• Develop a detailed Annual Data Protection Plan. All assessment areas will be subject to a risk assessment to determine frequency of assessment and application of resources.
  • Data Process Mapping is vital to the embedding. Under this stage, the work done at stage 1 will be further extended to document each individual process, what personal data is collected, for what purpose and how it is used.
  • Develop a detailed process flow register, stakeholder register, personal data register and supplier / vendor register.
  • Risk Assessment on Vendors / Suppliers – determine which vendors are Data Processors and what processes they are undertaking on behalf of the organisation.
  • Information Technology Data Protection assessment programme to determine any underlying risks to the organisation.
  • Develop a Data Protection Specific Risk Register and complete risk assessments on identified risks. In conjunction with the Risk Management Officer, develop treatments for risks outside of risk appetite.
  • Policy Review and Application – assess adherence to developed data protection / privacy policies. Make recommendations for improvement where applicable.
  • Continuous Training and Awareness – as the regulations and guidance develop, it will be important that all stakeholders within the organisation stay abreast of new developments in Data Protection and their responsibilities.
  • The role of the DPO is to ensure compliance with the Regulations. It is envisaged that the applicable articles will be tested throughout the year for compliance purposes.

Stage 3 – GDPR Monitoring