So, your compliance officer has had data protection compliance as one of his objectives since the year dot. He's bound to be all over GDPR. You definitely have it covered, right?
With the impending introduction of GDPR, data protection compliance can no longer be the responsibility of just one person in your organisation, or a matter of marginal concern. Everyone in the business needs to understand GDPR, what it is and the importance of putting data privacy at the heart of your policies, processes and practices.
This means that:
- the directors, or others responsible for the management of your business, need to have GDPR firmly on their agenda. The widely-publicised penalties for breach of the GDPR (fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher) and the equivalent legislation being introduced in non-EU jurisdictions (including the Channel Islands) are designed to make data protection an issue for those at the highest level of the organisation
- public authorities, and private sector businesses whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, must appoint an appropriately qualified and independent data protection officer who will be responsible for overseeing data protection compliance. The data protection officer will need to keep up to date with developments, report directly to the highest level of management on a regular basis, and liaise with the regulator to the extent required. Other organisations which are not obliged to appoint a data protection officer should also consider doing so as a matter of good practice
- a framework of accountability should be introduced so that all project and team leaders at every level of the business are given responsibility for ensuring compliance with the processes and procedures being adopted in line with GDPR
- regular training should be given to all personnel so that they understand the key requirements of GDPR, what their obligations are and why this is so important to the business
Importantly, you also need to look outside your organisation, to your suppliers and others who will process the personal data you control, to ensure they will comply with the GDPR from 25 May 2018. As the data controller, it is your responsibility to select only processors who can give sufficient guarantees about their data protection measures, and to have a written contract in place with each of them that contains the terms the GDPR requires. Start the discussions now to find out what they are doing to prepare.
Being able to comply with the GDPR by 25 May 2018 requires preparation. If you have not yet started preparing, it is imperative that you do so now.
First, you need to understand the life cycle of all categories of data within your business. This means collaborating with the business leads across your organisation (such as the head of your HR, IT and Business Development teams), to identify:
- the entry point: what personal data you collect, where and who it comes from, how it comes into your organisation and why you are receiving it
- the process: where the data goes and what happens to it while it is in your organisation. Where and how is it stored, who has access to it and why, and is any of that access or data superfluous?
- the inputs: what additional data is added, from internal and external sources, to the data you receive, who adds it and why? Is any of this additional data inferred through profiling or similar means?
- the outputs: what will be produced with the data in terms of reports and other outputs?
- the exit point: when and how is the data deleted or exported from the organisation? If it is exported to a third party, who are they, what is the legal basis for the transfer (including any transfer outside the EU), and how and why will the third party process it?
Once you have mapped this information:
- you will be able to start to identify what has to change to enable you to comply with the GDPR
- you should document and keep the results, both to demonstrate what you have done to collate the information needed to underpin the development of your new data governance strategy and because the same information will form the basis of the record of processing activities that the GDPR requires most organisations to maintain.