Phase 1 lays the foundation for your GDPR compliance project by clearly defining roles, raising awareness, planning the compliance project, and understanding the scope of GDPR within your organisation.
Below is a detailed, actionable guide to ensure clarity and ease of implementation.
Step 1: Assign Responsibility and Raise Awareness
Activities:
- Designate a GDPR Lead or Team:
  - Identify and appoint a GDPR lead, privacy coordinator, or Data Protection Officer (DPO) if legally required.
  - Clearly define their responsibilities and authority within the organisation.
  - Template placeholder: “GDPR Role Assignment Document”.
- Secure Management Commitment:
  - Present the importance of GDPR compliance to top management.
  - Gain formal approval and commitment for GDPR implementation.
  - Document these decisions clearly as evidence.
  - Template placeholder: “Management Commitment Statement”.
- Staff Awareness Training:
  - Organise training sessions or workshops to brief employees on GDPR, explaining its importance and how it impacts daily operations.
  - Emphasise the concept of restricted data access (e.g., only HR accesses employee data).
  - Maintain attendance logs and meeting minutes for evidence.
  - Template placeholder: “GDPR Staff Training Presentation”.
- Establish Documentation:
  - Create a “GDPR Compliance Folder” (digital recommended) to store all relevant documentation securely.
  - Clearly label and organise documentation for easy retrieval and audit purposes.
  - Template placeholder: “GDPR Compliance Documentation Checklist”.
Step 2: Plan the Compliance Project
Activities:
- Define Project Phases and Tasks:
  - Clearly break down your GDPR compliance project into phases (e.g., assessment, implementation, training).
  - List tasks within each phase, specifying responsibilities clearly.
  - Template placeholder: “GDPR Project Plan Template”.
- Establish Timeline and Milestones:
  - Develop a realistic timeline that includes key deadlines and milestones.
  - Prioritise addressing high-risk areas first, such as unsecured databases or extensive marketing lists.
  - Regularly review and update the timeline.
  - Template placeholder: “GDPR Project Timeline and Milestone Tracker”.
- Resource Planning:
  - Identify required resources, including budget allocations, time commitments, and the potential need for external legal advice.
  - Secure management approval for resource allocation.
  - Template placeholder: “GDPR Resource Allocation Worksheet”.
- Tracking Progress:
  - Use checklists and tracking tools to monitor the progress of tasks and compliance levels.
  - Consider self-assessment checklists provided by data protection authorities such as the UK ICO.
  - Template placeholder: “GDPR Compliance Progress Checklist”.
Step 3: Understand Scope and Applicability
Activities:
- Assess GDPR Relevance:
  - Evaluate and document how GDPR applies specifically to your business operations.
  - Confirm whether your SME processes personal data of EU/UK individuals; this determines whether and how GDPR applies to you.
  - Template placeholder: “GDPR Applicability Assessment Template”.
- Identify Roles as Controller or Processor:
  - Clarify whether you operate as a data controller, a processor, or both, depending on your data processing activities.
  - Document these roles clearly for internal reference.
  - Template placeholder: “Data Processing Roles Clarification Form”.
- Manage International Transfers:
  - Identify whether personal data is transferred outside the EU/UK and document each such instance.
  - Plan for compliance using standard contractual clauses or other approved transfer mechanisms.
  - Template placeholder: “International Data Transfer Assessment Template”.