GDPR is not over

The 25th of May is not the finish line that many envisioned: GDPR is not over.  Elizabeth Denham, head of the ICO, describes GDPR compliance as an ongoing journey that requires continuous effort. She says that businesses “will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.”

We have summarised 5 key reasons for why GDPR isn’t over and what organisations need to do to ensure long-term compliance.

Technology doesn’t stand still

The information security landscape is constantly evolving. As hackers continuously find new and sophisticated ways to infiltrate information systems, the reality is that today’s robust security measures will not be sufficient to combat the threats of tomorrow.

Organisations will need to periodically evaluate and re-design their data protection controls to continue to achieve the required information security standards. Companies should regularly conduct GDPR assessments and test their defences to minimise any security vulnerabilities and cyber risks that may arise. This includes ensuring Data Protection Impact Assessments (DPIAs) are done for any new or modified processes that involve high-risk processing.

It’s not only about you

GDPR holds data controllers responsible for ensuring their processors are data-conscious and have the right technical and organisational measures in place.

Businesses wishing to remain compliant must therefore continue to guarantee that their new and existing suppliers are fit for purpose. Data protection needs to be permanently included in due diligence procedures and in standard agreements and contracts, and existing suppliers must be periodically monitored to ensure their measures continue to adequately maintain the integrity and security of the data.

Policies and procedures need to be up-to-date, adequate, and followed

An integral part of successful compliance with GDPR lies in ensuring that policies and procedures are in place to satisfy the required operational requirements, including how organisations gather data, how they process that data, how they keep it secure and how they destroy it.  

To maintain GDPR compliance on an operational level, businesses will need to regularly review their policies and procedures in line with the changes that occur in the organisation, monitor their effectiveness, and update them as necessary.

Compliance depends on employees

Making sure that everyone views data protection as something they are responsible for is key to ensuring the effectiveness of data protection measures.

Most companies will have already given their employees some form of training on GDPR. However, a one-off training module is insufficient: employees are likely to forget the training over time, and it will also need to be updated to reflect changes in the business, its policies and its procedures. As Elizabeth Denham has said, “Staff are your best defence and greatest potential weakness – regular and refresher training is a must.”

Data flows change

GDPR requires organisations to understand their entire data flows, identify their key elements and ensure processing is in accordance with the law. Many companies have conducted data-mapping exercises for this purpose. However, no business stands still: data flows and processing activities change over time. If businesses do not keep on top of these changes, gaps between GDPR’s requirements and their actual practices will inevitably arise.

Periodic monitoring and review of data flows is key for long-term compliance. It allows companies to spot any potential privacy issues or risks towards the confidentiality, integrity and availability of data. For companies with 250 or more employees, a regular review of data flows also ensures continued compliance with the requirement to document all their processing activities in their current situation.

Management commitment needs to be sustained

When all senior staff are committed to embedding data protection in their organisation, technical and organisational measures are much more effective. If senior management has mistaken GDPR compliance as a one-time thing, lower levels of the organisation will lack the continued engagement that is necessary for long-term compliance.

Conclusion

Companies who mistake GDPR compliance as a one-time thing are unlikely to remain compliant for long. Because no business stands still, new risks will continue to emerge and will go unnoticed unless data protection is a part of regular management. Companies should continue to monitor and review their organisational processes and practices to ensure they are still achieving GDPR standards.

Our Data Protection Framework can be used to verify the compliance of your existing systems and processes, identify any gaps and highlight areas that need to be strengthened.