- Can you please suggest what would be the best way to start with that?
- What information do we need to include in our Inventory?
- How much time do you think it will take to implement the basics?
- Is there a list of documents which are mandatory?
- Do you think we need to have a DPO?
1. We are a small company and we have just now started working on our compliance program. Can you please suggest what would be the best way to start with that?
The best way to start is to do an internal assessment and determine which are the areas you need to address first. I suggest using this EU GDPR Readiness Assessment Tool (https://advisera.com/eugdpracademy/eu-gdpr-readiness-assessment-tool/) to get an idea of where you are currently standing.
2. What information do we need to include in our Inventory?
The information to be included in the Inventory of processing activities is described in art. 30 of the GDPR. You can find a readily available template for such an inventory as a part of our GDPR Data Mapping & DPIA Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/).
3. How much time do you think it will take to implement the basics?
You can use this EU GDPR Compliance Duration Calculator (https://advisera.com/eugdpracademy/free-tools/) to get an estimate on the time needed to become compliant.
4. Is there a list of documents which are mandatory?
You can find on our website at https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ a list of documents you can download. The mandatory documents are marked in the list.
5. Do you think we need to have a DPO?
This depends on your activities. You need to appoint a DPO if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR.
Nov 12, 2019