The General Data Protection Regulation (GDPR) brings in a multitude of new data protection requirements for organisations. A key principle of the new regulation is accountability – demonstrating that you comply with the new regulation, as opposed to just saying you do.
Much of the focus to-date has been on understanding what data is where in an organisation and how it is collected, retained and disposed of. This will lead to increased policy and procedure, but also requires disciplined record-keeping of the privacy analysis conducted and decisions made.
Elizabeth Denham, the Information Commissioner previously said after previous investigations in Canada: “We didn’t just investigate whether these new specific initiatives complied with the law, but evaluated and reported out on how well organisations met their accountability requirements across the entire business” . As with many organisational challenges, documentation is often a lower priority than implementation, but is the most important thing you need when implementation fails.
For example, the GDPR requires the implementation of privacy by design and default – these processes should also include creating and updating a record of the privacy impact assessment undertaken and the security features that it has led to as well as the assessment process itself.
If there is a data breach or complaint to the ICO, I expect this to be an area of focus – enforcement action will naturally require these records to be reviewed during an investigation, and their absence could potentially be taken as an indication that other areas are potentially out of compliance.
Generating these records shouldn’t have to wait for May 2018. The assessment of your GDPR readiness, and the meetings and decisions that go with it, form valuable records to show that you are serious about compliance. Whilst the focus of GDPR readiness is often data, the ancillary areas are just as important.