1. Prepare your organization:
Introduce stakeholders across your organization to the requirements of the GDPR. Conduct employee training in cyber security and in the Privacy by Design and Privacy by Default principles (GDPR Article 25). Appoint a Data Protection Officer (DPO) where Article 37 requires one: if you are a public authority, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if they involve large-scale processing of special categories of data or criminal conviction data. Note that the DPO obligation does not depend on headcount; the 250-employee threshold in the GDPR relates only to the Article 30 record-keeping exemption, and even small organizations may need a DPO depending on what they process.
2. Audit your data:
Make sure you know where all your data lives, who has access to it and on which devices and systems. Identify every place personal data is processed, including by third-party processors, and record it in a register of processing activities (GDPR Article 30). Document the lawful basis for each processing purpose (Article 6) and update your current privacy notices so they reflect what you actually do.
3. Audit service partners:
Make sure that service partners, e.g. third-party services embedded on your website or Software-as-a-Service providers, are also GDPR compliant and are bound by a written data processing agreement (GDPR Article 28). Where personal data leaves the EU/EEA, check that the destination country is covered by an adequacy decision or that an approved transfer mechanism such as Standard Contractual Clauses is in place (Chapter V). Review and map their international data flows, including any sub-processors they use.
4. Obtain consent:
Where consent is your lawful basis, implement methods for seeking, obtaining and recording it. Consent must be freely given, specific, informed and unambiguous, and pre-ticked boxes or inactivity do not count (GDPR Article 7 and Recital 32). Keep a clear record of what each individual data subject consented to, when and how, and give data subjects a way to withdraw or change consent that is as easy as giving it was.
5. Respond to data rights:
Implement procedures that enable your organization to respond to data subject rights requests, i.e. access, rectification, erasure, restriction of processing, data portability and objection (GDPR Articles 15 to 21), normally within one month of receipt (Article 12). Document how each right will be exercised and verified in both customer and employee contexts, including how you confirm the requester's identity before releasing data.
6. Prepare for data breaches:
Ensure that there are procedures in place to detect, investigate, contain and report personal data breaches so you can meet the GDPR's deadline of 72 hours from becoming aware of a breach for notifying the supervisory authority (Article 33). Where a breach is likely to result in a high risk to individuals, affected data subjects must also be informed without undue delay (Article 34). Keep an internal breach register for every incident, including those you decide not to report, and make sure your processors are contractually obliged to notify you of breaches without undue delay.