Templates
Implementing GDPR Regulation Mind Map
Get to grips with new GDPR regulation with this templates that talks you through its implentation.
Don’t have MindGenius installed? No problem, simply start your free trial today to be able to download and open.
1. HOW TO GUIDE
1.1. Get started quickly by reading our How to Guide for this template, available to view at this link
1.1.1. https://www.barvas.com/resources/how-to-guides/how-to-implement-gdpr-regulation/
2. Determine whether your organisation processes personal data as a “data controller” or “data processor”.
2.1. A controller determines the purposes and means of processing personal data
2.1.1. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
2.2. A processor is responsible for processing personal data on behalf of a controller
2.2.1. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
2.3. If GDPR is applicable to your business then complete the appropriate ICO checklist. Simply update status on the map by selecting not applicable, not yet, partially or successfully implemented to seamlessly create tasks to manage the key activities.
3. GDPR checklist for data controllers – Designed to help you, as a data controller, assess your high level compliance with data protection legislation.
3.1. Step 1: Lawfulness, fairness and transparency
3.1.1. Information you hold
3.1.1.1. Has your business conducted an information audit to map data flows?
3.1.1.1.1. Possible subtasks
3.1.1.1.1.1. Perform Information Audit
3.1.1.1.1.2. Identify and document risks
3.1.1.2. Has your business documented what personal data you hold, where it came from, who you share it with and what you do with it?
3.1.1.2.1. Possible subtasks
3.1.1.2.1.1. Maintain records of processing activities
3.1.1.2.1.2. Document information management procedures
3.1.2. Lawful bases for processing personal data
3.1.2.1. Has your business identified your lawful bases for processing and documenting them?
3.1.2.1.1. Possible subtasks
3.1.2.1.1.1. Identify and Document data processing types and lawful bases
3.1.3. Consent
3.1.3.1. Has your business reviewed how you ask for and record consent?
3.1.3.1.1. Possible subtasks
3.1.3.1.1.1. Identify, implement and document consent process
3.1.3.2. Has your business a system to record and manage ongoing consent?
3.1.3.2.1. Possible subtasks
3.1.3.2.1.1. Create system to record and manage ongoing consent
3.1.4. Consent to process children’s personal data for online services
3.1.4.1. If your business relies on consent to offer online services directly to children, have you systems in place to manage it
3.1.4.1.1. Possible subtasks
3.1.4.1.1.1. Implement and document systems to manage consent
3.1.5. Registration
3.1.5.1. Is your business currently registered with the Information Commissioner’s Office?
3.1.5.1.1. Possible subtasks
3.1.5.1.1.1. Register, or continue to register, with the ICO
3.2. Step 2: Individuals’ rights
3.2.1. Right to be informed including privacy notices
3.2.1.1. Has your business provided privacy notes to individuals?
3.2.1.1.1. Possible subtasks
3.2.1.1.1.1. Create privacy notice(s)
3.2.2. Communicate the processing of children’s personal data
3.2.2.1. If your business offers online services directly to children, do you communicate privacy information in a way that a child will understand?
3.2.2.1.1. Possible subtasks
3.2.2.1.1.1.1. Create child friendly privacy notice
3.2.3. Right of access
3.2.3.1. Has your business a process to recognise and respond to individuals’ requests to access their personal data?
3.2.3.1.1. Possible subtasks
3.2.3.1.1.1. Implement subject access request process
3.2.3.1.1.2. Provide training to staff
3.2.4. Right to rectification and data quality
3.2.4.1. Has your business a process that ensures that the personal data you hold remains accurate and up to date?
3.2.4.1.1. Possible subtasks
3.2.4.1.1.1. Implement processes to maintain data accuracy
3.2.5. Right to erasure including retention and disposal
3.2.5.1. Has your business a process to securely dispose of personal data that is no longer required or where an individual has asked you to erase it?
3.2.5.1.1. Possible subtasks
3.2.5.1.1.1. Implement processes for secure disposal of personal data
3.2.6. Right to restrict processing
3.2.6.1. Has your business procedures to respond to an individual’s request to restrict processing of their personal data?
