject Access Request process clearly signposted?
- Are all staff being trained to recognise one, and do they know who to pass it on to?
Have you begun to document ‘how’ you comply with GDPR?
Are senior management fully trained and aware of the part they play in ensuring ongoing compliance?
Should you be breached (or rather, when), can you evidence that appropriate security controls were in place?
- Do you have an assurance plan to ensure those controls remain effective?
Do you have an effective incident reporting and management plan to ensure proper reporting to the correct authorities?
- Are employees fully versed and trained in this?
- Do you document and evidence exercising the plan?
Have you implemented an effective no-blame near-miss reporting process?
- Are near-miss statistics transparently reported to all staff?
- Are you using the results from near-miss reporting to adjust your culture?
Remember GDPR isn’t a project. It requires a permanent change of culture.
You must be investing in quality staff training now.
Posted by Ellie Hurst on 10th January 2018