GDPR Compliance Roadmap
The processing of personal data is regulated in the EU by the General Data Protection Regulation (GDPR).
In the UK, the Data Protection Act 2018 sits alongside a retained version of the EU GDPR, now called the UK GDPR.
It is likely the most complex regulation your staff face at work, and the financial penalties for breaches can be ruinous.
Companies face fines of up to €20 million or 4% of global annual turnover, whichever is higher (under the UK GDPR, up to £17.5 million or 4% of global annual turnover).
So it is critical to educate and support your staff fully to comply with this regime.
If you need help implementing your GDPR roadmap, we can suggest practical solutions.
The GDPR is one of the most detailed regulations, with rules covering every aspect of data processing.
To comply, you need to ensure that your staff are aware of your legal basis for processing, the rights of your data subjects (including access requests), your technical and organisational security measures, and so on.
Proper consent for data collection must be obtained if consent is your legal basis. Data Subject Access Requests must be dealt with promptly (normally within one month of receipt), and personal data must be retained no longer than necessary.
You may have implemented some one-off measures such as preparing the policies and training your staff. However, to fully comply and protect your company against costly breaches, you should consider a comprehensive set of ongoing measures to prepare and support your employees.
In the UK, the Information Commissioner's Office (ICO) has provided checklists for data controllers and processors that should be the basis for your GDPR compliance roadmap. In general, you should consider the following steps to maintain your GDPR readiness:
- Step 1: Prepare data protection policies and procedures and ensure they are communicated to and attested to by employees and relevant sub-processors.
- Step 2: Train your employees on the GDPR rules and how they apply to your company and their roles.
- Step 3: Keep records of data processing activities for GDPR Article 30 compliance.
- Step 4: Offer an easily accessible breach register for your staff to report any actual or suspected breaches or near misses.
- Step 5: Obtain compliance declarations from your third-party sub-processors to ensure that your supply chain is aligned with your internal data protection standards.
- Step 6: Conduct anonymous staff surveys to uncover deficiencies in your internal controls and external threats to continuously improve your data protection policies and procedures.
Policy Attestations
Compliance with the GDPR and the DPA starts with good corporate policies covering all aspects of data processing and information security - everything from data collection and retention periods to access control and the use of passwords.
But the policies don't work unless you ensure that they are communicated to all staff, including new hires promptly after they join your company. Ideally, you should ask all affected employees to affirm that they understand and agree to abide by these policies and the associated systems and procedures.
With Skillcast's online Policy Hub, your employees can regularly review and attest to all the relevant policies in a timely and efficient manner, and you can evidence this to regulators and authorities when required.
See our Policy Hub in action
GDPR Training
Adopting the policies is the first step, but effectively communicating them to your employees secures the required behavioural change.
Your staff need to understand your rules for processing and protecting personal data.
Skillcast offers a range of data protection courses to educate your staff and experts:
Browse all of our data protection (GDPR) courses
Breach Reporting
Your company must report certain personal data breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. You must also record every personal data breach, regardless of whether its severity warrants notifying the ICO.
Under the UK GDPR, failing to report a notifiable breach within the allowable time falls into the lower tier of fines, which can reach up to £8.7 million or 2% of global annual turnover, whichever is higher.
Organisations must have a robust breach-reporting process to detect and notify breaches on time and provide necessary details.
With a Skillcast Compliance Register, you can run this workflow efficiently and analyse the data over time to ensure compliance with the requirements of the GDPR.
Read more about our Compliance Registers
Third-party Due Diligence
You may need third parties to complete disclosures or declarations regarding compliance with the GDPR and DPA.
Using email or paper-based processes is slow, inefficient and creates unnecessary duplication.
Using the Skillcast online Compliance Declarations will help you to streamline the collection, analysis and management of due diligence for associated persons outside your organisation.

Staff Surveys
Your employees and managers are your first line of defence against data breaches, and their knowledge about the effectiveness of your data protection and compliance procedures is crucial.
Conducting periodic staff surveys can tell you much about your data protection risks and deficiencies in training, procedures, record-keeping and any lack of clear policies and procedures. To maximise the utility of such surveys, you need to make them anonymous so that your employees can speak freely about sensitive topics.
The Skillcast Compliance Survey Tool can help you conduct robust, anonymous staff surveys that ensure the widest coverage and enable employees to give feedback to you in confidence.
Find out more about our Compliance Surveys tool
Best Practices in Data Protection
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.
Top 10 Frequently Asked Questions About GDPR
Whistle-stop answers to the who, how, what, where and when of GDPR.
Conducting a GDPR Compliance Audit
An audit of your GDPR procedures and controls will allow you to benchmark your existing activities and remedy any gaps to ensure regulatory compliance.
GDPR for Small Businesses
The GDPR is a big risk for small businesses because the fines for non-compliance can be so large as to cause liquidation.
How will Brexit affect GDPR?
Now that the UK has left the European Union, what will the implications be for the GDPR? Will anything change? We answer your most frequently asked questions.
Data Subject Access Request Fees
Under GDPR, the way to deal with data subject access requests changed. How can you manage them effectively while remaining compliant?
How to Manage Data Subject Requests
GDPR & Age of Consent
Legal Basis for Data Processing under GDPR
There are six legal bases for processing as set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data.
Six Legal Bases for Processing Data
GDPR Compliance Tips when Sharing Data
Before you transfer personal data to other organisations, especially outside the EEA, you need to stop to think about the GDPR implications.
GDPR Compliance Tips for Sharing Data
GDPR & Safeguarding Vulnerable Adults
The volume and sensitivity of the data that companies hold on vulnerable data subjects may far exceed original expectations, which is why you need to assess its impact.
Why you Need a Data Protection Officer
How to Protect Health Data under GDPR
Health data security is in the spotlight, as public confidence has slumped after high-profile data breaches in the UK and basic data processing errors.
Data Protection in Times of Disruption
GDPR compliance becomes more challenging than ever during times of disruption. To maintain data protection compliance, you will need to focus and prioritise.
Data Protection During Disruption
What Factors Affect GDPR Fines?
To help you understand how these factors are applied, we have assessed each area in the context of the now-infamous Facebook data breach.
Experience the Skillcast difference with a free demo
See first-hand how we help you take control of compliance using our roadmaps. By booking a demo, you can experience the Skillcast Portal, our courses and materials, and learn about your bespoke and customisation options. If you’re ready to book your demo with us, complete the form today.
Our frequently asked questions
Data Protection (GDPR)
Common FAQs
Where can I track incidents involving personal data?
How can I ensure that employees formally attest to our internal Data Protection Policy?
Are the courses SCORM-compliant?
What other tools are needed beyond training?
Can users only view the courses assigned to them?