Maintaining your data protection compliance
The GDPR’s “accountability” principle is clear that it is up to organisations to make sure they can demonstrate their compliance. This takes the form of various requirements from maintaining documentation, training staff and having data protection policies in place, but accountability goes much further than this.
Article 24 (“Responsibility of the controller”) expands on this: Data Controllers must put in place appropriate measures to uphold compliance and be able to demonstrate that compliance. It goes on to say that these measures “shall be reviewed and updated where necessary.” The ICO’s guidance reiterates the point, stating that “accountability obligations are ongoing” and that you “must review and, where necessary, update the measures you put in place.” Furthermore, the “GPEN Sweep 2018” study also reiterates the expectation that organisations self-audit/assess their ongoing compliance.
What is not so clear in the Regulation or the ICO guidance is how frequent these “reviews” should be. The best the ICO has to offer is that compliance should be reviewed at “appropriate intervals”. We do know, however, from the April 2018 ICO Charity Review, that the ICO expects organisations to be able to demonstrate that they carry out “routine” compliance checks.
In the absence of specific timeframes, it is our opinion that, whilst data protection compliance must of course be maintained within an organisation at all times, an appropriate interval for a formal review is at least annually, and that such a review should include:
- A review of your data and data processing activities including a review of your third-party processor due diligence and lawful basis for processing
- A cross-reference with your approach/compliance with any changes in law, guidance or codes of practice
- Identification of any changes in your processing activities that might mean you now meet certain criteria that you didn’t in the past (e.g. the need to have a mandated DPO or documentation requirements for 250+ employees, etc.)
- Refresher training for your staff
- Ensuring procedures are in place to deal with data subject complaints and queries
- Making sure your ICO registration is up to date
But as well as these annual reviews and refreshers, you should also consider how else you can maintain (and ultimately demonstrate) that you take ongoing compliance as seriously as you did getting GDPR-ready for May 2018. The best way to do this is to consider your internal comms to your employees. This could mean rolling out monthly briefings on a particular compliance topic (e.g. a focus on dealing with breaches, third-party due diligence, etc.) and/or sharing information in team meetings.
Your reviews shouldn’t need to be as complex and detailed as they perhaps were when you were preparing for GDPR in May 2018, but you should document the outcome nonetheless, so that you have written evidence of both the review itself and its findings.