With the recent passing of the GDPR deadline, it’s now critical that, in the event of a regulatory investigation, your organisation can demonstrate that it has taken reasonable steps to take privacy seriously – and ultimately comply. Taking immediate action is important, as our recent GDPR survey reveals that 58% of respondents are still not totally confident they can demonstrate compliance. To ensure successful outcomes, here are some key, practical questions that must be considered as a matter of urgency.
Can we ensure a swift response to a data breach?
Our research indicates that there is still work to be done for organisations when it comes to effectively responding to a data breach – with 52% of respondents still not totally confident of being able to achieve this within the required time frame. To ensure that the response process to a data breach is flawless, your organisation must undertake practice sessions so everyone knows what is expected of them. This will equip them with the means to alert the relevant authorities – within 72 hours.
Is your GDPR specialist impartial?
For those organisations employing over 250 staff, ideally a person will already have been made GDPR accountable as the data protection officer. Clearly they will possess a significant understanding of both the business and complexities of the data regulations – but they must also operate independently within the business. Therefore, it’s critical that they don’t have any other responsibilities that may result in a conflict of interest.
Have your staff received a Data Privacy Notice?
Remember that employees count too under GDPR – so all staff must receive a ‘Data Privacy Notice’ advising them that their personal data will be processed by the company under ‘legitimate interest’. Explain in simple language which personal data will be processed, the reasons and timeframe for doing so, what rights they have and who they should contact if they have concerns. Also, outline what happens if they leave the organisation and who else this personal data will be shared with.
Have you generated enterprise-wide GDPR awareness?
Everyone within an organisation needs to know what the regulation means for them. This means establishing which areas of the business fall within the scope of GDPR, by identifying, assessing and mitigating privacy risks with data processing activities. For larger organisations, territories and jurisdictions must be looked at too – as well as standards and management systems that may be affected or could positively contribute to GDPR compliance.
Another task is to establish from the IT team whether there are any imminent projects that involve personal data – as these will be candidates for privacy by design. This is critical because, with privacy by design, privacy in a service or product is taken into account not only at the point of delivery but also from the product’s inception.
Can you identify data across the enterprise?
Our survey also indicated that there remains a lack of awareness across organisations of where their data is stored internally. Typically, vast amounts of data are held in all sorts of places, so you must establish which types are held, where the data comes from and the lawful basis for processing it. There are special categories of data that may invite stricter processing rules, such as obtaining explicit consent. Once all data has been sought out, it must be clearly documented: when, how and why it was obtained; what is going to be done with it; and how long it will be kept.
Are you creating and improving key policies and processes?
Your organisation is required to record personal data processing activities including, but not limited to, the categories of data being processed, the categories of recipients of the data and time limits for keeping the data. Each business also needs a privacy notice, a data protection policy and to update or review contracts with employees and suppliers – to ensure they are compliant.
These policies should explain what personal data is and why it’s important to keep it secure and protected. Everyone should be clear on what they can and cannot do with that data and must understand the consequences of non-compliance.
The rules around consent are clear: it must be freely given by the individuals; the information must be unambiguous, specific and with no jargon, and consent must be given affirmatively. Transparency is paramount: organisations must be open and honest with the people who provide their data about what is being collected, why it’s wanted, how it will be used and how it will be cared for – and that withdrawal of their consent is possible at any time.
Addressing people’s rights requires more comprehensive outlines of how their data should be handled. Key changes include the ‘right of access’, which has expanded considerably and must now be free of charge. Additionally, the ‘right to be forgotten’ has also been extended, with individuals now able to be ‘forgotten’ when they no longer want to have a relationship with that brand. This means that organisations should think about what processes are needed to accomplish this.
Our recent research across UK organisations indicates that there’s still much work to do – in terms of GDPR planning, data discovery, and up-skilling more dedicated staff, so they’re equipped to deal with the demands of this complex compliance process. Ultimately, to ensure successful outcomes, organisations must have the correct systems and tools in place so that data can be easily accessed and properly protected too.