Question 1: How would you describe your organisation's overall approach to GDPR Compliance?
A1: What is GDPR? I never heard of it.
A2: That is soooo 2018. That bandwagon has long been replaced by a newer one.
A3: Is this a serious question?
A4: We are 100% Compliant.
The correct answer: None of the above.
At least answers A1-A3 are honest answers! A4 is my own personal favourite. I always say anyone who thinks they are 100% compliant doesn’t understand compliance!
I hope your organisation has a programme in place and you are constantly working towards compliance. However, organisations don’t stand still, and that makes compliance a moving target. As soon as you think everything is covered, something will change, often prompting DPOs to leave the building in tears! Compliance is something that needs constant care and attention.
Question 2: When did you last complete a review of your data protection policy documents?
A1: Never, I don’t think we have any policy documentation.
A2: When GDPR came into effect in 2018 we bought a great set off the shelf.
A3: Just before our last DPO was seen running out of the building in tears.
A4: Every year we have a senior management signoff, but our documents haven’t actually changed since 2018.
The correct answer: None of the above.
Our understanding of GDPR has matured since 2018 and we have learned a few lessons about our policy documents. They are important internal documents. (Don’t confuse them with the “Privacy Policy”, which the pedant in me feels compelled to point out is a misleading title for a “Data Protection Notice”.) There is no “one-size-fits-all”, so off-the-shelf is not a good look.
Develop good policies that are relevant to your organisational activities and refresh them annually. When completing your annual review, ask whether the contents are still relevant as your organisation and/or our understanding of the practical effects of the GDPR may have moved on.
Question 3: Do you know what a Record of Processing Activities is?
A1: It is a catalogue of horrors.
A2: Yes! I know that one. I’ve never seen one IRL though.
A3: No, but I am sure our DPO (who was last seen running out of the building in tears) knows.
A4: We keep ours locked in the safe with the company chequebook which is getting quite dusty since our banking went online.
The correct answer: None of the above.
A Record of Processing Activities (ROPA) does what it says on the tin. It records all the purposes for which you process Personal Data, the lawful basis for each processing activity, and other important information about the processing. It’s not the easiest document to create and maintain, but it’s a very important one.
Aside from the fact that it’s a legal requirement, capturing vital information about the processing activities you are carrying out is the bedrock for all of your compliance efforts. For instance, this may be an obvious one, but unless you know what you are doing with Personal Data you can’t accurately inform data subjects about it.
Question 4: Do you take steps to minimise risks in your processing activities?
A1: We don’t have any risks. We are a risk-free zone!
A2: We outsource all our risks to our suppliers. They take all the risks, it’s what we pay them for.
A3: Well, we used to add them to the DPO’s to-do list before they ran out of the building.
A4: Yes, we have a risk register which we review every quarter at a meeting where there are coffee and scones and our GDPR risks haven’t changed since 2018 so we must be doing a great job.
The correct answer: None of the above.
GDPR looks for a risk-based approach to data processing and compliance. It asks that organisations processing personal data take into account the “risk of varying likelihood and severity for the rights and freedoms of natural persons”. While the GDPR requires that the data subjects are considered, risk to your employees or customers ultimately poses risks to the organisation, be that reputational damage or material loss.
Organisations must understand their risks and take appropriate steps to address those risks by reducing the likelihood of them occurring and being prepared to reduce the impact if they do occur. That includes managing your suppliers if you have outsourced any of your processing activities.
Question 5: Have you completed an in-depth compliance evaluation for any of your high-risk processing activities within the past 12 months?
A1: A what now?
A2: We don’t know what our high-risk processing activities are.
A3: Our DPO suggested something like that just before the fateful day when they left in tears.
A4: Yes, we held a meeting and even brought coffee and scones. There are minutes on the server.
The correct answer: None of the above.
There’s no right or wrong answer to this one. Organisations must start their compliance journey somewhere, and you need to be pragmatic. There is no point in completing deep dives if you haven’t got a compliance programme, because you will be overwhelmed by the findings.
Once you do reach a level of maturity as an organisation, focused compliance reviews will reduce the risks to your organisation and to your customers. They are very beneficial at weeding out the unknown unknowns that are lurking in the shadows and could catch you out at any time. Think of them as a powerful torch capable of shining into the dark recesses of your use of employees’, customers’, members’ or patients’ personal data.
Evaluating your answers
All A1s: My goodness, you need to begin at the beginning. We recommend you look at getting a data protection programme in place.
All A2s: In your favour, you have heard of the GDPR. You might even have done some work on your compliance in 2018. Time to dust off those folders and freshen them up to be 2024 ready. We still recommend you look at getting a data protection programme in place.
All A3s: Buy your DPO a box of hankies and then maybe start listening to what they are advising you. We promise you won’t regret it! Your DPO might need some help to get a structured data protection programme in place. This could be your gift to them in 2024.
All A4s: It sounds like you are trying to do the right thing, but the coffee and scones are distracting you, and your efforts, while well meaning, are ineffectual. A bit more focus and structure will pay dividends.
No matter what your answers, of course Fort Privacy can help! We offer a judgement-free service from our team, who can come in and help your organisation wherever you sit on your compliance journey:
- implement a structured approach to your GDPR Compliance by implementing the Fort Privacy Framework;
- provide longer-term guidance and support through our Outsourced DPO (O-DPO) service;
- provide support for your own in-house DPOs (before they are driven to tears!); or
- help more mature organisations complete focused compliance evaluations using our recently developed ToE Methodology.
All you need to do is … ask!
Marie Murphy
Marie's interest is in data protection operations focusing on people and process to manage personal data processing risk in large and small organisations with a special interest in privacy by design.