GDPR compliance is a complex state to achieve. It is not something that you do once and then you are compliant. It is an ongoing process and entails many changes to an organisation and how it functions, not just in the IT area as many people think. GDPR compliance covers areas of consent management, direct marketing to existing and new clients, human resources management and employee information, as well as information use and security, staff training, access requests and breach management. In addition very few organisations will be 100% compliant 100% of the time, the real challenge is to be maintaining a program of compliance.So, when a client asks you, “Are you compliant with the GDPR regulations?” a simple YES or NO answer is not really possible.To answer the question, you give at least 5 answers. Here is how I suggest one answers the question.GDPR compliance requires an ongoing program to manage and maintain.GDPR compliance is not a once off event, it is a series of action required in order to conform with regulations, which you must review on a periodic basis to ensure that maximum compliance is attained. We have a program in place to manage these actions and tasks as well as review and rectify our compliance status where necessary.
Answer 1 – We manage our compliance within the main compliance areas of Consent, Marketing, Human Resources and Information use and security as follows:Consent management – We ensure we have a lawful basis for obtaining consent from people by ensuring they perform a clear affirming act, give consent freely, unambiguously and for specific purposes. We understand that consent can be withdrawn at any point. We review our compliance on a quarterly basis to ensure its ongoing. This is in line with Article 7 of the GDPR regulation.Marketing – We manage our marketing compliance in the three main areas of marketing, to existing clients, to prospective clients and in terms of profiling clients.We actively seek consent for all activities and comply with the GDPR guidelines for marketing activities.We review our compliance with the GDPR in terms of our marketing activities on a quarterly basis.Human Resources – We are constantly vigilant in our collection and management of the personal and sensitive personal information of employees as well as prospective employees. We manage the information in the following categories, recruitment information, employment records and employee health information using the GDPR as our guide. In addition where we monitor employees we perform a data protection impact assessment to justify the monitoring. All our employees are fully aware of what we do and how we manage the employees and we have a valid employee privacy notice. We review our compliance on a quarterly basis.Information use and security – We understand that information stored on IT infrastructure or moving between infrastructure is highly vulnerable. We ensure that we manage information in terms of retention and restriction, use of information technology, information quality and we have appropriate security controls. We use the GDPR as our guide along with other procedures such as ISO 270001. We review our security controls on a monthly basis and our other aspects of information use and security on a quarterly basis.
Answer 2 – We have relevant privacy notices and have a procedure for managing subject access requests. We also have policies in place covering a number of privacy requirements.We have mapped our usage of personal and sensitive personal information with all the relevant types of people we interact with, the reason we interact with them, the information both personal and sensitive (with further legal basis) we collect and use as well as where we process and store the information, including in house and external processor locations.We have policy and training documents available and communicated to our staff covering the areas of:
- Employee training
- Data Protection Policy
- Employee Privacy Notice
- CCTV Policy (where relevant)
- Acceptable use policy
- Information classification and labelling standard
- Information protection and handling policy
- Third country transfers
- And any others you may have…