The GDPR (General Data Protection Regulation) hasn’t exactly crept up unnoticed over the past year or so, but it’s still caught many organisations by surprise.
Some mistakenly thought that it would only affect large organisations, others doubted that the much-discussed massive fines would ever be issued, and a few thought that Brexit would save them from the EU regulation.
But none of those things are true. Organisations of all sizes have been put under regulatory pressure, and the ICO (Information Commissioner’s Office) has already stated its intention to issue fines totalling £282 million against British Airways and Marriott International.
Meanwhile, although the specifics of Brexit are still unclear, one thing is certain: whatever happens, UK-based organisations will be subject to the GDPR’s requirements. That’s because the government adopted a UK-specific version of the Regulation’s requirements as part of the DPA (Data Protection Act) 2018.
If you’re overwhelmed about GDPR compliance or find most implementation advice too technical and complex, don’t worry. IT Governance has created a simple guide to help you understand how to achieve regulatory compliance and avoid disciplinary action.
The first thing to remember is that the ICO will show leniency to organisations that can demonstrate that they are making efforts to achieve compliance. That means that simply beginning to take steps will help your standing should you come under investigation.
But exactly how should you proceed? Let’s take a look.
-
Assess your current data protection measures
The first thing you should do is work out the extent to which you’re already complying with the GDPR.
You’re probably meeting some of the Regulation’s requirements already, albeit in an unfocused way, so the scale of the task won’t be quite as big as you might have feared.
There will, of course, be many areas where you aren’t compliant. You can determine these by carrying out a gap analysis. This process identifies where your existing processes fall short of the Regulation’s requirements and helps you understand what you need to do to bring them up to standard.
-
Identify and minimise risks that result from your data processing
The GDPR requires you to implement “appropriate technical and organisational measures” to ensure the security and privacy of the personal data your organisation processes.
To determine what’s appropriate, you should conduct a risk assessment. Only by evaluating the threats you face and your ability to deal with them can you establish a level of security that can adequately protect your organisation’s information assets in line with the GDPR – while keeping your expenditure within budget.
-
Educate and empower your employees to make better decisions
The GDPR requires every employee with permanent or regular access to personal data to receive appropriate data protection training.
Beyond this requirement, it’s important to recognise that information security is a responsibility for every employee, regardless of their level of access to personal data.
As well as ensuring that all your staff have a good understanding of the GDPR and information security, you’ll benefit from having a few individuals with more in-depth knowledge.
Some organisations will be required to appoint a DPO (data protection officer), who provides an independent assessment of the organisation’s GDPR compliance activities. Organisations should also encourage managers and those closely involved with data processing to take advanced GDPR training courses.
-
Develop controls, policies and processes
GDPR compliance is too complex to maintain without a formal structure – especially as the Regulation places such a strong emphasis on documentation. Article 30, for example, requires data controllers to keep written records of data processing activities, including:
- The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data; and
- The categories of recipients to whom the personal data have been or will be disclosed.
It’s also a good idea to keep written records of the lawful basis for processing and data processor agreements.
-
Implement a DPIA
DPIAs (data protection impact assessments) are a form of risk assessment that identify any compliance issues that might arise as a result of data processing.
They are a useful accountability tool when it comes to GDPR compliance, as the results help you demonstrate that you have taken the appropriate technical and organisational measures required by the Regulation.
It’s particularly important to carry out a DPIA when introducing new processes, systems or technologies for processing personal data.
-
Manage and respond to DSARs
Article 15 of the GDPR grants data subjects the right to access their personal data from data controllers so that they can understand – and check the lawfulness of – how it is processed.
A request to access personal data is known as a DSAR (data subject access request), sometimes referred to as a SAR.
Access requests are not new, but the GDPR introduced changes that make responding to them more challenging.
For example, organisations may no longer charge a fee, except in certain circumstances, and now have less time to respond – one calendar month rather than 40 days.
DSARs do not have to be made in writing, and can be made to any member of staff, so it’s essential to ensure that everyone in your organisation can recognise a DSAR when they receive one. You should also have a proper procedure in place that every staff member can follow.
-
Plan, monitor and maintain a concrete GDPR compliance programme
GDPR compliance is ongoing, not a one-off task. Merely having the right procedures in place does not mean you are – and will remain – compliant.
You need to regularly monitor and audit your compliance. This means documenting your processes and procedures, and regularly checking them to ensure they’re still fit for purpose, in line with the Regulation’s accountability principle.
Looking for more advice?
This blog is an excerpt from our new green paper, 7 Steps to Highly Effective GDPR Compliance.
Download this free guide for a more detailed breakdown of how to improve your GDPR compliance. It includes recommendations for tools and services you can use to meet your compliance requirements.