Tips on Demonstrating UK GDPR Compliance

Back in 2017/18, we saw many organisations creating a ‘task force’ or project team to address GDPR compliance in the run-up to the May 2018 deadline.  Most of these organisations typically disbanded their taskforce teams once they felt that compliance had been achieved, although some appointed a responsible data protection manager/DPO or compliance officer.  As with other compliance activities, we appreciate how difficult it is to maintain ‘good intentions’ as other business pressures/requirements take centre stage.  Equally, when the GDPR was launched, there was limited guidance available and, with the goalposts now having shifted slightly, some organisations may find that they are not as compliant as they originally thought.

What we do have now, is a British Standard, namely BS 10012, which provides a best practice framework for a personal information management system.   Whilst not an international standard, such as ISO 27001, or a complete model for the UK GDPR compliance, BS 10012 is aligned to the principles of the GDPR and a good starting point. However, this is not a quick (in the next few months type!) solution.

‍

So, what can you do now to demonstrate UK GDPR compliance?  A very practical approach is to arrange an external audit by an experienced GDPR/DP practitioner.  If structured correctly, this will not only verify your compliance status, but will provide you with valuable advice and insight into good practices adopted by other organisations.

A valuable UK GDPR compliance audit is not all about the DP/UK GDPR rules, it’s also about ensuring you are complying with your own policies, processes, and procedures i.e., the measures you put in place to establish UK GDPR compliance in the first place.

Here are some questions which should help you in determining your level of compliance with the GDPR

• Are you complying with your policies?
• Have you reviewed consent mechanism?
• Have you continued to evaluate third parties and their contractual conditions?
• Have you maintained your register of processing activities?
• Has your business changed at all and are your lawful grounds for processing still valid?
• Have you reviewed your data flows in line with any chances?
• Have you maintained your DPIA records and are you conducting DPIAs as and where required?
• Do you nave an effective mechanism in place for dealing with subject access requests?

‍