3.2.6.1.1. Possible subtasks
3.2.6.1.1.1. Implement procedures to restrict processing of personal data
3.2.7. Right of data portability
3.2.7.1. Has your business processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability?
3.2.7.1.1. Possible subtasks
3.2.7.1.1.1. Implement processes for the movement, copying or transfer of personal data
3.2.8. Right to object
3.2.8.1. Has your business procedures to handle an individual’s objection to the processing of their personal data?
3.2.8.1.1. Possible subtasks
3.2.8.1.1.1. Implement procedures to handle objection to processing of personal data
3.2.8.1.1.2. Provide training to staff
3.2.9. Rights related to automated decision making including profiling
3.2.9.1. Has your business identified whether any of your processing operations constitute automated decision making and have procedures in place to deal with the requirements?
3.2.9.1.1. Possible subtasks
3.2.9.1.1.1. Implement procedures to deal with requirements regarding automated decision making
3.2.10. Step 3: Accountability and Governance
3.2.10.1. Accountability
3.2.10.1.1. Has your business an appropriate data protection policy?
3.2.10.1.1.1. Possible subtasks
3.2.10.1.1.1.1. Create a data protection policy
3.2.10.1.2. Does your business monitor your own compliance with data protection policies and regularly review the effectiveness of data handling and security controls?
3.2.10.1.2.1. Possible subtasks
3.2.10.1.2.1.1. Establish a monitoring process
3.2.10.2. Does your business provide data protection awareness training for all staff?
3.2.10.2.1. Possible subtasks
3.2.10.2.1.1. Provide training to staff
3.2.11. Data Processor Contracts
3.2.11.1. Does your business have a written contract with any data processors you use?
3.2.11.1.1. Possible subtasks
3.2.11.1.1.1. Create written contract for processors
3.2.12. Information Risks
3.2.12.1. Does your business manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively?
3.2.12.1.1. Possible subtasks
3.2.12.1.1.1. Establish policies and procedures to manage information risks
3.2.13. Data Protection by Design
3.2.13.1. Has your business implemented appropriate technical and organisational measures to integrate data protection into your processing activities?
3.2.13.1.1. Possible subtasks
3.2.13.1.1.1. Implement appropriate measures to integrate data protection into processing activities
3.2.14. Data Protection Impact Assessments (DPIA)
3.2.14.1. Does your business understand when you must conduct a DPIA and have processes in place to action this?
3.2.14.1.1. Possible subtasks
3.2.14.1.1.1. Establish DPIA policy and procedures
3.2.14.2. Does your business have a DPIA framework which links to your existing risk management and project management processes?
3.2.14.2.1. Possible subtasks
3.2.14.2.1.1.1. Link DPIA framework to risk management and project management processes
3.2.15. Data Protection Officer
3.2.15.1. Does your business have a nominated data protection lead or Data Protection Officer (DPO)?
3.2.15.1.1. Possible subtasks
3.2.15.1.1.1. Nominate a data protection lead or Data Protection Officer (DPO)
3.2.16. Management Responsibility
3.2.16.1. Do decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business?
3.2.16.1.1. Possible subtasks
3.2.16.1.1.1. Demonstrate management support for data protection legislation
3.3. Step 4: Data security, international transfers and breaches
3.3.1. 4.1 Security Policy
3.3.1.1. Has your business an information security policy supported by appropriate security measures?
3.3.1.1.1. Possible subtasks
3.3.1.1.1.1. Develop, implement and communicate an information security policy
3.3.2. 4.2 International Transfers
3.3.2.1. Does your business ensure an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area?
3.3.2.1.1. Possible subtasks
3.3.2.1.1.1. Identify and document the process for the protection of personal data transferred outside of the European Economic Area
3.3.3. 4.3 Breach Notification
3.3.3.1. Has your business effective processes to identify, report, manage and resolve any personal data breaches?
3.3.3.1.1. Possible subtasks
3.3.3.1.1.1. Implement processes to identify, report, manage and resolve any personal data breaches
4. GDPR checklist for data processors – Designed to help you understand and assess your high level compliance with data protection legislation
4.1. Step 1: Documentaion
4.1.1. Information You Hold
4.1.1.1. Has your business conducted an information audit to map data flows?
4.1.1.1.1. Possible subtasks
4.1.1.1.1.1. Perform Information Audit
4.1.1.1.1.2. Identify and document risks
4.1.1.2. Has your business documented what personal data you hold, where it came from, who you share it with and what you do with it?
