Businesses are required to do two things to meet the requirements of GDPR:
1. Design systems and processes to ensure the data they hold is secure.
2. Design systems and processes to ensure that the data is managed properly.
For many businesses Cyber Essentials will be a good starting point to ensure the security of the data is maintained. The processes to ensure data is managed properly are a little more complex. Businesses will have to understand their data: know what data they hold, where they store it and why they store it. They will also need to understand the risks that holding such data could expose a data subject to, then put processes into place that reduce this risk. The IASME Governance Standard will not do this work for you, but it is a great way to demonstrate to all that you have done the work and take privacy seriously.
The Information Commissioner recommends 12 steps to prepare for GDPR. The IASME Governance Standard assesses all of the 12 elements, which cover:
2. Information you hold
5. Subject Access Requests
6. Lawful basis for processing
9. Data Breaches
10. Data Protection by Design and Data Protection Impact Assessment
11. Data Protection Officer