With 25th May 2018 – the date from which GDPR will be officially enforced – looming, many organisations are now beginning to feel a real sense of urgency around understanding the requirements and getting their practices in order.
For data protection officers, and anyone else involved in data processing within your organisation (by the way, if you don’t have a named data protection officer, in many cases you’ll need one to comply with GDPR – more on that in a minute), the new regulation is going to be the central focus for the foreseeable future.
In this post, we wanted to highlight the importance of setting a lasting standard for GDPR in your organisation, rather than putting in quick fixes or plastering over the cracks. In the long term, to ensure compliance for your organisation, you should look to implement and embody best practices in all of your data processing.
Here’s how to approach that.
As mentioned above, if you haven’t already, and you are a public authority or carry out certain types of processing activities (under Article 37, that means core activities involving regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data or criminal conviction data), you are required under GDPR to appoint a data protection officer. There’s more information about what types of processing activities require a DPO here. That being said, whether or not this applies to your business, it is best practice to select and name (in official documentation) a person who is responsible for data processing and GDPR compliance in your organisation. Not only does this help you tick a few boxes under the regulation, it also ensures that someone owns, manages and is properly accountable for data processing and compliance.
Review current processes
Once you’ve decided who’s responsible for your GDPR project, you’ll want them to review your current processes against the regulation in order to spot any gaps or problems. The audit should cover everything from documentation policy and general process to breach procedure and engagement with third parties. To help you conduct this audit, we’ve put together a handy checklist which covers all of your general responsibilities for data protection under GDPR, as well as guidance around appointing an ITAD or data erasure partner. You can download the free checklist here.
Review third party contractors
As we’ve mentioned above, and in a couple of previous posts, your organisation has a number of responsibilities under GDPR when it comes to engaging third parties to process your data. Perhaps most importantly, in the event of a breach you, as the data controller, can be held liable even if the fault lies with the data processor (unless you can prove that you were not in any way responsible, and that you took the relevant steps to try and prevent it). For that reason, it’s important to ensure that your data processing partners are reputable, certified and able to provide sufficient guarantees of their own GDPR compliance. Whether you decide to engage a new partner or continue with your current one, Article 28 requires a written contract to be in place which sets out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of individuals involved, each party’s obligations and contact details, and (particularly relevant for an ITAD or data erasure partner) what happens to the data once the service ends: it must be deleted or returned, with existing copies removed.
Document, document, document
Once you have conducted your audit and put in place measures to ensure compliance, you should ensure that your processing activities are documented. Under Article 30 you are also required to maintain records of processing purposes, sharing and retention, as well as ensuring that the roles and responsibilities of the various parties are clear and the relevant contracts are in place. This is particularly relevant and important if you are working with a third party to process your data, such as an ITAD organisation. Should there be a breach or complaint and a subsequent investigation by the Information Commissioner’s Office (ICO), you may be required to produce this documentation and any audit trails on request. To ensure everything is kept up to date, it’s advisable to agree a process with your DPO, or whoever owns compliance, on how, when and where documentation will be stored and reviewed.
An important step in ensuring your organisation’s ongoing compliance with GDPR is getting the cooperation and support of the wider business. Especially in larger organisations, it can be easy for a department or unknowing individual to slip between the cracks and carry on unaware of updated requirements and legislative responsibilities. Your DPO, or whoever you have made responsible for GDPR compliance in your organisation, should lead the charge (with support from the management team) in educating the rest of the business and taking them on the GDPR journey. Every employee and stakeholder should be made aware of what is required of them and of the business, and of the consequences of non-compliance.
We’re an experienced ITAD and data erasure specialist and are certified against key industry standards including ADISA and ISO 27001 (Information Security Management). If you would like to chat about how we can help your organisation get and stay compliant with GDPR, get in touch.