With fewer than 200 days to go to May 25 2018, the GDPR clock is ticking ever more loudly. Protecting personal data is nothing new and has long been regarded as an important tenet of responsible business management. However, while the core principles of the General Data Protection Regulation are similar to those of the Data Protection Act, the obligations and practical application of the law require a more rigorous data management regime.
Much of what needs to be done now focuses on understanding the data organisations hold and strengthening current procedures around the processing of that information.
Accountability and governance are what most companies are paying attention to initially. Under the new legislation, businesses must be able to demonstrate that they comply with the new principles: do they know what personal data they hold? What is the purpose? Has consent been given? Is it accurate? Is it securely held?
GoodCorporation has been working with clients to help review and assess current data protection procedures using our Data Protection Framework. We have worked on risk mapping, policy and procedure reviews, staff awareness assessments as well as designing communication, training and monitoring programmes.
From the work that we have carried out to-date, we have identified ten key steps that are essential to robust GDPR compliance.
Demonstrating management commitment
Senior management must take the lead in making sure good data protection practices are embedded in their organisations. When all senior staff are engaged with and well informed about data protection, and don’t just consider it a matter for legal or for IT, cascading the policies and procedures down to the whole organisation will be much more effective.
One of the key new elements introduced by the GDPR is the concept of ensuring ‘privacy by design and default’. Assessing this throughout the lifecycle of new projects, processes or products, will be key in demonstrating commitment to the principle.
Maintaining a strong information security environment
Info-sec has been a priority for organisations for a long time now, and linking an organisation’s approach to security to its data protection approach will be key, particularly when implementing the required technical organisational measures.
Monitoring the legal environment
As information and guidance on data protection is continuously being published, monitoring the requirements and guidance available will need designated attention.
Implementing operational data practices
Strategy and senior messaging aside, the success of any GDPR implementation will be in ensuring that on an operational level, policies and procedures are in place to comply with the operational requirements, from how organisations gather data, the policies they have on processing and retaining that data, to how they destroy it.
Managing employees who handle data
On a day to day level, do your employees know what their responsibilities are around data protection? Making sure that everyone views data protection as something they are responsible for will be a key step in ensuring engagement with new data protection measures.
Controlling third party access to data
When you’re working with suppliers or other business partners, how much access to personal data are they given to perform their contract? Managing that access and ensuring that contracts are robust enough to allow spot checks on data handling will be key in ensuring that personal data is protected.
Handing requests from data subjects
Whether these are requests for details held about data subjects, or requests for erasure, it is important that all organisations have a policy in place that helps their entire workforce deal with these requests appropriately. Requests can arrive to any part of the business so only training the HR team won’t be sufficient.
Dealing with breaches
The requirement to report any breaches to the relevant data protection authority within 72 hours of becoming aware of them has been a point of contention with commentators. The ICO’s own guidance in its myth busting series should provide clarification to businesses on this point but organisations will need to make sure they have measures in place to allow for detection and reporting of any breaches.
Carrying out audits and reviews
To make sure the new policies and procedures that have been put in place are effective and adequate, it will be important to carry out reviews of the measures that are implemented.
Contact us for an assessment of your GDPR readiness.
Posted November 2017
Reviewing a law to make sure it is fit for purpose is clearly wise. Legislation can have unintended consequences, so checking that this is not the case makes perfect sense. However, the recent decision to review the Bribery Act seems…