To complement the publishing of an article in the Brentwood Chamber of Commerce newsletter about GDPR reviews we have added a similar item here.
GDPR compliance is proven through good documentation, good understanding of the regulation and review processes. Review processes provide the evidence that all is well which in larger organisations commonly includes the appraisal review process.
Documentation should include evidence of a data audit, the three major policies (data policy, information security policy and marketing policy), an affirmation of following the data protection by design principle.
These should highlight where/whether you collate and process personal information, special category information and data relating to children and how the security measures for each differ.
The data audit and the data policy should be used to create a retention process and an easily read table for each process or data type.
The Elements of a GDPR Review
The reviews that should be documented are the relevance of the major policies, the number of breaches that occurred (and which required reporting to the ICO) and a review of how accurately the processes are carried out within the organisation.
How long this will take depends on the size of your organisation its sophistication and how well everything is documented. Basic reviews for micro companies may take less than a day to complete. Those for larger, or more sophisticated, companies can take substantially longer.
Which Type of Review is Best?
The best type of review is similar to an audit. The person would comment on what is there (in term of documentation), detail what is missing, and identify the risks being run and how to mitigate them. Use the report, make a plan and close the gaps to keep yourself covered. We appreciate this is light on details and we would be pleased to answer any detailed questions.
There’s lots more information in our specialist data protection section here: https://eyebray.com/category/gdpr/
There is always the ICO to visit for more information direct from them.