The scope of the GDPR is different for every organisation. As a provider of GDPR readiness services, we speak to companies within the same industry whose GDPR compliance roadmaps are completely different. Nonetheless, all organisations need to foster a privacy culture. How does an organisation achieve this? We’ve listed 6 best practices that should form part of your compliance preparations and which can help improve your privacy culture:
- Create a data map. Data mapping will help you understand the data you process in your business day-to-day. A data map should be created by speaking to staff in each of your departments and asking them what data they handle or are exposed to. You might think you already know this, but you will be amazed at how many ‘shadow processing’ activities take place. A good starting point is a ‘flat file’ data map, using a spreadsheet, rather than a visual map. As you map the data, start applying the 6 data protection principles set out in Article 5 of the GDPR. This can then form the starting point for your records of processing as required by Article 30.
- Create a data flow map. A data flow map is a visual representation of how personal data moves through your organisation. We call this the data lifecycle. It is important to clearly show in your data flow map where you are receiving the personal data, the points of contact or processing activities performed with it and where you are sharing the personal data. The key to a successful data flow map is detail, so don’t be afraid to annotate, colour code or use any other visual aids to help you.
- Create or formalise your breach incident response processes. No one wants to be on the receiving end of their personal data being lost, stolen, damaged or destroyed, so have a process in place to deal with these situations as soon as they arise. Make sure that employees are aware of these processes and when they apply. Check they know what a breach or an incident ‘looks’ like. Build resilience into your processes: if a key person is sick or on leave, someone else needs to be responsible and employees should know who it is.
- Perform privacy risk assessments. GDPR requires you to perform formal Data Protection Impact Assessments (DPIAs, sometimes called Privacy Impact Assessments or PIAs) in certain circumstances. Even where they aren’t mandatory, a PIA will help you recognise and manage the risks associated with your processing activities. They also help demonstrate accountability and are data protection best practice. If you are planning a new processing activity (such as moving to a new cloud-based CRM solution), perform a PIA. Integrate the PIA process into your project lifecycle and make it one of the first steps performed. This also helps show you are applying data protection by design.
- Perform regular data protection awareness training for all employees. How often do you currently provide data protection training? If you ask employees to sign a statement saying that they will abide by the company’s data protection policy, have you really done enough? The answer is no. Regular, ongoing data protection training is key to ensuring staff understand their responsibilities within the context of your business. The ICO recently issued an enforcement notice on Medway Council requiring them to perform mandatory data protection training and ongoing refresher training following a previous investigation.
- Create compliance documentation. In addition to other records, create a compliance document or suite of documents to show that you recognise your obligations and the steps you are taking to meet them. This helps create an ‘audit trail’ and can be used to keep risks and governance activities under review as part of an ongoing lifecycle. You can link this to your formal Personal Information Management System (PIMS) or Information Security Management System (ISMS) if you have implemented these.
Data protection by design and by default is a core element of GDPR, and once you have implemented the right controls and procedures, data protection can become a cornerstone of your business operations. It can also help create a privacy culture within your organisation. These steps will help you start to foster that culture change and apply a data protection by design mindset across the business.
Author: Joe Gaunt
Joe is an information governance consultant with Cybercrowd. He specialises in data protection, GDPR readiness and information security.