Undertaking an audit and gap analysis is the best start on your organisation’s journey to becoming GDPR compliant. It allows you to assess what information your organisation processes as a whole and to identify the steps you need to take to become compliant.
We provide a working report which can be updated as and when processes are complete. This is proof of accountability and shows evidence of working towards the Information Commissioner’s Office (ICO) guidance.
The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
DPOs assist you in monitoring internal compliance, inform and advise you on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
A DPO can be an existing employee or externally appointed.
As part of our services, Chorus will:
- review and advise on privacy policies, procedures, documentation and 3rd party contracts
- oversee the establishment and maintenance of a personal data register
- oversee the mapping and documenting of the organisation’s processes
- advise on whether a data protection impact assessment (DPIA) is required whenever a new process is implemented, and oversee that DPIA
- provide guidance on data breach monitoring, management and reporting
- serve as the contact point to data protection authorities for all data protection issues
- serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests
- facilitate GDPR awareness training and the training of staff involved in data processing operations
- report to senior management to ensure corporate governance of the Regulation, including DPO attendance at one Board meeting per term
- monitor compliance with the GDPR
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing.
It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
Your DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
You should consult your DPO (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
A fundamental part of your GDPR compliance project is understanding what personal information you are collecting and processing.
Article 30 of the GDPR states that organisations must maintain a record of processing activities under their responsibility. That record shall contain all of the following information:
a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
b) the purposes of the processing;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
f) where possible, the envisaged time limits for erasure of the different categories of data;
g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
The controller or the processor shall make the record available to the supervisory authority on request.
Privacy notices tell people what to expect the organisation to do with their personal information when they make contact with it or use one of its services.
They should include:
- why you are able to process their information
- what purpose you are processing it for
- how long you store it for
- whether there are other recipients of their personal information
- whether you intend to transfer it to another country, and
- whether you do automated decision-making or profiling.
Article 24 of the GDPR states that processing activities shall include the implementation of appropriate data protection policies by the data controller.
Policies differ from procedures: they are high-level documents that set principles, rather than details of how, what and when things should be done. A data protection policy should:
- be capable of implementation and enforceable;
- be concise and easy to understand; and
- balance protection with productivity.
The data protection policy should specifically include the following key elements:
- topics covered by the policy;
- reasons why the policy is needed;
- contacts and responsibilities;
- objectives; and
- how to handle violations.
Companies share personal data with third parties all the time, but can they be trusted? The GDPR makes it clear that organisations are accountable for data breaches caused by third-party service providers or processors.
Given that third parties pose such a large security risk, organisations need to protect themselves.
When reviewing your agreements with third parties:
- never assume your third-party suppliers are compliant with GDPR no matter what the size of the company is.
- clearly define all of the areas and activities in which GDPR is in scope, and have your third-party vendors agree and provide signed contractual assurances they are working towards compliance.
- agree that your third-party vendors will not outsource any GDPR-relevant scoped services without written approval.
- do your due diligence and regularly audit your third-party vendors’ processes.
- know where your third-party suppliers are located, and where data is being transferred.
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
A key element of any organisation’s GDPR compliance framework is staff awareness and education.
Guidance from data protection authorities emphasises the importance of making staff aware of the Regulation and for organisations to start integrating this into their compliance project.
Without an effective staff awareness programme, your organisation runs the risk of breaching the Regulation, which can have serious consequences.