Get Your Data Protection Right, How Do You Know You Are Compliant?
Whatever your feelings about it are, the GDPR exists to ensure companies Get Data Protection Right. It’s not there to tyrannize companies or threaten them. Rather, it acts as a guiding set of principles that helps to ensure companies are good custodians of the personal data they use.
We’ve identified nine pillars of data protection which work together to form an effective data protection framework. The first post in our “Get Data Protection Right” series talked about accountability, which is one of the fundamental principles of the GDPR.
Most elements of compliance relate to accountability, from the policies a company adopts, to the security measures it implements, to how it responds to data breaches. This article looks at our eighth pillar of data protection: monitoring and demonstrating GDPR compliance.
The way you demonstrate GDPR compliance (or your journey towards it) is through a system of record-keeping and documentation. Unless you maintain registers containing the details of your personal data processing, you can’t be fully accountable.
GDPR compliance is a never-ending process, since the personal data a company holds and the way it is processed changes constantly. All records must be regularly reviewed and kept up to date.
GDPR Compliance Depends on Documentation
Keeping detailed records of data-processing activities can help a business to operate more efficiently and can improve data governance. You should think of your record-keeping in these terms rather than seeing it as an onerous task.
Supervisory authorities, like the ICO in the UK, may request documentation at short notice. An example of this is when a serious data breach occurs: for many breaches you have only 72 hours after discovering the breach to file a report with the supervisory authority. An efficient process for recording and evaluating breaches helps in gathering the required information quickly. It also reduces a lot of potential stress.
Another instance where detailed documentation helps is when an individual or data subject requests access to their data (these are known as subject access requests, or SARs). Ideally, you should have a process to simplify and record your responses, so that in a couple of mouse clicks you can see where the requested information is, whether inside your organisation or with a third party. Unless a request is particularly complex, companies have one month to deal with a SAR.
Furthermore, under Article 30 of the GDPR, record-keeping of processing activities is an explicit requirement of compliance. Thus, as well as helping in the timely execution of GDPR tasks, it is necessary in and of itself. Using the right tools can reduce the burden of record-keeping, inform you of your progress towards compliance and help you stay on top of it. We’ll look at that next.
Monitor and Prove Your Compliance
Article 5 of the GDPR sets out the chief responsibilities of a data controller with regard to processing personal data. It also requires controllers to prove they’re complying with these responsibilities, which is achieved mainly through record-keeping and documentation.
Having established the importance of documentation and why it’s necessary under the GDPR, how do you use your records to gauge progress towards compliance? One way is to use GDPR compliance software with built-in monitoring tools.
Monitoring Compliance Example
Imagine a company that aims for GDPR compliance but isn’t sure whether or not it has achieved it. Using software like GDPR3645, which features a compliance dashboard, gives you a quick overview and shows the tasks needed to maintain compliance. A workflow management tool for allocating tasks and tracking progress lets the company see at any point in time what needs to be done, when and by whom.
Furthermore, PrivIQ software gives feedback on any compliance gaps.
Some of the areas of GDPR compliance monitored by PrivIQ include the following:
- Data subject access requests: a case management and workflow tool for simplifying the process of responding to individuals’ requests in relation to their data.
- Processing risk management: You’re able to do risk assessments either through DPIAs or on core data protection areas related to the GDPR and attach thorough documentation relating to your mitigation efforts.
- Legitimate interests: When legitimate interests are being used as the legal basis for processing personal data you can indicate and defend your reasoning.
- Information use and cybersecurity controls: all aspects of cyber security can be recorded, including technical measures, company policies and practices, and staff training.
- HR practices: employees also have data rights under the GDPR, so the handling of staff data must be monitored to ensure GDPR compliance.
An example of how documentation helps prove compliance
A debt collection agency holding sensitive personal data on EU subjects needs to prove its GDPR compliance in order to build trust. To achieve that, the agency might subscribe to the FENCA code of conduct in data protection.
GDPR Article 40 encourages the creation of codes of conduct within various trades. These codes of conduct can often clarify some of the regulation’s more abstract requirements and give guidance on specific industry problems. They also instil confidence in potential customers.
Getting Data Protection Right
There are several ways a business can make itself accountable for its data protection practices; one of them is through meticulous record-keeping. Documentation brings the various elements of the GDPR together and surfaces the tasks that need to be completed for full compliance.
By using PrivIQ as the foundation of your data-protection framework, the path towards compliance becomes clear. You’ll be able to set goals, gauge progress and manage data-processing tasks efficiently. Why not begin a free trial today?