Over the last two blogs we have been examining the 12 steps which organisations were advised to take to prepare for the introduction of GDPR.
This time we will look at the final four steps in the process:
9. Personal Data breaches – Organisations need to have the right procedures in place to detect, report and investigate a personal data breach. You will need to have created an incident response plan to report any data breaches. These will need to be integrated with existing customer service and business continuity processes.
Employees will need annual training to understand the implications of a personal data breach, how to respond and who needs to be informed.
CSRB strongly recommends having an internal Personal Data Breach Policy and scheduled annual training for all employees, as the timeframe for reporting a data breach is often only 72 hours (including weekends and bank holidays).
10. Data Protection Impact Assessments (DPIA) – A DPIA is a process to help you identify and minimise the data protection risks associated with a project. To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals rights and freedoms from the processing of personal data.
The Information Commissioner’s Office (ICO) website includes some useful checklists that can assist with identifying the risks to personal data processing.
DPIAs need to be carried out by data controllers with professional advice sought from the organisations Data Protection Officer (DPO).
11. Data Protection Officer (DPO) -. Organisations need to consider whether they are required to formally appoint a Data Protection Officer (DPO) and assess where a DPO would sit within their organisational structure and information governance arrangements. It is strongly recommended that even if you are not legally required to appoint a DPO, you appoint one voluntarily, as this offers many benefits to the organisation, its employees and customers.
CSRB provide a number of outsourced DPO support packages tailored to the organisation and relevant market sector.
12. International Transfers – UK GDPR restricts transfers of personal data to a separate organisation located outside of the UK, unless the rights of the individuals in respect of their personal data is protected in another way (e.g. appropriate safeguards such as risk assessments or adequacy decisions).
This is a complex area and the subject of a previous CSRB blog by itself. If your organisation ever transfers data out of the UK, then talk to CSRB to understand the latest data controller responsibilities and the potential risk this could pose to the data subject and organisation.
The twelve steps detailed throughout this blog and the two previous blogs will help fulfil your compliance requirements for accountability under UK privacy legislation.
The other critical area to be aware of is the need to communicate your data protection strategy to employees, and anyone else associated with your organisation who may be affected by your data protection procedures, such as third parties.
This takes us right ack to step one, where we said “An internal communication strategy needs to be in place so that awareness and training is circulated throughout the organisation. Recording completion and testing knowledge is another aspect of awareness, along with regular refreshing of that knowledge.”
CSRB is a certified personal data protection online training provider. We have a simple mission. To be clear and open about personal data protection. What you need, why you need it and what you are legally required to do.
We are committed to providing high quality online training that guides individuals through the requirements laid down by the UK GDPR and the regulator, the ICO.
Please get in touch with us here or call 0117 325 0830 to learn more about how we can support your journey to data protection compliance.