What do I need to consider in becoming GDPR compliant

This is not an exhaustive list of considerations, but rather key aspects of obligations under GDPR.

  • Review whether you have the proper consent and disclosures in place when you collect and process information.
  • Conduct Data Protection Impact Assessments (DPIA).
  • Ensure that your network security is designed and applied in a way that considers the sensitivity and nature of information processed.
  • Ensure the proper data protection processes and policies are in place. For example:
    • Physical data security controls.
    • Data protection training for employees.
    • A proper data security incident response plan.
    • Protocols for third-party vendors such as cloud service providers, sub-contractors, etc.
  • Internal processes for handling individuals’ GDPR data requests.
  • A GDPR-compliant vendor management program.
  • Ensure your incident response plan is GDPR compliant.