The General Data Protection Regulation (GDPR) came into our lives like a tornado. It swept through our business processes and spat us out. Well, that is certainly how it felt at the time.
Now, almost a year on, where do we stand?
Has your organisation recovered enough to take a breather, or are you still wondering what a DPIA is and whether you really need fresh consent from customers you’ve had for ten years?
By February of this year, over 59,000 personal data breach notifications had been made to supervisory authorities across Europe. Around 10,600 of those came from UK organisations. The GDPR is not going away, and we have to make sure we deal with it efficiently and effectively.
With this in mind, as we move into our second year under the GDPR, what sort of things do we need to re-address or keep an eye on?
Keeping Up with the GDPR
There are a few housekeeping points you need to keep on top of to maintain compliance with GDPR requirements. The main ones include:
GDPR requirements refresher course
It is always useful to refresh your knowledge of what the GDPR actually requires. Even if you have a dedicated Data Protection Officer (DPO) whose job is to keep your organisation in line with the GDPR, the rest of your staff may have forgotten what it is all about. Refresher training keeps staff focused on the importance of data privacy. It is particularly important for staff who handle personal data day to day, such as HR, marketing, IT, and sales.
Reviewing your processes and suppliers
Any change that materially alters how your organisation processes personal data needs to be checked for GDPR compliance. To recap:
- Review your data processing procedures
- Check your data capture and any new data brought under your control. Pay particular attention to special category data under the GDPR, which covers areas such as racial or ethnic origin, trade union membership, biometric data used to identify someone, and health data
- Review your consent process a year on – did you capture the consents you were supposed to? Where you rely on legitimate interests rather than consent as your lawful basis, have you carried out and documented a Legitimate Interests Assessment (LIA) to show compliance?
- Have you changed suppliers – added or removed vendors from your supply list? If so, make sure a written contract containing the processor obligations set out in Article 28 is in place, so that any personal data you collect is processed within the expectations of the regulation
Review your security policy
A security policy is not a static entity. It is only as good as the security and data protection landscape it represents. Review your security policy to see whether any areas need updating, especially those that touch on data protection regulations like the GDPR. The review of your processes, data collection, and suppliers above will feed into this task.
Where you find gaps in your policy, plug them with updated information and procedures. And don’t forget to make sure that all staff, from C-level down, know the policy has been updated. You may also need policy training to help with the implementation of any new processes.
Review and update your DPIA
A Data Protection Impact Assessment (DPIA) is a process the controller carries out, with advice from the DPO where one is appointed, to examine a processing activity, identify the risks it poses to individuals’ privacy, and decide on measures to reduce those risks. A DPIA is mandatory under Article 35 of the GDPR, and under the UK’s Data Protection Act 2018, for processing that is likely to result in a high risk to individuals, and an existing DPIA should be revisited whenever the processing changes. The UK’s Information Commissioner’s Office (ICO) has guidance on how to perform a DPIA.
Keep on top of cyber threats
Being aware of security threats is an important aspect of modern business. The cyber-threat landscape is ever-changing, as cybercriminals continuously up their game to keep us on our toes. Data privacy is an aspect of data security that is often affected by cybercrime. Use regular security awareness training, such as online training videos, to keep staff aware of the daily risks to personal data from email, mobile devices, and so on. An aware staff member is a safer and more compliant staff member.
Review your approach to compliance
Compliance, including with regulations that govern data protection, has become an everyday part of business life. But the compliance landscape, including the approach to policing and enforcing regulations, can change, and that in turn affects how you approach regulatory compliance in your organisation. Keep a watchful eye on the ICO’s Regulatory Action Policy, which sets out what powers the ICO has and how it applies them. Understanding this may help you to adjust the way you approach your own compliance requirements.
The Carousel of Compliance
All of the above demonstrates that staying within the bounds of regulatory compliance and meeting the requirements of the GDPR is not a one-off task. Regulatory frameworks on privacy and security matters are there to reflect the needs of our digital society, and they are not static themselves – the GDPR is a response to the growing use of personal data in a connected world. The best way to minimise the upheaval of compliance is to get into a routine of regular review. Once you have this in place and have done it a couple of times, it will become easier. In the end, with fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher, getting your house in order and keeping it there is a worthwhile job.