What do organisations have to do – and how should they demonstrate that?

The very basic points of what needs to be covered to comply with the GDPR are:

Clarity on data held

  • Understanding of the data they hold
  • What personally identifiable data is held, where, how and for how long
  • Where data is passed to and from, and how this is managed
  • What the reason is for holding the data

Controls and notifications

  • Protect personal data using appropriate security
  • Notify authorities of personal data breaches
  • Obtain appropriate consents for processing data, and keep evidence of those consents
  • Keep records detailing data processing

Transparent policies

  • Provide clear notice of data collection
  • Outline processing purposes and use cases
  • Keep data policies up to date
  • Define data retention and deletion policies
  • Ensure Data Access requests can be processed in the required timescales

Organisational capabilities and trained staff

  • Train privacy personnel and employees
  • Employ a Data Protection Officer (if required)
  • Create and manage compliant vendor contracts

That’s a pretty big list already, but it’s just a list, and there is much to think about for each item. The ICO have published some really helpful checklists, with separate versions for Data Controllers and Data Processors, at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

It’s really worth going through these and making sure you understand what you are doing in each area.

Key to this, though, is documentation of your approaches and measures, and retaining records of the policies, procedures, training and assessments in case of challenge from regulators or auditors. As discussed in other sections of this blog, the potential penalties are now so severe as to threaten the survival of many organisations, and are thus of interest to a wide audience.

© Cantata Lim