Develop a detailed Annual Data Protection Plan. All assessment areas will be subject to a risk assessment to determine frequency of assessment and application of resources.
Data Process Mapping is vital to the embedding. Under this stage the work done at stage 1 will be further extended to document each individual process, what personal data is collected, for what purpose and how it is used.
Develop a detailed process flow register, stakeholder register, personal data register and supplier / vendor register.
Risk Assessment on Vendors / Suppliers – determine which vendors are Data Processors and which processes they are undertaking on behalf of the organisation.
Information Technology Data Protection assessment programme to determine any underlying risks to the organisation.
Develop a Data Protection Specific Risk Register and complete risk assessments on identified risks. In conjunction with the Risk Management Officer, develop treatments for risks outside of risk appetite.
Policy Review and Application – assess adherence to developed data protection / privacy policies. Make recommendations for improvement where applicable.
Continuous Training and Awareness – as the regulations and guidance develop, it will be important that all stakeholders within the organisation stay abreast of new developments in Data Protection and their responsibilities.
The role of the DPO is to ensure compliance with the Regulations. It is envisaged that the applicable articles will be tested throughout the year for compliance purposes.