The Power of Vigilance
At Enguard we provide audits, training, templates, cyber security and data protection advice to customers all over the country. While each organisation’s needs are different, one of the most commonly asked questions is “when will we be compliant?” and unfortunately the answer must always be “GDPR compliance is a journey, not a destination”. In this article we will explore why GDPR compliance is an ongoing process and how this is a good thing for your company, not just in the realm of data privacy.
The road to compliance has many steps, and it starts with an audit. An audit is by its nature a snapshot in time of how your company processes data: what it holds, what legal basis it has for holding it, what security measures it has in place and how long it keeps the data for. The audit will show what you are doing well and what you are doing not so well. It also creates a helicopter view of your company’s data flows and of its approach to the core GDPR rights, principles, legal bases and obligations. The output is normally a roadmap of improvement measures.
If you conduct an audit and follow up on its recommendations, your company is demonstrating compliance and a desire to change its data protection practices for the better, and that can only be a good thing. However, once all the changes recommended by the audit have been completed, this is not the end but rather the beginning, and here’s why: things change.
In the six to twelve months after your audit, things will naturally develop that have an impact on your data protection compliance. Staff will move on, new systems will be introduced, new data will be gathered and new problems will present themselves. Life isn’t static. Regular annual audits will capture the changes that have occurred within your organisation and benchmark them not only against the improvement goals you have set yourself but also against the strengths and weaknesses identified in your previous audit. Issues will also have become apparent in the drafting of your retention schedule: you may discover you are storing data for too long in some cases or not long enough in others.
Compliance means the act of obeying a law or regulation. In the context of the GDPR this is fairly obvious – organisations wish to show how they apply the regulation within their company: having a data protection policy (accountability), assigning a data protection officer or representative (governance), informing customers how their data is processed through a privacy statement (transparency), and having systems and procedures in place to keep data secure. As discussed in other articles, the GDPR and the data protection acts will always be evolving, and therefore so will your approach to them. The regulations evolve through court judgments, published opinions of the national supervisory authority and new legislation, so your organisation will need to keep abreast of these interpretations as they come on-stream. In the past year alone the Irish national supervisory authority, the Data Protection Commission, has commented on the use of images at communions and on the use of the síneadh fada.
Since the GDPR came into law in May 2018, the European Court of Justice has handed down decisions on data privacy issues such as the collecting or processing of personal data in the course of door-to-door preaching and the controller status of fan pages on a social media site. New legislation in the area of online marketing will draw on the GDPR but also add new areas for consideration from a data protection perspective. Regular audits and training will keep staff in the loop on these developments and demonstrate ongoing compliance in practice.
Finally, as we all know, the GDPR introduces penalties for breaches or non-compliance, and these can be detrimental to a business both financially and in terms of reputational damage, so ongoing checks on your compliance efforts are key. A re-audit will help you to spot where new data protection problems are developing. As the saying goes, “From small seeds grow big trees”, and so too with problems. Regular low-level breaches that are being recorded on your breach register on an ongoing basis will identify needs for further staff training and possible problems in your IT or filing systems that need to be addressed immediately.
Engaging with a GDPR consultant will provide pertinent advice on tackling areas of concern effectively. Other red flags can be problems in gathering data for subject access requests. Delays in sourcing data can be signs that filing systems are disorganised, that unnecessary duplication is common and that data egress is increasing; these pinpoint bigger issues in your company that could be affecting other areas such as server storage overload, customer service or internal communication silos.
Regular updates to your data flow mapping and to your document review are required as you change and grow as a company. You need to know how you process your data, and you need to inform your customers, staff and other data subjects of these changes.
Enguard can assist with the issues you encounter on your GDPR compliance journey, from audit, security and staff training to drafting policies and procedures. We provide re-audits and training updates specific to your needs. For further details please call us at Enguard on 0818 252 052 or email firstname.lastname@example.org. We would love to hear from you!
Disclaimer: Please note the above article is an opinion piece based on current sources of information available at the time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers.