Combat complacency and maintain compliance - what next for GDPR?

The GDPR enforcement deadline of May 2018 has been and gone – but that doesn’t mean that it’s done and dusted; that was simply the tip of the iceberg for data privacy. Organisations that become complacent about maintaining GDPR compliance are very much in danger of falling foul of it.

The key to success with regards to GDPR is having systems, processes and policies to establish and maintain ongoing compliance. Your organisation will need to evolve as your data does. In an increasingly digital world we obtain new data every day – this new data needs to be subject to appropriate handling and storage to maintain ongoing compliance. What was compliant yesterday for your data set will have changed overnight. This might seem like an impossible task – but there are some steps that organisations can take to make this burden easier.

Consider and take action against third party risks

  • Do those third party agreements you have in place ensure that your suppliers or processors have robust data governance structures in place?
  • Is it contractually clear who is liable if there is a data breach?
  • Is there an incident management plan in place which has been tested, in case something does happen that is outside of your control?

Re-evaluate your workforce education

  • Is your entire workforce aware of how GDPR impacts their day to day working lives?
  • Have you rolled out GDPR awareness training across your organisation – and not just in certain departments?
  • Does your workforce have enough knowledge of what is required to maintain GDPR compliance to act as your first line of defence?

Consider how you can adapt existing systems – rather than investing in new, expensive ones

  • Do your IT systems support ongoing compliance?
  • Can you adapt existing systems to satisfy key GDPR requirements such as data retention?

Ensure you have adequate policies, procedures and knowledge to deal with data subject requests

  • Data subjects have enhanced rights under GDPR – you should have documented and tested procedures in place to deal with all of these rights.
  • Your personal data registers, Data Privacy Policy and Data Retention Policy will be key documents in supporting your ongoing compliance activities.

Recognise the need for robust data due diligence

  • If you are merging or acquiring another business or organisation, have you assessed how much personal data will transfer across to you as part of the change? Ultimately you will be responsible for managing this data and ensuring that you have clarity over whether the data was obtained via consent or under a legal basis/purpose.

Establish a data breach incident management procedure and test it annually

  • In the event of a data breach you want to be in a position to minimise loss and contain the incident as quickly as possible.
  • Well documented and tested plans will support you in meeting the GDPR requirements for reporting personal data breaches.

Whilst it is early days for GDPR, don’t take it lightly. Personal data can have a price and data breaches are increasing daily. Stay ahead with good practice – and don’t become complacent as time goes on, as reputational damage and financial penalties can be difficult for organisations to recover from.

If you would like to speak in more detail about GDPR implementation and compliance and what it means for your organisation please contact our Data Privacy specialists, Sheila Pancholi or Steve Snaith.