Preparing for GDPR self-attestation


Preparing for GDPR

Preparing for a self-attestation of GDPR is made easy with TrustCloud! The preparation process is the same as when preparing to meet any other compliance requirement.
Please ensure that you have read the “GDPR – Overview and Guides” article to understand the basic concepts of this regulation.

Here is the full GDPR regulation at GDPR.EU.

The people

After you have made the decision to comply with GDPR, here is something to keep in mind when drafting your preparation strategy. Create a task force of employees from the quality and IT teams, with support from team members familiar enough with your technical systems. Having an executive or manager who owns this process together with the team is also beneficial.

The GDPR process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for an audit. You should account for a loss in productivity and ensure you are staffed accordingly.

The Process

The process can be broken down into the following nine steps:

  1. Step 1: Prepare for your GDPR project plan.
    This includes creating a project plan to implement GDPR, including the right stakeholders, and conducting a readiness assessment.
  2. Step 2: Define your Personal Data Policy and other documents.
    This includes creating an internal Data Protection Policy for personal data and other top-level policies, such as the Data Retention Policy. You can assign a Data Protection Officer to make decisions; make sure the decision is documented, and communicate their name to the Supervisory Authority.
  3. Step 3: List your processing activities.
    List your processing activities and their mapping to legitimate purposes defined in the GDPR. Make sure your organization has published the necessary privacy notices for data subjects.
  4. Step 4: Define an approach to managing data subject rights.
    Data subjects can provide consent and request access to their information.
    Your organization needs to keep a record of data subject rights requests. You also need to define and implement data subject rights, establishing a legal basis for each processing activity.
  5. Step 5: Implement a Data Protection Impact Assessment (DPIA).
    You need to conduct a DPIA when starting a new project or implementing a change to your information systems or a product.
  6. Step 6: Secure personal data transfers.
    This includes analyzing what personal data is being transferred outside of your organization and when it is being transferred. You need to take the necessary legal and security measures to protect personal data whenever it is transferred outside of the organization.
  7. Step 7: Amend third-party contracts.
    You need to update any third-party contracts that include the processing of personal data to be compliant with the GDPR.
  8. Step 8: Ensure the security of personal and sensitive data.
    This includes implementing the necessary organizational and technical measures to protect the personal data of data subjects.
  9. Step 9: Define how to handle data breaches.
    You need to set up processes to identify and handle personal data breaches.
    In the case of a personal data breach, you need to notify the supervisory authority and the affected data subjects where this is required.

NOTE: After conducting a readiness assessment, you may find that you do not need to execute all of the steps above if you already have proper privacy protection in place. In any case, make sure you have implemented all the steps that are relevant to your organization.

Prepare materials

In this step, create a list of controls and policies to adopt, gather required evidence and artifacts, document all necessary procedures, and provide adequate training to your team. To help you achieve this, TrustCloud’s TrustOps application automates much of this process and automatically maps your controls to the GDPR framework to assess your systems, policies, and procedures.

Complete an internal review, self-attest or call your auditor

Conduct a thorough internal review to ensure that you are meeting all requirements. The internal audit review analyzes your gaps against your GDPR obligations (as well as other compliance standards such as HIPAA) and can be used as your self-assessment.

You can later find an external auditor to conduct a thorough audit of your GDPR compliance.

Adopt and maintain compliance with GDPR with TrustCloud so you can show customers and prospects that you are serious about privacy. TrustCloud helps you achieve and maintain compliance with confidence as you grow.
