It is important to realise that the evidence your organisation is on track for GDPR compliance lies within your policies, procedures and other internal documents. While your privacy policy and terms and conditions are the external documents people look at most, the ICO would be more interested in your internal documentation.
What’s most important
The ICO has made it absolutely clear that organisations that make no effort to comply with data protection laws will be the ones penalised most heavily.
To start on your road to compliance there is a simple test on the ICO website to see whether you need to register your organisation with the ICO or not. There are some exceptions, which are probably only fully understood by the ICO themselves, and not paying the fee will lead to financial penalties of up to £4,350.00.
After you’ve taken the test and paid your fee (if necessary), it’s time to understand what data your organisation processes and how you should classify it. Each item will be Personal Information, Special Category Information or “other” information, and the only way to know which is to complete a data audit.
Once you know how much Personal and/or Special Category information you hold and process, you can start to write your policies. The trinity of policies most often referred to for compliance with GDPR are: a data policy, a marketing policy and an information security policy. Each one sets out, at the highest level, how and why you collect personal data (including Special Category data). The basic rules for how long you keep it and how it will be disposed of should be there too. Data can be obtained and stored physically or electronically, and you need to identify which process uses which style of storage. Where data is used for marketing purposes you will need to gain consent before sending marketing materials.
Next you need a marketing policy and an information security policy. These should take the principles of the data policy and apply them to their specific topics. They also cover new areas of concern, like how people unsubscribe from marketing material and when to review, and sometimes change, the passwords for IT systems (including door entry systems).
The details
It is easy to forget that once this part is done you still have to check that your procedures and other documents match the high-level controls in your policies. These do not have to be long and can cover a single process, like renewing the SSL certificate on your website. Don’t forget that some of the larger financial penalties the ICO has imposed have been because the controls relating to this type of process were not followed correctly. You could say that there are 189 million reasons to get this kind of thing right.
At the end of the day GDPR is about attitude. Any organisation that emphasises the need to boost income, or profit, over the safety of personal data is going to be on dodgy ground when it comes down to an investigation by the ICO.
Get organised, understand your obligations and be sure that your route to compliance with this important regulation is well on its way.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through enquiries@eyebray.com, or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.