It is important to keep an eye out for changes in your systems or processes with regards to data storage. Organisations are not only expected to look for ways to anticipate data protection and privacy issues, but prevent them.
To ensure your company stays protected from risk, here are our 7 ways to check that your data storage is GDPR compliant.
1. Understand the difference between data protection by design and by default.
‘By design’ means that you put in place technical measures and organisational systems that are designed to implement data protection principles, and that you integrate those safeguards into your processes.
‘By default’ means that you only conduct data processing activities if they are necessary to achieve a specific goal. It links to the GDPR’s principles of data minimisation and purpose limitation.
Privacy by design was considered good practice under the Data Protection Act 1998, but when new rules came into force with GDPR in 2018, data protection by design and default became a legal requirement.
It is not always easy to understand the rules around GDPR, which is why it is so important that businesses continually check their ongoing compliance. Even a small system change (such as a new payroll system) might trigger the need for new policies, statements and so on.
2. Understand who is responsible for data protection.
One of the GDPR compliance principles is accountability. This principle makes it clear the whole company is responsible for complying with GDPR and it must also be able to demonstrate its compliance. Larger businesses, particularly those who systematically process personal data, may employ a Data Protection Officer.
The ultimate responsibility lies with the ‘controller’ – the person (or body, authority, agency) that determines the purposes and means of the processing of personal data. If you make the decisions and exercise overall control (either as a sole director or as part of a board), you are ultimately responsible for both compliance and the evidence of it.
3. Research what you have to do to comply.
As with many areas of compliance, there is no ‘one size fits all’ solution here. Your business must put in place measures that are appropriate to it and that will effectively and safely guard individual rights.
What is key here is that:
- Data protection is adopted at the start of any processing activity
- Policies and measures meet ‘design and default’ requirements (as above)
- Decisions and processes are suitably documented
- GDPR is a continuous practice – any new system change might have an impact on the organisation's overall compliance status.
4. Identify where in your business data protection applies.
There are seven foundational principles that can be used to underpin any approach you take and to help identify where in your business you need to make provisions:
- Be proactive not reactive; preventative not remedial
- Choose privacy as your default setting
- Embed privacy into design
- Ensure full functionality – positive sum, not zero sum
- Think about end-to-end security – full lifecycle protection
- Be visible and transparent – keep it open
- Have respect for user privacy – keep it customer-centric
For more detail on these principles, visit ico.org.uk.
5. Put your understanding into practice.
Using the seven foundational principles, you should be able to review the systems, measures and other controls you already have in place and assess them for risk and compliance.
Once you have reviewed the measures that are appropriate to your business, it is good practice to create guidelines for the business, update policies and develop a set of practical, actionable guidelines that you and your staff can follow and adhere to.
6. Create future compliance systems.
Now is the time to embed your good practice to continue protecting your business. Documenting any changes at board level and being aware of risks is key to ongoing compliance.
Keeping GDPR as an agenda item at board meetings ensures that you are continuously keeping it at the forefront of everyone’s mind. Equally, consider communication of GDPR compliance throughout your business too – for example, has GDPR continued to feature in your staff training since its launch in 2018? Have you welcomed new board members since your last review, and did their induction involve GDPR training?
Using a tool such as our BoardSecure portal will ensure you have a secure, easy to use system that will keep all your GDPR documentation in place.
7. Keep up to date with guidance.
Last but not least, keep up to date with the published guidance.
The Information Commissioner’s Office has a handy checklist of the UK GDPR’s fundamental principles and requirements which is well worth reading. Making sure that you are familiar with them and understand the key components will help you make the right decisions and embed good practice.
You can also refer to the Guide to the General Data Protection Regulation on gov.uk, which explains GDPR to help organisations comply with its requirements.