GDPR Compliance: 12-Step Process
Stage 1 - Awareness
Key Considerations: Ensure all key personnel understand GDPR implications.
Stage 2 - Information You Hold
Documentation: Document data sources, sharing, and accuracy for accountability.
Stage 3 - Communicating Privacy Information
Review Notices: Review and update privacy notices for GDPR compliance.
Stage 4 - Individuals' Rights
Procedures: Ensure procedures cover individual rights, including data deletion and format provision.
Main Rights: Subject access, correction of inaccuracies, data erasure, prevention of direct marketing, prevention of automated decision making.
Stage 5 - Subject Access Requests
Changes: Be aware of changes to subject access request rules under GDPR.
Handling: Handle requests promptly within the one-month timeframe.
Refusal Criteria: Manifestly unfounded or excessive requests can be charged for or refused.
Stage 6 - Legal Basis for Processing Personal Data
Identify: Identify and document legal basis for data processing activities.
Privacy Notice: Explain legal basis in privacy notices and responses to access requests.