Now that the General Data Protection Regulation (GDPR) is live and enforced, the focus has shifted from how to comply to how to maintain the controls and processes which have been implemented. While this may seem like a continuation of what has already been achieved, it is in fact an opportunity to improve. Those processes and changes which were rushed, or not properly embedded into day-to-day operations, will now need to be cultivated amongst staff for the long haul.
In this blog, CTO of GPRC Hub Barry Seward explains seven of his top GDPR considerations for data privacy teams, for ongoing compliance and adherence.
How Prepared Are You To Handle DSARs?
A Data Subject Access Request (DSAR) is made under the right of access (Article 15) and entitles data subjects to confirmation that their personal data is being processed, a copy of that data, and information about the processing, such as the purposes, the categories of data, the recipients and the retention period. Controllers must respond without undue delay and in any event within one month of receiving the request. This can be extended by up to two further months where a request is particularly complex or where the subject has made several requests, but only if the data subject is told of the extension, and the reason for it, within the first month.
Consider implementing the following to assist your DSAR process:
- An end-to-end DSAR management tool.
- A DSAR dashboard to track progress and flag instances of request non-compliance.
- A form on your public website which integrates with the above system and dashboard, enabling data subjects to submit a request.
- An integrated encryption facility to protect both the upload of identity verification documents and the delivery of the personal data to the data subject/requester.
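The dashboard item above is where most DSAR processes fail in practice: the one-month clock, the conditions on extending it, and the calendar arithmetic at month ends. As an added example (not code from the original post or from GPRC Hub), here is a small Python tracker implementing that deadline and flagging logic. The request IDs and dates are constructed sample data, and the month-counting convention (receipt date to the corresponding date next month, or the last day of that month if there is none) is an assumption stated in the code; check your supervisory authority's guidance on the exact counting rule before relying on it.

```python
"""DSAR deadline tracker: computes the statutory response deadline for each
request and flags those at risk of, or already in, non-compliance."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import calendar


# Assumption: the month runs from the date of receipt to the corresponding
# calendar date in the following month, or the last day of that month if no
# such date exists (e.g. 31 January -> 28/29 February). Confirm the counting
# convention your supervisory authority applies before relying on this.
def add_months(d: date, months: int) -> date:
    """Return the corresponding date `months` later, clamped to month end."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class DSAR:
    request_id: str
    received: date
    extended: bool = False            # Article 12(3) extension notified to the subject
    completed: Optional[date] = None  # date the response was sent, if any

    def deadline(self) -> date:
        # One month by default; up to two further months if an extension
        # has been properly notified, giving three months in total.
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, notified_on: date) -> bool:
        """Record an extension. It is only valid if the data subject was told
        within the first month of receipt; returns False and leaves the
        request unchanged if the notification came too late."""
        if notified_on > add_months(self.received, 1):
            return False
        self.extended = True
        return True

    def status(self, today: date, warn_days: int = 7) -> str:
        """Compliance state of this request as of `today`."""
        due = self.deadline()
        if self.completed is not None:
            return "completed" if self.completed <= due else "completed late"
        if today > due:
            return "overdue"
        if (due - today).days <= warn_days:
            return "due soon"
        return "open"


def dashboard(requests: List[DSAR], today: date) -> Dict[str, str]:
    """Map each request ID to its compliance status; feed this to a UI or report."""
    return {r.request_id: r.status(today) for r in requests}


# Constructed sample data; the IDs and dates are illustrative only.
SAMPLE_REQUESTS = [
    DSAR("DSAR-001", date(2024, 1, 31)),                            # due 29 Feb 2024 (leap year)
    DSAR("DSAR-002", date(2024, 1, 31), extended=True),             # due 30 Apr 2024
    DSAR("DSAR-003", date(2024, 1, 5), completed=date(2024, 2, 9)), # due 5 Feb, response sent late
    DSAR("DSAR-004", date(2024, 2, 20)),                            # due 20 Mar 2024
]

if __name__ == "__main__":
    for rid, state in dashboard(SAMPLE_REQUESTS, date(2024, 3, 15)).items():
        print(f"{rid}: {state}")
```

The "completed late" state is the one to report on: a request answered after its deadline is still a non-compliance even though it is closed, and a dashboard that only shows open items will hide it.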
Take a look at our blog post on how managed file transfer can help with the requirements of the GDPR.
Do You Have an Effective DPIA Process?
Where processing is likely to result in a high risk to individuals, for example where it involves children or special categories of personal data, a Data Protection Impact Assessment (DPIA) is required; in other cases it is at the very least recommended. Outside of the standard DPIA requirements, think about:
- The risks presented when one or more of the GDPR's six core principles are not adhered to.
- The risks presented when the rights and freedoms of data subjects are not respected.
- The risks presented in your dealings with supervisory authorities, e.g. failure to conduct effective DPIAs.
Do You Maintain an Up-To-Date Data Catalogue?
It sounds easier than it is. Do you know exactly which types of personal data you collect and process throughout your organisation? Creating a data catalogue or asset register should incorporate:
- A list of processed personal data types, legal basis and retention periods.
- A system which lets staff select and display those personal data types simply.
Do you Maintain Up-To-Date Business Process Maps?
Very similar to the question above, but focused on the processing activities themselves. Can you list all of your data processing activities and workflows? Ensure that you can:
- Identify & define all of your business processes.
- Map personal data to business process.
Do You Have an Effective Incident Response Process for Data Breaches?
Irrespective of how secure or well managed you are, data breaches will occur. When one does, the GDPR mandates specific actions and timeframes: the supervisory authority must be notified within 72 hours of becoming aware of a personal data breach unless it is unlikely to result in a risk to individuals, and the affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them.
In order to manage incidents effectively, consider the following:
- A facility for all staff to easily report a potential incident.
- Automated incident tracking.
- An escalation facility to notify key stakeholders of a breach.
How Effective is Your System to Manage and Control Information Security?
From a general standpoint, how good is your information security posture? This might seem like an unrelated question, however it is often said that any organisation operating a robust and effective information security management system will find the GDPR a much smaller step than others have experienced.
How many of the following processes do you operate currently?
- Asset register.
- Risk assessment.
- Information security eLearning.
- Policy and procedure management and display.
- Change management.
- New joiners/leavers process.
How Do You Ensure Your Data Protection Lead is Kept Up To Date and Involved with Day-to-Day Privacy Operations within Your Organisation?
The GDPR requires a Data Protection Officer (DPO) for certain organisations (public authorities, and those whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data) and a data protection lead is good practice for the rest. In either case, this central point of responsibility should have their finger on the pulse of all things data protection.
There are numerous ways to achieve this, including the following:
- Ensuring an effective audit programme is in place.
- Ensuring new starters have completed their training.
- Ensuring information asset owners are assigned correctly.
- Ensuring risk assessments are completed promptly.
- Ensuring policies and procedures are read by staff and kept up to date.
- Ensuring potential security events are communicated to the DPO.
DLP Assured Ltd are specialists in governance, risk and compliance having worked in the industry for decades. If you have concerns about your adherence to the GDPR and your ability to conduct DSARs, take a look at their solution, GPRC Hub.
GPRC-Hub is a cloud based Governance, Risk and Compliance system that is designed to help staff engage with an organisation’s information governance programme. The system provides a range of services to automate and simplify governance tasks.
Would you like a short solution tour of GPRC Hub? Book a demonstration with us today.