How Can I Demonstrate That My Organisation Is GDPR Compliant?

The GDPR came into force in May 2018 and overhauled how businesses process and handle data. Although that was almost two years ago, many organisations still don't know whether they are compliant, or simply don't know how to show that they are.

What now? How do I know that my organisation is GDPR compliant?

First of all, compliance is not a tick-box exercise; it is ongoing, a journey.

One of the defining principles of the GDPR is ACCOUNTABILITY. This specifically requires you to take responsibility for complying with the principles, and to have appropriate processes and records in place to demonstrate that you comply. The GDPR provides organisations with a set of tools to help demonstrate compliance and accountability.

These include:

DPO (Data Protection Officer): for most organisations, appointing a DPO is discretionary. However, the GDPR introduces a duty to appoint a data protection officer if you are a public authority or body, or if you carry out certain types of processing activity: for example, if your core activities require large-scale, regular and systematic monitoring of individuals (such as online behaviour tracking), or if your core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

DPIA (Data Protection Impact Assessment): a DPIA helps you identify and minimise the data protection risks of a project. It is considered good practice to carry out a DPIA for any major project that involves the processing of personal data.

Codes of Conduct: voluntary accountability tools that enable sectors to own and resolve the key data protection challenges in their sector, with assurance from the ICO that the code, and its monitoring, is appropriate. They can help you reflect on your processing activities and ensure you follow rules designed for your sector to achieve good practice. They are written by an organisation or association representing a sector, in language that the sector understands, and enable sectors to solve these challenges themselves.

The EDPB agreed the UK monitoring body accreditation requirements in December 2019, and the ICO is now able to approve both codes of conduct and code monitoring bodies. We welcome enquiries from associations and other bodies representing categories of controllers or processors. For example, an association or consortium of associations, trade or representative associations, academic associations or interest groups.[1]

Adhering to a code of conduct is optional, so it is up to the organisation to decide whether to use this route.

What will the regulator look for?

The regulator will look for proof that the board and senior management are aware of the GDPR, that they know what personal data is held within the organisation, and that they understand the risks involved. They want to know that the board has assessed the scope of the GDPR and how it will affect them.

With regard to the personal data the organisation holds, senior management need to know:

What personal data is being held?

Why is it being held? What is the purpose?

How was the data obtained?

What is the legal basis for processing?

Is it transferred? If so, where and by what means?

Are third parties involved in the processing of the data?

Who has access to the data?

To find the answers to all of the above, and more, the organisation needs to perform a DATA AUDIT. From the results of the data audit it can assess which controls need to be put in place to keep the data both safe and usable. Data is an asset that needs to be accessible and used effectively, but it must always be kept safe. The controls that are put in place will depend on the risk profile the organisation has accepted.

The GDPR is a risk-based regulatory framework: an organisation must choose the right controls to fit both its needs and its accepted risk profile, and it must be able to justify to the regulator what it has and has not done, should the need arise.

In order to achieve and continue GDPR compliance:

1.   Obtain board-level support. This is especially important for budget agreement and to ensure company-wide buy-in to the project. The board needs to understand the impact of GDPR compliance.

2.   Plan your project and appoint a project manager to keep it on track. Decide on the scope of the project and establish compliance priorities.

3.   Conduct a GAP ANALYSIS. By reviewing current policies, processes and procedures, this will highlight the gaps in your existing compliance programme.

4.   Carry out a RISK ASSESSMENT. The GDPR encourages organisations to take a risk-based approach to data processing. Use the risk assessment to identify the risks and determine ways to control or mitigate them.

5.   Conduct a DATA AUDIT. An organisation needs to know what data it processes. From the results of the data audit, create your records of processing as required by Article 30 GDPR.

6.   Develop compliant POLICIES and PROCEDURES. Having established your compliance gaps, assess your existing policies and procedures and ensure that they are in line with the requirements of the GDPR. Where necessary, develop new ones.

7.   SECURE personal data. Article 32 GDPR requires an organisation to implement ‘appropriate technical and organisational measures’. In practice this means having an Information Security Policy, using data encryption or pseudonymisation where necessary, and implementing basic controls. Every organisation should also have a clear policy and procedure for dealing with a DATA BREACH, should the need arise.

8.   Training is mentioned in Articles 39 and 40 GDPR. Training of staff should be a key component of your GDPR compliance programme. It should be ongoing and include all staff who have access to, or responsibility for, personal data. Staff need to be made aware of the importance of data protection and of the policies and procedures in place to protect personal data.
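Step 5 turns the data-audit answers into the records of processing required by Article 30 GDPR. The following script is an added illustration, not code from the original article: it takes one record per processing activity, written as a plain dictionary whose keys (assumed names chosen here) mirror the Article 30(1) content for a controller, and reports which records would not stand up to a regulator's request. The sample register is constructed and fictional. The treatment of a third-country transfer with no documented safeguard as an error is a design choice for the check; Article 30(1)(e) itself requires safeguard documentation only "where applicable".

```python
"""Completeness check for an Article 30 records-of-processing register.

Added example (not the article's own material). Field names are assumptions
that mirror the Article 30(1) GDPR content a controller must record.
"""

# Article 30(1)(a)-(d): always required in a controller's record.
REQUIRED_FIELDS = {
    "activity": "name of the processing activity",
    "controller_contact": "name and contact details of the controller (Art 30(1)(a))",
    "purposes": "purposes of the processing (Art 30(1)(b))",
    "data_subject_categories": "categories of data subjects (Art 30(1)(c))",
    "personal_data_categories": "categories of personal data (Art 30(1)(c))",
    "recipient_categories": "categories of recipients, incl. processors (Art 30(1)(d))",
}

# Article 30(1)(f)-(g) apply "where possible"; lawful basis is one of the
# data-audit questions above. Missing values are reported as warnings.
RECOMMENDED_FIELDS = {
    "retention_period": "envisaged time limits for erasure (Art 30(1)(f))",
    "security_measures": "general description of security measures (Art 30(1)(g))",
    "lawful_basis": "lawful basis for processing (data-audit question)",
}


def check_record(record):
    """Return (errors, warnings) for one processing-activity record."""
    errors, warnings = [], []
    for key, desc in REQUIRED_FIELDS.items():
        if not record.get(key):
            errors.append(f"missing {desc}")
    for key, desc in RECOMMENDED_FIELDS.items():
        if not record.get(key):
            warnings.append(f"missing {desc}")
    # Art 30(1)(e): each transfer outside the UK/EEA must identify the
    # destination country; this check also insists on a documented safeguard.
    for transfer in record.get("third_country_transfers") or []:
        country = transfer.get("country")
        if not country:
            errors.append("transfer without identified third country (Art 30(1)(e))")
        if not transfer.get("safeguard"):
            errors.append(f"transfer to {country or '?'} without documented safeguard (Art 30(1)(e))")
    return errors, warnings


def check_register(register):
    """Check every record; return {activity name: (errors, warnings)}."""
    return {
        rec.get("activity") or f"record#{i}": check_record(rec)
        for i, rec in enumerate(register)
    }


# Constructed sample register (fictional organisation and suppliers).
SAMPLE_REGISTER = [
    {
        "activity": "Payroll",
        "controller_contact": "Example Ltd, dpo@example.invalid",
        "purposes": ["pay staff", "statutory reporting"],
        "data_subject_categories": ["employees"],
        "personal_data_categories": ["name", "bank details", "NI number"],
        "recipient_categories": ["payroll processor", "HMRC"],
        "third_country_transfers": [],
        "retention_period": "6 years after employment ends",
        "security_measures": "encrypted at rest; access limited to HR role",
        "lawful_basis": "legal obligation",
    },
    {
        "activity": "Marketing analytics",
        "controller_contact": "Example Ltd, dpo@example.invalid",
        "purposes": ["measure campaign performance"],
        "data_subject_categories": ["website visitors"],
        "personal_data_categories": ["email", "IP address", "browsing history"],
        "recipient_categories": [],  # nobody documented the analytics vendor
        "third_country_transfers": [{"country": "US", "safeguard": ""}],
        "retention_period": "",  # not yet decided
        "security_measures": "pseudonymised identifiers",
        "lawful_basis": "consent",
    },
]


if __name__ == "__main__":
    for name, (errors, warnings) in check_register(SAMPLE_REGISTER).items():
        status = "FAIL" if errors else "ok"
        print(f"{name}: {status}")
        for line in errors:
            print("  error:", line)
        for line in warnings:
            print("  warn: ", line)
```

Run as-is, the first record passes and the second is reported as failing for an undocumented recipient category and a transfer with no safeguard, with a warning for the missing retention period. Each failing line maps back to one of the senior-management questions listed earlier, which is the point: the register is the evidence that those questions have been answered.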

To BREXIT and Beyond!