As the official season of goodwill to all mankind draws to a close I was encouraged to hear the UK Information Commissioner’s message, bringing GDPR hope and positivity to us all…
“If you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.”
GDPR is for life, not just for May 2018
Myth 9 in the ICO’s GDPR myth busting blogs series has confirmed what we’ve understood for some time, the General Data Protection Regulation will not signal the end for many small businesses as the harbingers of doom (aka snake oil salespeople) would have us believe.
We know for certain that there will be no ‘grace period’ allowing organisations time to get it right…why should there be? We’ve had 2 years to prepare!
It’s also clear that this is not a case of purely being compliant, in tickbox fashion, by the deadline.
GDPR is for life, not just for May 2018, and will require “ongoing effort” to ensure the culture of data privacy and good practices live on.
But there is no reason to lose sleep…the ICO delivers peace, goodwill and hope…
‘Fair and proportionate’ data protection regulator
“Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action. That means being able to show you have been thinking about the essential elements outlined below and who is responsible for what within the business.”
The article goes on to explain…
By now you should be putting key building blocks in place to ensure your organisation implements responsible data practices:
- Organisational commitment – Preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data – recognising that the public has a right to know what’s happening with their information.
- Understand the information you have – document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third-party processors to ensure they’re fit for GDPR.
- Implement accountability measures – including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you and thinking about what new projects in the coming year could need a Data Protection Impact Assessment.
- Ensure appropriate security – you’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks
- Train Staff – Staff are your best defence and greatest potential weakness – regular and refresher training is a must
No “off-the-shelf” solution can promise GDPR compliance
But how to put all this in place in time to meet the May 2018 deadline?
It’s true, no one company or software solution can do this for you, no matter what their marketing material may say.
The responsibility for compliance lies with you as the data controller, processor, or both.
However, there is a solution that can make it a whole lot easier to not only prepare for compliance but manage it on an ongoing basis.
ISMS.online will ensure you can demonstrate commitment, accountability, and transparency, will give you a tool and process to understand what information you hold, and allow you to carry out Data Protection Impact Assessments and evidence the required policies and procedures are in place.
You’ll be able to follow ISO 27001 aligned policies for the required information security functions, including risk management and incident management and Adapt pre-configured training resources, policies, and processes for evidencing staff have acknowledged and accepted them.
Demonstrate these key GDPR building blocks are in place and you are well on the way to satisfying your ‘Fair and proportionate’ regulator.
Want to find out how ISMS.online can help?
Not ready to get started? Subscribe to receive more articles like this.
The information in this blog is for general guidance and does not constitute legal advice.