Steps to Compliance
Simplicity is key when navigating the requirements of the General Data Protection Regulation (GDPR), and most of the regulation should be seen as simple common sense. As business owners we can sometimes forget the responsibility of being a caretaker of another's personal data. We often see the data as ours when in fact it's not.
If you were entrusted to care for another's precious item, wouldn't you make sure that you met that trust head on, and that you did all in your power to protect the item entrusted to you? Personal data is extremely precious: in the wrong hands, or in neglectful hands, it can impact a person's life significantly.
Deciding to be a trustworthy company is the first step in meeting the regulation and honouring the trust that a data subject has placed in your organisation.
What data do you hold? What do you do with the data? Does the data subject know what you do with their data, and whether you share it with any other business? Do you have current data protection controls in place, or do you not?
What gaps do you have?
Are you processing data fairly, securely, for the purpose it was intended, and only for the time it was intended to be kept? Do you make it available to the data subject? Is the processing consented to, or do you rely on other lawful bases for processing outside of consent?
The areas to address: DPIA, policy, education of staff, controller/processor contracts, extra-territorial data transfers (anything outside the EU), informed consent, transparency, access, data protection officers (if you need one), enhanced security (physical and digital), and privacy by design and default.
Arriving at the final step to regulation is a significant move forward; however, we cannot meet compliance simply by creating a great policy or having the latest state-of-the-art security software. Meeting regulation head on requires a cultural change in an organisation. We can be compliant on paper, but if we do not live the programme we cannot ever meet what is required.