The introduction of the accountability principle under the GDPR means that not only do organizations have to comply with the GDPR but they also have to be able to demonstrate compliance. This includes keeping up-to-date records of processing activities and sharing these records with data protection authorities upon request.
During this phase a series of policies, procedures and checklists will be developed to form a “Personal Information Management System (PIMS)” contained in a single manual. The PIMS is developed to provide compliance with the documented aspects of the Regulation and includes:
- Organization structure for data protection, job descriptions and responsibilities of key personnel, such as Data Protection Officer, Controllers and processors.
- Necessary Policies, such as Data Protection and Security Policy, GDPR Training Policy, Privacy Policy, Consent policy etc.
- Necessary procedures, such as Consent procedures, withdrawal of consent, retention periods of records, breach of GDPR, destruction of all records after the retention period, pseudonymization etc.
- Records and checklists required for the implementation of the system.
- Basic mapping of flow of data, together with necessary safeguards for compliance with GDPR.
During the above process, necessary amendments to existing procedures and records kept (such as third-party contracts, employment agreements etc.) are highlighted and guidance is provided for their amendments.