Given the impending deadline, everyone is concerned about attaining and demonstrating compliance. But organisations mustn’t lose sight of the fact that 25 May 2018 is the starting line, not the finishing line. There’s no deadline for compliance because it’s not a one-time event. Accountability and the ability to demonstrate compliance are an ongoing effort that needs to become part of every company’s practice and culture. What follows is an overview of what needs to be monitored on an ongoing basis.
The accountability principle requires organisations to demonstrate compliance with the principles of personal data protection. So all processes related to this need to be proactively maintained and demonstrable. In some cases it’s processes that have to be maintained, such as responding to data subject requests or reporting data breaches within the required time frames.
In other cases it’s actual documentation, such as maintaining a record of processing purposes or a record of processors and data recipients. A governance structure, including policies, notices and best practices such as DPIAs (where needed), needs to be recorded. Documentation and audit trails of reviews and implementations of technical and organisational measures will also go a long way towards demonstrating accountability.
Data Protection by design and by default
From the outset, when a new product or service is being developed, an analysis must be done on the processing of personal data to ensure that this product or service will comply with the organisation’s policies and that the appropriate lawful basis and data retention periods are considered.
A structured review and documentation of this process should be done in what is known as a data protection impact assessment (DPIA). The DPIA will help identify whether there are risks related to privacy and data protection, so that appropriate measures to mitigate these risks can be identified. If the new product or service poses high risks, the organisation must, at that point, consult with the supervisory authority to ensure the product or service is developed in a way they deem adequate.
This procedure is what is referred to as ‘Data Protection by Design and by Default’ in the GDPR. All employees and consultants need to be aware of this and be trained in it and even re-educated on an annual basis to ensure it becomes part of the organisation’s practice and culture.
Employee training as part of data protection by default is only one part of an organisation’s responsibility to employees. The relationship between employees, data protection and their data rights is one of the most overlooked aspects of the GDPR. When new employees are taken on, they need to be trained in the organisation’s policies and the GDPR. When employees leave the organisation, the non-essential data about them needs to be deleted.
As data protection policies change over time, the organisation will need to make sure employees are made aware of the changes and how they affect their responsibilities. If the HR department changes the personal data it collects on employees or its employee monitoring processes, or if it changes the legal justification or the length of time it retains data on employees, then the employees need to be informed of these changes.
Over time organisations will inevitably change vendors, add new ones and reduce or expand the relationship with an existing processor. As this happens, it will be necessary to ensure that, effective 25 May 2018, existing contracts/agreements are modified and that new contracts/agreements are put in place.
Data subject access requests
As EU data subjects become more and more aware of their new rights they’ll likely begin to exercise those rights. An organisation must make sure it responds to access requests within the required time frame. Failure to do so could lead to data subjects lodging complaints with their data protection authority, which will create negative visibility for the organisation and could lead to sanctions or fines.
Data breach incident management and reporting
A breach log needs to be maintained. Breaches must be reported to the relevant authority within the required time frame. The log should also record remediation efforts, so you’re able to demonstrate what you’ve done to reduce the likelihood of a similar breach occurring again. The lessons learned should then be fed back into your DPIA processes and your security reviews.
As an organisation develops new products or services, retires old ones or implements new processes, it’s likely to process different types of personal data from different types of data subject. This should be identified in the DPIA and then fed back into the data map, so that the map always represents the organisation’s current data flows rather than a historical snapshot.
This data mapping review should be done at regular intervals so that the record of processing purposes, which is a documentary requirement of the GDPR, is always correct and up to date. It shouldn’t stop there though because any revision in the data map will have an impact on privacy notices and governance documents, which will in turn require reviews of data security and data management practices.
If you’re looking for a system that will not only help you create the programme but also document every step along the way, look no further than GDPR365.
GDPR365 enables you to easily get your compliance documentation in place, train your employees and manage your direct marketing, HR and IT services. GDPR365 manages and stores all contract documents with your processors and for sharing agreements. GDPR365 provides full workflows to manage data subject access requests and breaches in the security of your personal data.