How do I measure GDPR compliance?
14th January 2019
There is currently no tick-box solution for measuring GDPR compliance, but there are ways to demonstrate your compliance should the ICO come knocking. You need to put the work in now: this is an ongoing commitment, not a one-off exercise.
We were originally told that a certification scheme, which would have given organisations a vehicle for demonstrating compliance, would be in place before the GDPR came into effect in May 2018. That did not happen, and the ICO currently have no plans to accredit certification bodies or to carry out certification themselves.
So the onus is on you, whether data controller or processor, to measure your compliance and thereby be able to demonstrate it.
The buzzwords are documentation and evidence: proof that you have done everything the ICO expect of you in order to comply with the GDPR.
Keep robust records detailing:
- The policies and procedures you have put in place in order to achieve compliance.
- Your privacy and cyber security controls.
- The staff training you have delivered, showing that all relevant staff are aware of their data protection responsibilities.
- The written contracts in place between you and any external body (processor) with which you share personal data.
- The data protection impact assessments you have carried out.
- Your commitment to ongoing accountability: you are obliged to review, and where necessary update, your data protection measures.
- Any personal data breaches, and whether and when they were reported. Article 33 requires you to document every breach, including those you judged not to require notification to the ICO, so that the ICO can verify that judgement.
It is, of course, that final point, a personal data breach, that is most likely to prompt the ICO to ask for proof of your compliance. Accountability has two edges: one is the responsibility for complying with the GDPR; the other is that you must be able to demonstrate that compliance. This is explicit in Article 5(2) of the GDPR.
Make sure you can demonstrate that you have done everything you ought to have done in order to be fully compliant. Once you get that knock on the door, it may be too late to start. So keep those records, and keep them well. Good records are mitigation against any potential enforcement action and protect your finances and your reputation, as well as the personal data in your care.
If you would like any specialist advice about how to demonstrate your compliance or some training for your employees, please get in touch and we’ll be happy to help – 01673 885533.