It’s been a year since the EU’s GDPR (General Data Protection Regulation) came into force. We all remember the flood of emails from businesses asking for confirmation that we wished to remain on their marketing lists and have our details stored on file. And we all remember the many articles warning organisations to get their houses in order and implement appropriate data protection measures for fear of enormous fines.
As promised, the supervisory authorities began softly in enforcing and policing GDPR compliance. According to The Register, fines imposed during the first year of the GDPR totalled €55.96 million (about £47.85 million), but nearly all of that came from a single €50 million (about £42.7 million) fine for Google.
The key question now, as that soft start wanes, is: how can you check that your organisation truly is GDPR compliant? There are four key areas you need to consider.
- General compliance
The GDPR includes 99 articles with hundreds of individual legal requirements, some of which apply only to certain organisations or in certain circumstances, so it can be difficult to gauge whether you are meeting your obligations. A gap analysis guides you logically through all the Regulation’s relevant requirements to identify which ones you are meeting and where you are falling short. It gives you visibility of your current compliance status and enables you to identify the actions you need to take to protect personal data and comply.
- DSARs
A DSAR (data subject access request) is a request from a data subject – whether a customer, partner, supplier, employee or other stakeholder – for a copy of the personal data you hold and process about them. Under the GDPR, you must respond to a DSAR without undue delay and in any event within one month, free of charge (the deadline can be extended by up to two further months where requests are complex or numerous, and a reasonable fee may be charged only where a request is manifestly unfounded or excessive). You must also be able to demonstrate that you have met this obligation, so it makes sense to log every request received and to have a consistent and – where possible – automated means of responding to DSARs. The gap analysis may identify this as an area you need to work on. The point is that, to achieve ongoing GDPR compliance, you need to ensure that every new DSAR is handled properly and within the deadline.
- Breach reporting
The GDPR requires you to keep a record of all breaches and incidents involving personal data that occur within your organisation, including the facts of each breach, its effects and the remedial action taken (Article 33(5)). Where a breach is likely to result in a risk to individuals, you must also notify your supervisory authority within 72 hours of becoming aware of it, and where the risk is high you must inform the affected data subjects as well. It therefore pays to streamline how you record breaches and how you report them to your supervisory authority. Again, the gap analysis may identify this as an area you need to work on, but to maintain ongoing GDPR compliance you need to ensure that your recording and reporting processes are followed every single time.
- Third-party management
It is important to remember that the chain of responsibility for GDPR compliance stretches beyond the boundaries of your organisation to any third-party partners or suppliers that process personal data on your behalf. As the controller you remain accountable for that processing: you must have a written contract with each processor setting out the required safeguards (Article 28), and you need to be able to monitor these parties and ensure that they are contributing to, not undermining, your own GDPR compliance.
Only by taking a logical approach to all four of these areas can you be sure that your organisation is truly GDPR compliant – and only by reviewing them on a dynamic, continual basis can you be sure that you are maintaining compliance.
That is why we launched CyberComply, which guides organisations through cyber risk and privacy management, monitoring and compliance in a scalable, repeatable and maintainable way. The platform brings together our five popular privacy and risk management tools, so you have everything you need in one place for governance, risk management and compliance.
For more information on CyberComply and how it can help you, visit our website.