Tips from URM – How can I demonstrate GDPR compliance?
The easy way (if it was available!) would be to certify to an approved GDPR certification scheme. The EU has stated that ‘Member states, supervisory authorities (such as the Information Commissioner’s Office in the UK), the European Data Protection Board (EDPB) and the Commission will promote certification as a means to enhance transparency and compliance with the Regulation’. Right now, unfortunately, such a scheme does not exist. The EDPB has published adopted guidelines on certification and the identification of certification criteria with comments requested by the end of March 2019. Given that comments will need to be reviewed, decisions made, guidelines made available, possible schemes considered etc. etc. etc. – we’re not anticipating a scheme being released soon!
What we do have, however, is a British Standard, namely BS 10012, which provides a best practice framework for a personal information management system. Whilst not an international standard, like ISO 27001, BS 10012 is aligned to the principles of the EU GDPR. Whilst this is not a complete model for GDPR compliance, it is a good starting point. However, once again, this is not a quick (in the next few months type!) solution.
So, what can you do now to demonstrate GDPR compliance? A very practical approach is to arrange an external audit by an experienced GDPR/DP practitioner. If structured correctly, this will not only verify your compliance status but will provide you with valuable advice and insight into good practices adopted by other organisations.
What we saw back in 2017/18 was many organisations creating a ‘task force’ or project team to address GDPR compliance in the run-up to the 25 May deadline. Most of these organisations have typically disbanded their taskforce teams once they felt that compliance had been achieved, with some of them appointing a responsible data protection manager/DPO or compliance officer, often depending on the sector they operate in. As with other compliance activities, we appreciate how difficult it is to maintain ‘good intentions’ as other business pressures/requirements take centre stage. Equally, when the GDPR was launched there was limited guidance available at the time and, with the goalposts now having shifted slightly, some organisations may find that they are not as compliant as they originally thought.
A valuable GDPR compliance audit is not all about the DP/GDPR rules, it’s also about ensuring you are complying with your own policies, processes, and procedures – the measures you put in place to establish GDPR compliance in the first place.
If you’re not sure about your responses to some of the above questions and you are seeking the peace of mind or you are looking to demonstrate your GDPR compliance to customers or stakeholders, then arrange an external compliance audit. Contact URM now to organise this.