4.1.1.2.1. Possible subtasks
4.1.1.2.1.1. Maintain records of processing activities
4.1.1.2.1.2. Document information management procedures
4.2. Step 2: Accountability and Governance
4.2.1. 2.1 Accountability
4.2.1.1. Has your business an appropriate data protection policy?
4.2.1.1.1. Possible subtasks
4.2.1.1.1.1. Create a data protection policy
4.2.2. 2.2 Data Protection Officer
4.2.2.1. Does your business have a nominated data protection lead or Data Protection Officer (DPO)?
4.2.2.2. Possible subtasks
4.2.2.2.1. Nominate a data protection lead or Data Protection Officer (DPO)
4.2.3. 2.3 Management Responsibility
4.2.3.1. Do decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business?
4.2.3.1.1. Possible subtasks
4.2.3.1.1.1. Demonstrate management support for data protection legislation
4.2.4. 2.4 Information risks and data protection impact assessments
4.2.4.1. Does your business manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively?
4.2.4.1.1. Possible subtasks
4.2.4.1.1.1. Establish policies and procedures to manage information risks
4.2.5. 2.5 Data Protection by Design
4.2.5.1. Has your business implemented appropriate technical and organisational measures to integrate data protection into your processing activities?
4.2.5.1.1. Possible subtasks
4.2.5.1.1.1. Implement appropriate measures to integrate data protection into processing activities
4.2.6. 2.6 Training and Awareness
4.2.6.1. Does your business provide data protection awareness training for all staff?
4.2.6.1.1. Possible subtasks
4.2.6.1.1.1. Provide training to staff
4.2.7. 2.7 The use of sub-processors
4.2.7.1. Has your business sought prior written authorisation from the data controller before engaging the services of a sub-processor
4.2.7.1.1. Possible subtasks
4.2.7.1.1.1. Seek written authorisation
4.2.8. 2.8 Operational Base
4.2.8.1. If your business operates outside the EU, have you appointed a representative within the EU in writing?
4.2.8.1.1. Possible subtasks
4.2.8.1.1.1. Appoint a representative within the EU
4.2.9. 2.9 Breach Notification
4.2.9.1. Has your business effective processes to identify, report, manage and resolve any personal data breaches?
4.2.9.1.1. Possible subtasks
4.2.9.1.1.1. Implement processes to identify, report, manage and resolve any personal data breaches
4.3. Step 3: Data Security
4.3.1. 3.1 Right of Access
4.3.1.1. Has your business a process to respond to a data controllers request for information (following an individuals’ request to access their personal data)?
4.3.1.1.1. Possible subtasks
4.3.1.1.1.1. Implement subject access request process
4.3.1.1.1.2. Provide training to staff
4.3.2. 3.2 Right to rectification and data quality
4.3.2.1. Has your business a process that ensures that the personal data you hold remains accurate and up to date?
4.3.2.1.1. Possible subtasks
4.3.2.1.1.1. Implement processes to maintain data accuracy
4.3.3. 3.3 Right to erasure including retention and disposal
4.3.3.1. Has your business a process to routinely and securely dispose of personal data that is no longer required in line with agreed timescales as stated within your contract with the data controller?
4.3.3.1.1. Possible subtasks
4.3.3.1.1.1. Implement processes for secure disposal of personal data
4.3.4. 3.4 Right to restrict processing
4.3.4.1. Has your business procedures to respond to a data controllers’ request to supress the processing of specific personal data?
4.3.4.1.1. Possible subtasks
4.3.4.1.1.1. Implement processes to restrict processing of personal data
4.4. 3.5 Right of data portability
4.4.1. Has your business a process to respond to a request from the data controller for the supply of the personal data you process in an electronic format?
4.4.1.1. Possible subtasks
4.4.1.1.1. Implement process to respond to a request from the data controller for supply of personal data in an electronic format
4.5. Step 4 Data Security
4.5.1. Has your business an information security policy supported by appropriate security measures?
4.5.1.1. Possible subtasks
4.5.1.1.1. Develop, implement and communicate an information security policy
