The GDPR came into effect on 25th May 2018. Some people have likened it to the millennium bug but, unlike Y2K, GDPR is here to stay. The sheer size of the possible fines and the legal obligation of data protection by design and default mean that it absolutely has to be taken seriously on an ongoing basis. Read on for our 6 tips for living with the GDPR.
WHY CAN’T WE JUST FORGET ALL ABOUT GDPR?
So here we are, now well past the 25th May 2018. We’ve all survived the bombardment of emails asking us to opt back in to umpteen lists for companies we’ve never even heard of. Life hasn’t really changed very much, so the temptation is to just sit back and relax. However, GDPR is here to stay and, if anything, it will become more significant as time goes on and our understanding increases. Guidance is still being produced by the ICO, and once cases start to be brought against those who have not complied, we will be better placed to interpret the level of effort required to become and remain compliant. The ICO was quoted as saying “…people still need to be taking steps to implement the responsibilities long weeks, months and years after [the 25th May]” (Third Sector Magazine).
The GDPR mandated data protection by design and default (or privacy by design reinvented) and this presents an inherent obligation for organisations to be proactive about data protection and to embed it into everything they do, to stay on top of threats, to monitor data protection performance, to make sure data is secure from cradle to grave and to continuously improve.
KEY INITIATIVES TO SUPPORT ONGOING COMPLIANCE
We recommend the following 6 tips to support ongoing GDPR compliance:
Implement supporting governance structures
- Make someone responsible for data protection within your organisation to support rapid response to breaches, SARs, internal queries and to keep on top of change
- Consider hiring a DPO as-a-service if you don’t have one in house – let someone else do the leg work and demonstrate that you are taking GDPR seriously at the same time
- Monitor GDPR risk at board level to ensure it has the visibility and route to investment in improvement that it warrants
Foster a culture of awareness
- Push GDPR from the top to give it visibility and priority
- Involve employees in GDPR from the outset to develop understanding, buy-in and ownership
- Provide regular training refreshers, ideally contextualised to aid understanding
- Reinforce the value placed on data protection by sharing relevant good news stories or initiatives
- Reinforce the value placed on good data management practices through appraisal objectives, job descriptions and bonus structures
Support changing business needs
- Leverage existing change governance structures, e.g. change control / project control boards and associated artefacts to support proactive early identification of change impacting on personal data, and to ensure that plans for data protection are developed from the outset
- Put processes in place to ensure your Personal Data Inventory (PDI) is reviewed and updated regularly – this is your baseline for identifying change which may necessitate further risk assessment
- Put in place a repeatable Data Protection Impact Assessment process
- Test that business / technology change has successfully met your data protection policies and requirements
Stay on top of changes in the wider business environment
- Consider adopting formal information security standards, e.g. ISO 27001
- Keep up-to-date with current external data protection threats / opportunities, so that you can manage them proactively, e.g. software security patches
- Keep up-to-date with changes your third parties make to the way that they process personal data on your behalf and on their threat levels
Monitor, test and measure the effectiveness of your privacy regime and support improvement
- Understand the level of security you currently have in place – consider a Cyber Security Maturity Assessment to help you understand where you are now and what practical measures you could take to improve
- Test your data protection security measures on a regular and ad hoc basis (both physical and digital)
- Monitor your network / systems for intrusions
- Review your PDI regularly to ensure it is still up-to-date – the frequency should be determined by the level and pace of change that is normal within your organisation
- Conduct spot checks / audits of your data protection procedures on a regular basis, e.g. is your retention policy being applied?
- Regularly review how well your SAR process / breach process is coping
- Monitor complaints made relating to personal data – is there commonality to suggest you haven’t correctly interpreted your data subjects’ expectations in relation to how you are processing their data?
- Test the effectiveness of your training and awareness programmes, e.g. conduct pop-up quizzes
- Audit third parties that process special category or particularly sensitive data on your behalf from time to time
- Re-run a benchmarking exercise on an annual basis to provide proof of the level of improvement made – Purple can provide a GDPR Maturity Assessment to achieve this
- As it says on the tin, if you don’t keep records to demonstrate your compliance with GDPR and the reasoning for decisions, then you have no proof
Finally, to wrap up, GDPR isn’t going anywhere – if anything it is likely to become more relevant or perhaps more understood as more guidance is released, as technology continues to develop around Artificial Intelligence, as cyber security challenges increase, and as cases appear before the ICO.
Data protection by design and default places an inherent obligation on us to be proactive, keep up-to-date, monitor and continuously improve our data protection regime. The 6 tips above will help organisations to meet these obligations, but they do assume a base level of compliance already exists in your organisation. If this isn’t the case, get in touch; we can help with our GDPR Maturity Assessment and Remedial Support services.