Demonstrating compliance with the UK GDPR – the 12 steps – Part 1

Obtaining an understanding of any piece of UK legislation, so that you can ensure compliance within your organisation, is important.

Before UK GDPR took effect the Information Commissioner’s Office (ICO) produced an infographic that contained 12 steps which organisations should take to prepare for its introduction. It was and remains a useful approach for determining your compliance status and can be used to structure policies and procedures.

Over the next 3 months we will help you to consider the tasks and questions you need to have in mind to align your organisation with the 12 steps.

1. Awareness – Decision makers and other key people in your organisation should be aware of UK GDPR and its implications for the organisation. An internal communication strategy needs to be in place so that awareness and training are circulated throughout the organisation. Cyber security training can be integrated with data protection and UK GDPR training. Testing knowledge is another aspect of awareness, along with regular refreshing of that knowledge.

2. Information you hold – You should document what personal data you hold, where it came from and who you share it with. This should also include the categories of personal data being processed. You should also identify which entities fall within the scope of UK GDPR for your organisation. Identifying the high-risk databases, such as those containing payment details or contact details, and the high-risk data flows is a crucial step in documenting the information you process.

3. Communicating privacy information – Put a plan in place for drafting appropriate privacy notices for information sourced directly and indirectly. Where these already exist, they should be reviewed to ensure they are fit for purpose. Article 30 requires each company that is a data controller under the scope of the UK GDPR to maintain ‘Records of Processing Activities.’ These records should show why and how data is being processed.

4. Individuals’ rights – You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. A Data Subject Access Request (DSAR) is a submission by an individual (data subject) to an organisation for access to the personal information that is held about them and how it is being used. Do you have a procedure for responding to such requests?

The ICO website says: “Accountability is one of the data protection principles – it makes you responsible for complying with the UK GDPR and says that you must be able to demonstrate your compliance. Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place. If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.”

Following the initial four steps we have discussed above, and the remaining eight we will cover over the next two months, will act as a guide to creating the culture of privacy that the ICO refers to above. The other key point from the ICO is that “accountability obligations are ongoing”.

By demonstrating ongoing compliance with the data processing principles and practices of the UK GDPR you will build that culture of compliance.

CSRB has a simple mission: to be clear and open about personal data protection, covering what you need, why you need it and what you are legally required to do. We will help you manage and protect that data responsibly while taking the jargon out of the process. Get in touch with us here or call 0117 325 0830 to learn more about outsourcing your Data Protection function to us.