GDPR: does your paperwork stand up to scrutiny?

Bovill

If your company’s preparations for GDPR were rushed, now is the time to fill in any gaps. If the ICO come calling, they’ll expect to see a credible plan, and with data protection high on the FCA’s agenda, the regulator won’t be far behind.

Most firms will have had a plan of some sort in place. Now is the time to make sure you didn’t miss anything during implementation and that what you have embedded is sustainable.

What sort of thing do you need to have documented? Your plan should act as a checklist for documenting compliance with each area of the regulation.

This should include:

  • a record of processing activities, in any department, that use personal data. What data do you hold? What is processed by whom, and who does it get sent to?
  • an appropriate data protection policy
  • an articulation of your lawful bases for processing personal data
  • an assessment of whether your organisational culture adheres to the core principles of data protection (which haven’t really changed since the 1998 Data Protection Act)
  • a process to make sure the data is accurate and up to date
  • an approach to obtaining, recording and managing consent to hold personal data
  • procedures to address requests from data subjects, including updated privacy notices
  • a clear retention policy so you hold data only for as long as it’s needed
  • evidence of appropriate IT safeguards to protect the personal data you process
  • clear notification procedures so that in the event of a breach you can inform the ICO within 72 hours
  • evidence of clear data protection governance across the three lines of defence.

In terms of priorities, start with the areas which involve interaction with consumers. It’s vital to equip your organisation to deal with consumers’ subject access requests, and to display an up-to-date privacy notice telling individuals how their data will be processed.

Having a robust plan in place not only demonstrates that you’re taking the issues seriously, it should keep you on track as GDPR becomes business as usual.

Bovill is helping clients figure out how they’re affected by GDPR and assess whether their processes are up to scratch. For more information on this, or to find out about our new GDPR healthcheck, get in touch.
