This is the last installment on the virtues and requirements of GDPR. In this series you learned a few things, like whether or not you need to comply, what to do if you actually need to comply and what to take into account when you are prioritizing your activities towards GDPR compliance.
Now you should feel comfortable knowing that at least you understand what this new data compliance regulation is about and, based on your business, what the key areas are that you need to take care of.
On May 25 you will certainly be in a better place than before you understood the requirements for GDPR compliance.
So, what is the very last step to achieving full GDPR compliance? Simple. Ensuring that you remain compliant.
GDPR is a journey, not a destination
As I mentioned before, GDPR is not an isolated event in time. Achieving compliance on paper is not enough.
The real purpose of regulations like the GDPR, is not to force you to fill your time documenting your practices. Instead the key goal is for you to understand your data better, to stop, think and question why you are collecting the data you are collecting and most importantly, how you are protecting it and ensuring it doesn’t fall into the wrong hands.
This objective is not achieved by going through this analysis and then putting it on a shelf. Now that you went through the effort, you have to make it a way of living, a way of doing business. And you have to adopt personal data protection and privacy management as part of your core values as an organization.
Continuous improvement is the name of the game
The XXI century has taught us that truly the only constant is change. Technologies today are vastly different from 10 years ago, data analytics has evolved tremendously and sadly to say, cyberattacks have become more targeted and sophisticated.
Therefore, it seems reasonable to assume that if technology, analytics and cyber-threats are ever evolving, your data protection strategy should evolve too.
And in the context of GDPR, what does this mean?
Well, in order to become compliant you documented your processing activities, you created data maps, you updated your 3rd party agreements, created consent mechanisms and developed processes to respond to data subject requests, among other things. Now you have to update them and ensure that they remain relevant. How do you achieve this? By operationalizing your data protection and privacy program. Here are some steps that you should keep in mind:
- Governance and accountability. The governance and accountability model that you adopted with the advent of GDPR needs to be strong and alive. It needs to identify and agree on KPIs and it needs to dictate the implementation of on-going reviews of your data protection processes. Start with an evaluation 6 months after you initially achieved compliance. Evaluate what you have achieved, where your gaps are and what can be done better. Adjust, implement and evaluate again. Remember, what gets measured gets managed.
- Ensure that new processing activities and new data elements are entered in the processing activity and data mapping documentation. If there are changes to existing processes, immediately update these documents. Ensure that they are always consistent with the reality of your business and that the integrity between the two remains intact.
- Review your data protection policies. This is related to the changes we discussed before. When a technological or business change comes along, ensure your policies are keeping up with these changes.
- Adopt Data Protection by Design. DPbD is a key element of an organization with mature privacy practices. It is important not only because it is required as part of GDPR compliance but because it forces you to adopt a culture of privacy throughout every department and with every individual.
- Keep an eye on your 3rd party providers. Work towards your own continuous improvement, but don’t forget that the risks of your vendors are your risks. Perform ongoing reviews just as you do internally. Keep them accountable the same way you are keeping your own organization accountable. Provide incentives to reach that level of excellence. At the end of the day, if you are a controller, what your processor does reflects on you, both the good and the bad.
Ready… Set… Go!
I know that GDPR may seem overwhelming and intimidating. Other standards in the past felt the same way, like work safety regulations in the 80s. Now we look back and we are in a much better place than we were before. I’m sure in the future you will be glad that you took this step, for the sake of your company but most importantly, for the sake of your customers.
Go back to the series
Find out more about Kirke’s GDPR consulting services here