Get an overview of the data protection legislation and the principles for processing mentioned above.
Identify and classify the different categories of data that you plan to process. Identify in particular if you plan to process sensitive personal data.
Define a clear purpose for why you need to process personal data. A single category of personal data can be processed for several different purposes, and each purpose must be defined. According to the GDPR, the purpose must be specified, explicit and legitimate.
You must have a valid lawful basis in order to process personal data. There are six lawful bases for processing, listed in GDPR article 6. Processing sensitive personal data triggers additional requirements, so the separate conditions set out in GDPR article 9 also apply.
Individuals have the right to be informed about the collection and use of their personal data. You must provide individuals with information on how their personal data is processed, purposes for processing, retention periods, and who the data will be shared with.
Data protection by design and default
Appropriate technical and organisational measures to protect personal data shall be implemented from the design stage and throughout the product's lifecycle.
Data processing agreement
Any use of a processor to process personal data on your behalf requires you to enter into a data processing agreement with that processor, according to GDPR article 28.
Data protection impact assessment (DPIA)
A DPIA must be conducted where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals (GDPR article 35).
You need to be able to show that you have implemented GDPR-compliant policies and adhered to them. Internal audits can be a helpful tool to evaluate your organization's GDPR compliance.
You need to be able to show that you have mechanisms in place to document that you continuously evaluate your organization's GDPR compliance and efforts.
Prepare for a personal data breach and for how you, as a controller, will meet the requirements for handling it: notifying the supervisory authority according to GDPR article 33 and, where the breach is likely to result in a high risk to individuals, informing the affected individuals according to article 34.
Document your processing activities
Under GDPR article 30 you must maintain records of your processing activities, including the purposes of processing, the recipients the data is shared with, and the retention periods.