8 Key Action Points for GDPR Compliance
The General Data Protection Regulation (GDPR) has now been in force in the UK and Europe for a year. Last year, facing a hard deadline, many businesses were searching for a quick and easy way to ‘get compliant’ before 25th May, while believing that after the 26th they would never have to think about it again.
Unfortunately, GDPR is here to stay and the ever-increasing threat of data breaches and audits from the Information Commissioner’s Office (ICO) means compliance should never be far from your mind.
In the past year, Briefed have worked alongside many businesses throughout the UK, assisting them with data breach investigations before the ICO. From our experience of dealing with the ICO, we have devised a checklist of 8 key action points to measure your annual GDPR compliance against the ICO guidelines and ensure you remain as compliant as possible for the future.
1. Have you carried out a GDPR audit?
Until you delve deeply into your organisation or business, you do not know where your GDPR risks lie, or where a data breach could occur. We recommend an annual, independent GDPR audit across all areas of your business to ensure ongoing GDPR compliance. The ICO has the power to audit your business at random and will look to see how regularly you carry these out.
2. Are your staff trained annually?
The ICO requires that appropriate GDPR training is carried out by all staff annually. Evidence of training such as certificates of completion will be required by the ICO in the event of a data breach investigation or an audit. Ensure your entire workforce has had training on GDPR, that they have completed a GDPR exam, and that you keep a record of their training to hand in your GDPR Training Register.
The ICO has recently applauded businesses who achieve a GDPR certification, stating that:
Certification can help demonstrate data protection in a practical way to businesses, individuals and regulators. Your customers can use certification as a means to quickly assess the level of data protection of your particular product or service, which provides transparency both for data subjects and in business to business relationships.
In addition, they state that:
Obtaining certification for your processing can also help you to -
· have a competitive advantage and
· mitigate against enforcement action.
3. Have you appointed a GDPR lead?
It is mandatory for some businesses to appoint an official Data Protection Officer. The ICO identifies businesses which have failed to appoint a GDPR lead as having not prioritised or thought about GDPR compliance. Check to see if your business requires a Data Protection Officer, and ensure they receive full training on their role and responsibilities.
4. Have you implemented a Data Breach Management Plan?
Data breaches must be reported to the ICO within 72 hours. You should have a clear procedure in place, and ensure all staff are made aware of it. Not only will this save you time, but it will also help reduce panic when a data breach occurs. Poor data breach crisis management will lead to much poorer results when investigated by the ICO.
5. Is your Privacy Notice up to date?
Two of the most important purposes of GDPR are transparency & accountability. Your customers and clients are entitled to know what data you process about them, where it is stored, and what you do with it. Your privacy notice is how you keep them informed, and it is KEY to compliance. Your Privacy Notice must be kept up-to-date and reviewed regularly.
6. Do you have Data Sharing Agreements in place?
You cannot simply share personal information with anyone you like. You must have an appropriate legal basis to do so. Any sharing must be governed by a written contract or agreement, and a copy of the agreement kept in your GDPR folder.
7. Have you carried out due diligence?
Quite often, your third parties will be your biggest risk when it comes to data breaches. While the ICO recognises this, the failure lies with the business or organisation if it has not carried out due diligence before sharing any personal data with its third parties.
8. How long do you keep information for?
As part of your GDPR documentation, you should implement a data retention policy, clearly outlining the length of time your business will keep data for and how it will be disposed of. Remember - the longer you hold on to data, the higher the risk of a breach.
It is a lot to think about when keeping an eye on GDPR compliance, but if you follow the steps above you will be in a much better position to defend yourself in an ICO investigation or pass a mandatory ICO audit.
If you need expert help with GDPR training, audits or data breach management please get in touch with us on email@example.com