A study from Veritas claims that there is a worldwide climate of fear over GDPR compliance. In fact, 86% of organisations polled are concerned that failure to comply will damage their business, and a further 20% fear it could shut them down entirely. Is it that bad?
Well, no, not really. As the old saying goes, it’s only worth worrying about something you can change. And in light of Veritas’s study, it bears repeating that compliance is entirely an internal issue – so you have the power to tackle GDPR compliance within your organisation.
In the previous article, we looked at the first four steps on the GDPR compliance roadmap. The following four, though more esoteric in nature, are all processes that you can start today.
You have 12 months to comply…
If you operate internationally, then you will need to find out which data supervisory authority you come under. There are elaborate arrangements for working this out. The authority will usually be where the organisation’s central administration is; this is simple for single branch/country organisations, harder for multi-site operations. Thankfully, there’s guidance at ico.org.uk.
The GDPR requires that some organisations designate a Data Protection Officer – either internally or externally. The individual(s) have to take proper responsibility for your data protection compliance, so they should have the knowledge and support to do so. This ruling applies specifically to local authorities and to organisations that frequently handle and monitor large data sets. Determine now whether that applies to you.
Individuals’ rights are still largely the same under the GDPR as they are under the current Data Protection Act (DPA). Nonetheless, check your procedures to ensure they cover all of those rights, and have plans in place for deleting the data should you be asked to do so.
It’s also worth assessing your legal basis for processing the data you hold. Generally speaking, this is good practice, though it is entirely understandable if until now it has not been a priority. Look at the types of data you hold, how it is processed and your legal basis for doing so, and document it. This again is broadly similar to the DPA, but it still needs to be checked to meet the GDPR’s accountability requirements.