We've spent the last eight or so months planning and preparing for the GDPR. We've found it confusing at times and it has cost us quite a bit in terms of time and money.


Whilst at first it seemed a pain in the backside, we soon realised the benefits. Primarily: who wants to deal with a business that doesn't take your personal data seriously?


Our first goal was to try and understand, as best we could with the limited knowledge available at the time, what the GDPR meant for us and what we had to do to become compliant. The second goal was to see how and where we could help our customers.


So we all started by reading the GDPR final paper and the ICO Bill (and made notes), and we all got a headache! We read the ICO website but it didn't contain much useful information and was very complicated. However, the ICO website has been getting much better day by day since the turn of the year. The website is now easier to navigate and the content has improved. They've also updated their checklists and assessments and, more recently, have added some toolkits too.


With limited resources and lots of misleading information, we decided to take the following steps:-

  1. Attended the GDPR.Summit in London
  2. Achieved Cyber Essentials Accreditation
  3. Stuart and Rachel passed the GDPR.Summit certification
  4. Attended several GDPR seminars and online webinars
  5. Purchased books from IT Governance and others - we found these quite useful
  6. Trawled the web covering over 100 websites reading and comparing articles and resources
  7. Tested software and templates
  8. Reviewed and tested software to track GDPR compliance as well as ISO 27001 compliance
  9. Attended another seminar hosted by a law firm in Milton Keynes (EMW) in April 2018 - this was extremely helpful
  10. Passed exams for Draytek Certification - which helps with our firewall protection and security


With plenty of knowledge behind us, we needed to start the process of reviewing our systems, updating policies and procedures, training staff, checking supplier status and making any necessary changes to our systems. We had several options at this stage:-


  1. Purchase a dedicated software program
    We have partnered with a provider that can help achieve GDPR compliance and ISO 27001 compliance. Through Cambridge Helpdesk you can get a discount on their software. The biggest benefit is that right from the off it completes 77% of the steps for you. For large companies, or companies looking at ISO 27001 (and other ISO standards), it's pretty much a no-brainer.
  2. Purchase some Excel templates
    There are templates available now but we found them quite complicated. The best ones we found cost £500, but this was a one-off. If you would like to know where to get these please give us a call.
  3. Use our existing documentation system
    We have an excellent documentation system at Cambridge Helpdesk, so it made sense for us to use this. We can check when staff have read articles and completed any tests, we can easily update sections and keep track of changes, and all the data is secured by password and MFA (Multi-Factor Authentication).


Having decided to track our GDPR compliance in our documentation system, we created a 10 point checklist. There are lots of checklists out there: some are 7 steps, some are 10, some are 12. Basically it just depends on how you categorise certain sections of the GDPR against your own internal systems. Here's our '10 Step checklist':-


Step 0 - Start Here/Prep work
  1. Learn/Read/Explore
  2. Decide where to store our documentation
  3. Complete the ICO's checklists

Step 1 - Appoint a DPO
  1. Appoint/Assign a DPO

Step 2 - Data Audit
  1. Review all areas where we store data and categorise all data

Step 3 - Data Map
  1. List how we obtain data and where we store it (create data flow charts)
  2. Prepare a Risk Register

Step 4 - Security
  1. Attain Cyber Essentials Accreditation
  2. Create a scheduled task to check security measures and systems (e.g. test, review and log the implemented measures on a regular basis)

Step 5 - Privacy Notices
  1. Define the legal basis for processing certain data
  2. Define Data Subject Rights
  3. Define the Data Subject Access Request (DSAR) procedure
  4. Define Data Subject Consent forms

Step 6 - Policies
  1. Review and update our Personal Data Protection Policy
  2. Review and update our Employee Personal Data Protection Policy
  3. Review and update our Data Retention Policy

Step 7 - Training
  1. Create a training plan for GDPR
  2. Create a training plan for Security Awareness
  3. Record who has had training and when
  4. Create a test/quiz for staff to complete and record the results

Step 8 - Privacy Impact Assessment (PIA)
  1. Carry out a Privacy Impact Assessment on the data we hold/process

Step 9 - Data Breach
  1. Establish a process to evaluate a data breach, and to notify the Supervisory Authority (ICO) and data subjects
  2. Establish a process to respond to a data breach
  3. Maintain a record of all data breaches

Step 10 - Third Parties
  1. List all third party suppliers
  2. Identify suppliers that process personal data on our behalf (data processors)
  3. Identify suppliers outside of the European Economic Area (EEA)
  4. Confirm that all third party suppliers conform to the GDPR
  5. Prepare, and where possible sign, agreements with data processors to ensure they will act on our instructions and will comply with the EU GDPR