Businesses are required to do two things to meet the requirements of GDPR:
1. Design systems and processes to ensure the data they hold is secure.
2. Design systems and processes to ensure that the data is managed properly.
For many businesses Cyber Essentials will be a good starting point for ensuring the security of the data is maintained. The processes to ensure data is managed properly are a little more complex. Businesses will have to understand their data: know what data they hold, where they store it and why they store it. They will also need to understand the risks that holding such data could expose a data subject to, then put processes into place that reduce those risks. The IASME Governance Standard will not do this work for you, but it is a good way to demonstrate to customers, partners and regulators that you have done the work and take privacy seriously.
The Information Commissioner recommends 12 steps to prepare for GDPR. The IASME Governance Standard assesses all of the 12 elements, which cover:
1. Making the organisation aware
2. Understanding the information you hold
3. Privacy statements and policies
4. Managing individuals' rights
5. Managing subject access requests
6. Understanding the lawful basis for processing data
7. Requirements for consent
8. Requirements for children's data
9. Managing data breaches
10. Conducting Data Protection Impact Assessments
11. Need for a Data Protection Officer
12. International transfer of data