As a CEO Do You Understand Your Organisation’s Privacy Obligations?


CEOs are responsible for meeting data privacy obligations which includes managing data risks and ensuring the strategy for data compliance is fit for purpose.

 Gravicus recommend taking a step back to approach data protection with a fresh approach rather than trying to do it the way you always have as its highly likely this will no longer be suitable once GDPR comes into play.

Ask yourself these 12 key questions to develop a business specific data management plan to help your organisation get GDPR ready: 

  1. Obligations - Do I understand my organisation’s privacy obligations, risks and is our data compliance strategy fit for purpose?
  2. Impact - Do I understand the impact GDPR will have on the organisation and are all Data Processors (DPs) fully educated to understand their responsibilities for fulfilling the requirements?
  3. Data Protection Impact Assessments (DPIAs) - Have we undertaken an initial DPIA as a starting point for GDPR, and are we undertaking these on a regular basis and/or as and when required?
  4. Decision-making - Am I making sound decisions and plans regarding technology and business initiatives that include personally identifiable information (PII) e.g. customers, suppliers, employees…?
  5. Personally Identifiable Information (PII) - Do I have a clear view of what personal information we process, who is processing it, where it is kept and the purpose for which the data is used?
  6. Increased rights for data subjects - Is there an appreciation of the fact that data subjects/individuals will have increased rights and can make requests against the data we hold on them?
  7. Consents - Do we have the required consents from data subjects/individuals to hold and process their data?
  8. Transparency - Are we clear and transparent with our privacy notices, contracts etc?
  9. Data management - Do I have data correction, withdrawal, transfer, processing and compensation measures and processes in place that are fully transparent internally and externally?
  10. Suppliers - Do I monitor internal and third-party supplier data compliance, privacy and security to protect my organisation?
  11. Processes - Am I confident that my organisation has the processes in place to foresee a breach and manage this in accordance with GDPR requirements?
  12. Resources - Do I need a Data Protection Officer (DPO)?


Sign-up to Gravicus Osprey to gain access to data management tools and resources.


Telephone: 0203 858 0636

Email:  info@  



Simple and smart data management