Achieving GDPR Compliance
Every organisation wants to achieve GDPR compliance and ideally without impacting daily operations and without cost.
This is the starting point for most organisations. It is also where the challenge begins.
The first thing to consider is that there are two primary pieces of data protection legislation - the GDPR and Data Protection Act 2018 (DPA). These sit alongside each other. The GDPR is a principle-based piece of legislation that will rarely tell you exactly how to do something. It is up to organisations to decide how best to apply those principles to their handling of personal data and subsequently justify those decisions. This therefore is not always an easy task.
Ultimately, organisations need to make decisions about what personal data they collect, how they use it, what lawful basis they rely upon, who they disclose it to and how to long to keep it. While there is a lot of guidance and advice available, they often conflict or contradict each other. This usually leaves people feeling more confused than when they began.
The Compliance Problem
There is an issue in that “GDPR compliance” isn't defined anywhere. The closest the legislation comes to describing compliance is the reference to proposed certification bodies (Article 43 of the GDPR). Unfortunately none currently exist in the UK. A starting point for wanting to be GDPR compliant is therefore problematic as there is no obvious standard to compare against.
In our opinion, the only way to break this down is to is to treat data protection as an ongoing risk management exercise. Your organisation will need to understand where your unacceptable risks are. You can subsequently review and amend appropriate business processes and repeat until you are happy with the remaining risks. When you achieve that, you'll need to review new processes and manage Business-As-Usual Data Protection.
This approach allows you to address organisational priorities. These may be 'quick wins' or you can use the GDPR to drive positive organisational change either in terms of business processes or digital transformation. This allows you to address your Data Protection obligations in the manner that best suits you.
You may have all of this in hand and have internal resource to deliver the changes you need. If you don't have the capacity or expertise though, we can help. Our data protection services, on-going support and consultancy are here for you.
Fill out the form contact form or call us on 020 3691 5731 to explore further.