Proving GDPR Compliance
The GDPR comes into effect on May 25th and will bring increased accountability for personal data, together with much larger penalties for organisations that fail to comply. Unlike under the existing Data Protection Act, being compliant will not be enough on its own: the GDPR's accountability principle requires you to be able to demonstrate compliance. To avoid crippling fines, being able to prove GDPR compliance is therefore of the utmost importance. But how do you demonstrate it? In this article we outline some of the accountability measures you can undertake:
Data Protection Audits
If you are not fully aware of all the personal data you store, and where you store it, it will be almost impossible to comply with the GDPR or to demonstrate your compliance. This is why a data protection audit is essential. The work involved is identifying all the personal data your organisation holds and where it is stored, then reviewing each item against the following questions:
In certain instances it may be necessary for your organisation to appoint a Data Protection Officer (DPO) to oversee GDPR compliance. We have written an additional article to help you decide whether this is a necessary step for your organisation, what duties the role entails, and who is eligible to carry it out.
Privacy Impact Assessments (PIA)
Although PIAs are not a new measure, the GDPR (which calls them Data Protection Impact Assessments, or DPIAs) makes them mandatory in certain cases. A PIA should be carried out before starting any new initiative that is likely to involve 'high risk' processing. 'High risk' means processing that is likely to put data subjects' rights and freedoms at risk, for example systematic evaluation or profiling of individuals, or processing special categories of data such as racial or ethnic origin or health information. The purpose of a PIA is to identify the risks to data subjects early and decide how to minimise them; the documented assessment is also evidence of compliance if the regulator asks for it.
The ICO encourages pseudonymisation as a way to strengthen data security and privacy. The GDPR defines it as processing personal data so that it can no longer be attributed to a specific person without the use of additional information, which must be kept separately and protected by technical and organisational measures (for example, replacing a customer's email address with a token and holding the token-to-email mapping, or the secret key that generates the tokens, in a separate, access-controlled store). Pseudonymisation is also one of the factors the GDPR weighs in favour of further processing for a purpose other than the one the data was originally collected for. Note that pseudonymised data is still personal data: whoever holds the additional information can re-identify the person, so the GDPR's obligations continue to apply; only genuinely anonymised data falls outside them.
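To make the definition concrete, here is an added example (not code from the original page, nor from Arden Group) of what pseudonymisation looks like in practice, and of the mistake that most often undermines it. The records, the key and the candidate email list are all constructed for the example. Each email address is replaced with an HMAC-SHA256 token; the key and the token-to-email lookup are the "additional, separate source" and would live in a different, access-controlled store from the working dataset. The last function shows why a plain, unkeyed hash does not qualify: anyone who can guess the input space rebuilds the mapping with a dictionary attack.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people). "email" is the direct
# identifier we want out of the working dataset; "diagnosis" is the
# special-category data the analysts actually need.
RECORDS = [
    {"email": "alice@example.com", "diagnosis": "asthma"},
    {"email": "bob@example.com", "diagnosis": "migraine"},
    {"email": "alice@example.com", "diagnosis": "asthma"},
]


def pseudonymise(records, key):
    """Replace the identifier with a keyed HMAC-SHA256 token.

    `key` is a secret held separately from the dataset (a hypothetical
    HSM- or vault-backed key in real deployments). Without it a token cannot
    be linked back to the person, while the same identifier always maps to
    the same token, so records can still be joined for analysis.
    Returns (pseudonymised_records, lookup). `lookup` maps token -> identifier
    and must be stored apart from the working data, or discarded entirely if
    re-identification is never needed.
    """
    out, lookup = [], {}
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()
        lookup[token] = r["email"]
        out.append({"subject": token, "diagnosis": r["diagnosis"]})
    return out, lookup


def reidentify(pseudonymised, lookup):
    """Controlled re-identification by the party holding the lookup table."""
    return [{"email": lookup[r["subject"]], "diagnosis": r["diagnosis"]}
            for r in pseudonymised]


def naive_hash(email):
    """The common mistake: an unkeyed hash of the identifier."""
    return hashlib.sha256(email.encode()).hexdigest()


def dictionary_attack(tokens, candidates):
    """Re-identify tokens by hashing guessed identifiers and matching.

    Works against naive_hash() output because the attacker can compute the
    same function; fails against HMAC tokens because the key is missing.
    Returns a dict of token -> recovered identifier for every hit.
    """
    table = {naive_hash(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-elsewhere"
    pseud, lookup = pseudonymise(RECORDS, key)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]

    print("working dataset:", pseud)
    print("re-identified by key holder:", reidentify(pseud, lookup))
    print("dictionary attack on unkeyed hashes:",
          dictionary_attack([naive_hash(r["email"]) for r in RECORDS], guesses))
    print("dictionary attack on HMAC tokens:",
          dictionary_attack([r["subject"] for r in pseud], guesses))
```

The security of the scheme rests entirely on the key and lookup table being inaccessible to whoever works with the pseudonymised data; if they sit in the same database, or the key is checked into the same repository as the ETL job, the data is not meaningfully pseudonymised. Also remember that the remaining fields can still identify people (a rare diagnosis plus a postcode is often enough), which is why pseudonymisation reduces risk but does not take the data out of scope of the GDPR.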
Do you need more information about how to get ready for the GDPR? Arden Group has teamed up with Microsoft and Mimecast to bring you a complimentary GDPR seminar in Birmingham; find out more and book your place.
We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm, so the views expressed on this page are not necessarily shared by lawyers or the courts.
Arden Group therefore does not guarantee that all the information here is accurate or correctly interpreted. If you need to be certain that your company meets its GDPR obligations, seek legal or other specialised advice.