If a tree falls in a forest but no one is around to hear its descent, does it even make a noise upon impact? If an organisation is mindful of data protection legislation but has no process for demonstrating compliance, is it compliant at all?
Both are big philosophical questions, but the reality is that, when it comes to data protection, demonstrating compliance is essential (accountability is, after all, one of the data protection principles!). The ICO recommends that you install data protection ‘by design and default’:
“This means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through its life cycle”
True compliance is a commitment to the installation of both technical and organisational measures, ensuring not only the efficient rectification and prevention of data breaches, but the sustained adoption of a positive data protection culture.
While there is no one-size-fits-all approach to data protection compliance, evidence is key (rest assured, the ICO is unlikely to find a verbal promise sufficient). Whilst each organisation has different data protection needs, and therefore different obligations in terms of compliance, the UK GDPR details explicit instructions about documentation practices:
- Records must be kept in writing.
- It is recommended for most organisations to maintain records electronically.
- You must maintain records for processing purposes, data sharing and retention.
- Upon request, and if required, you must be prepared to deliver records to the ICO.
- Information audits or data mapping exercises can aid the documentation of your processing activities.
- All data breaches must be recorded and (if necessary) reported to the ICO.
- Your obligation to demonstrate compliance is enduring and will require reviews and updates.
Need a little more advice? OK, let’s break it down a little further…
Maintaining documentation of your processing activities
Article 30 is quite clear: the UK GDPR now requires written documentation and an overview of procedures when personal data is processed (otherwise known as a RoPA). A RoPA allows your organisation to identify the areas which need improvement and gives you the insight to take steps towards remediation.
Your RoPA must be a living document, available to the ICO if requested and updated when business processes relating to personal data change.
For more information, click the link below: https://www.dataprivacyadvisory.com/dpas-compliance/record-of-processing-activity-services/
Data protection impact assessments (DPIAs)
A DPIA is a process whereby the data protection risks of a project are identified and either remediated or accepted. The UK GDPR mandates that you undertake a DPIA for a project which is ‘likely to result in a high risk’ to individuals’ interests. If the risk involves personal data, you might need a DPIA.
Your DPIA must:
- Detail the nature, scope, context and purposes of processing.
- Assess necessity, proportionality and compliance measures of the data processed.
- Not only determine risks to individuals, but identify additional measures which will mitigate those risks.
DPAS can provide expert support and advice around Data Protection Impact Assessments. We can help you to assess the risk and provide advice around remediating risks before projects go live. For more information about our DPIA services, click here: https://www.dataprivacyadvisory.com/dpas-compliance/dpia-help-and-assistance/
Appointing a data protection officer (DPO)
Alongside obligations to record processing activities and preemptive security measures to tackle data breaches, the UK GDPR introduced the duty to appoint a Data Protection Officer (or DPO). The appointment of a DPO is mandatory for public authorities or bodies and organisations who carry out certain types of processing activities. The DPO must be both independent and an expert in data protection. They can be either an existing employee or an external appointee but they must be adequately resourced, with the capability to report directly to the highest management level.
The DPO’s role includes:
- Monitoring internal compliance
- Informing and advising on data protection obligations
- Advising about data protection impact assessments (DPIAs)
- Acting as a contact point for data subjects and the ICO.
We understand that not all organisations may need or want to appoint an internal DPO. We can support you onsite or offsite. Your outsourced DPO will work as an extended member of your team. Our service is affordable for all business sizes, starting from just £500 per month.
For more information, visit our outsourced DPO page or read our blog discussing why outsourcing may be the best option for you.
As hard as we may try to cover everything, this blog is far from exhaustive. If you want to delve deeper into data compliance then look no further than the first ever, COMPLETELY FREE South West Data Protection and Information Governance conference. Our event will feature an entire lineup of speakers and guests from various sectors, all seeking to engage, educate and empower. International privacy expert Ralph O’Brien will be speaking on the subject of ‘Privacy Design and Default: turning compliance cost into business benefit’.
Visit our event page to reserve your spot now (and we recommend you don’t delay).