The GDPR deadline 1 year anniversary is almost upon us. So assuming your organisation has implemented appropriate technical and organisational controls to protect personal data over the last number of years and months, do you simply forget about GDPR as a job complete, or where should you focus your data protection efforts now?
At Ward, we recommend to our clients that they should:
- Continue to operate and refine your GDPR management system. Your organisation is constantly changing so you need to continuously identify, assess and apply appropriate controls to new systems or changes to existing systems that have personal data in scope. Remember, the GDPR requires data protection by design and by default.
- Continue to operate and refine your GDPR organisation and technical controls. Hopefully, your organisation has already put in place appropriate organisational and technical controls. The next step is ensuring that you continuously audit, review, correct and improve the application and operation of these controls. Your company’s compliance should be with both the spirit and definite requirements of the legislation and this includes staying up to date with case law, clarifications and guidelines coming from the national courts, the CJEU, your relevant Regulator and the EDPB.
- Continue to review and improve on how you deliver on your data subject rights across your business. Ensure that you are meeting your organisation’s obligations under the legislation for basic data subject rights such as the right to be forgotten, data subject access requests, as well as obligations such as breach notification etc.
- Be compliant and be in a position to demonstrate your compliance to yourself, your data subjects, the Regulator and any other relevant parties. Ensure you maintain complete records of processing as well as minutes of decisions made as to the application of scope or appropriate controls etc. Remember, a key principle under the GDPR is that of accountability.
- Adopt a mindset of continuous compliance and continuous improvement. Aside from reducing or managing your data protection risk, you can also use this as a positive brand attribute to convey to your customers and data subjects that you take the protection of their data seriously. A company that can do this will benefit from increased customer loyalty and new customer wins.
- Look for opportunities to implement an overarching standard or framework based Information Security Management System such as ISO27001 which:
-
- Uses a standard based methodology and approach to implementing a manageable and auditable Information Security management system that coordinates an organisation’s general information security activities with its specific information security compliance activities
- Extends to other information security compliance schemes that your organisation may also be in scope for such as EU Network Information Security directive (EU NIS) for critical national infrastructure protection and the new Regulation on a Framework for the free flow of non-personal data within the EU
- Helps to prevent compliance sprawl – where controls or processes may be duplicated instead of being applied to help manage both compliance and general Information Security risk management requirements.
- Provides readily recognisable seals and certifications that can be used to demonstrate further compliance or mitigation to regulatory authorities as well as to demonstrate the operation of best practices to customers.
If you want to speak to our subject matter experts for further advice, call us: 1800 903 552 or e-mail us.