- Develop a detailed Annual Data Protection Plan. All assessment areas will be subject to a risk assessment to determine frequency of assessment and application of resources.
- Data Process Mapping is vital to embedding the programme. Under this stage the work done at stage 1 will be extended to document each individual process, what personal data is collected, for what purpose, and how it is used.
- Develop a detailed process flow register, stakeholder register, personal data register, and supplier / vendor register.
- Risk Assessment on Vendors / Suppliers – determine which vendors are Data Processors and what processes they are undertaking on behalf of the organisation.
- Run an Information Technology Data Protection assessment programme to identify any underlying risks to the organisation.
- Develop Data Protection Specific Risk Register and complete risk assessments on identified risks. In conjunction with the Risk Management Officer develop treatments for risks outside of risk appetite.
- Policy Review and Application – assess adherence to the developed data protection / privacy policies. Make recommendations for improvement where applicable.
- Continuous Training and Awareness – as the regulations and guidance develop, it will be important that all stakeholders within the organisation stay abreast of new developments in Data Protection and of their responsibilities.
- The role of the DPO is to ensure compliance with the Regulations. It is envisaged that the applicable articles will be tested throughout the year for compliance purposes.
Stage 3 – GDPR Monitoring