The home page is the starting point for working through all of the tasks required to become GDPR compliant. It is generally accepted that it is impossible to become 100% compliant because of all the possible interactions between stakeholders, processes and systems within the privacy network. However, following this framework will ensure that you are, with best endeavour, trying to work within the guidelines set out by the GDPR articles.
The steps listed on the home page give you a simple view of how much of the framework you have completed. Because GDPR defines ongoing review, maintenance and improvement, you should plan to revisit each of the framework sections on a regular basis, assessing how you are performing and implementing improvements as you manage the GDPR process over the organisation's lifetime.
If you are new to GDPR Software, the best way to get started is to follow the Getting Started sections on the home page. Start from Step 1 and select the Show Me More button to expand the section. You will also find additional guidance notes and summary progress information to guide you through each of the stages.
There are 6 steps to follow:
Step 1: Create lists of items that reflect your organisation's structure and operating processes.
Select the Lists menu item above and fill out all of the lists before proceeding. You can always go back and amend the lists later if you need to. If you need to see some examples to get you started, use the Load Sample Data button; this will load a list of generic items that you can tailor to make your own. Most items will need customising to fit your business. Look for entries surrounded by square brackets, e.g. [Assign me]; they will all need reviewing and configuring. Once you have customised all lists, this stage will be complete. To help you customise the sample documents, policies, procedures, etc., you can configure the Document Auto Fill list, for example by entering your company name for the entry [COMPANY NAME]. Once you have configured all of the auto fill entries, you can use the button below to auto fill any documents that require that data, e.g. replacing [COMPANY NAME] with your real company name.
NOTE: Before you can customise your Data Types list you will normally have to carry out at least one Data Mapping Assessment which is accessed from the Dashboard (Stage 2 Records of Processing Activities and Data Transfers - Section 1 Personal Data Records).
Step 2: Initial assessment of where you are, work through all of the stages of the framework.
The Dashboard, accessed using the Dashboard menu option, shows you all of the key stages to be completed to become GDPR-ready. Each stage has a number of sections to complete. At this stage, simply answer Yes, No or Not Sure for each section. If you answer Yes, make sure there is evidence to demonstrate it by filling out the Justification/Notes section, describing why the answer is Yes and linking any documents or assessments that are part of the evidence. Once you have completed all Yes sections, you can start working on the sections that you answered No or Not Sure, putting in place the relevant documentation, processes or actions to start demonstrating compliance. Within each section you must provide evidence to demonstrate that you are working towards GDPR for that section. Evidence can be demonstrated in many ways, for example by selecting a related Document, creating an Assessment, creating an Action, etc. Throughout the process you can see examples by using the Load Sample Data button; this will load generic items you can use to get you started.
Step 3: Carry out some initial Data Mapping Assessments to identify Data Types.
The Assessments menu option allows you to create different types of Assessments (Risk, Data, GAP, Supplier, etc.). In order to complete the Data Types list you need to look across the whole of the Privacy Network (Internal and External) identifying:
Load Sample Data within Stage 2 Records of Processing Activities and Data Transfers - Section 1 Personal Data Records provides a template to carry out that study. At the end of these Assessments you should have answered all of the questions above. You can then delete the Data Types that are not being collected from the Data Type List and proceed to the next step.
Step 4: Complete your GDPR framework and become compliant.
Once you have carried out the initial assessment in step 3 above, you will have answered all of the questions. Any that you answered No or Not Sure will appear below. For each section that you have not answered Yes, go back to that section and start to put in place Assessments, Documents and Actions so that you can provide evidence and a justification to finally answer the section as Yes. Once that section has a Yes it will disappear from this list.
Step 5: Create an Action Plan to manage and monitor your GDPR framework.
Every single section within the framework should have an outstanding action; as a minimum, it should be reviewed regularly. The frequency of review will depend on the dynamics and data use of your organisation. For example, if you are subjected to frequent data breaches or requests for data records, then processes or policies will dictate how to respond. For organisations that have significant data use, a review period of 6 months might be applicable; otherwise an annual review should be adequate. The table below shows whether you have outstanding GDPR Review actions. If not, you can create these actions automatically, but they will need to be manually assigned and can then optionally be emailed out.
Step 6: Manage and review your GDPR framework to maintain and improve compliance.
Once you have your GDPR system in place you need to proactively manage and improve on implementing the guidelines. The Review Actions you set up and other ongoing actions need to be completed in a timely manner. The Data Registers need managing, and you should be aiming to close out entries in a timely manner in line with your procedures. The table below is an overview of how all actions and register entries are performing.