Does your business need a GDPR Health Assessment 2 years on from GDPR?
23 June 2020
25 May 2020 marked the 2nd anniversary of the GDPR coming into force. As anniversaries are for some a moment for reflection, it is not surprising that organisations are now checking in on their respective compliance profiles to consider what (if any) improvements can be made.
Although many organisations have invested large amounts of time and money into their data & privacy compliance, many are still unsure about precisely where they stand on this crucial matter and where they should now be focussing their attention.
This short article sets out at a high level some of the key trends we are seeing when it comes to organisations’ data protection compliance and where, in our view, organisations are going wrong.
Technical to operative compliance – by and large, many organisations are able to demonstrate a good level of technical compliance with the regulations, having model processes and policies in place, at least on paper. The pitfall comes with putting these into practice, ensuring that what is written on paper is carried out in reality, thereby also achieving operative compliance. For example, a business may have a perfectly-drafted privacy policy that it sends to all of its customers, but if the people within the business are not given sufficient knowledge both about what “data & privacy” really means and about what personal data is being collected, stored and processed, and for what reasons, this poses a significant GDPR operative compliance risk despite on the face of it showing technical compliance.
Lack of knowledge, governance and training – this leads on naturally from the shift from technical to operative compliance. If there is no proper governance framework in place and the policies and processes of a business are not sufficiently disseminated to the workforce, or made available in a manner that is easy to use, this is a huge barrier to achieving a good compliance profile. Organisations need to be carrying out effective and evergreen (yearly is recommended) training that is relevant to the roles of those being trained, and for data privacy principles to be communicated at all levels of seniority. In our experience, as an example, breaches regularly occur when people and teams are unaware of what they should be doing to ensure compliance. For training to be effective, it has to be user-friendly and understandable in real life terms.
Lack of key documentation – although we mentioned above that by and large many organisations demonstrate a relatively good level of technical compliance, there are those organisations that are still missing key documentation to evidence their compliance. For example, many organisations do not appear to have a process for carrying out data privacy impact assessments and as a result carry out high-risk processing without having any obvious mitigation steps in place. Equally, although an organisation may know how to react to a data breach, if it does not have a formal process in place and has only limited documentation to record the decision-making process, this is unlikely to bode well in the event of an investigation. Although cumbersome, written documentation is the first thing a regulator is likely to ask for, and something that organisations should have ready and waiting.
Lack of privacy by design – PbD requires businesses to consider privacy issues at the outset and throughout the development of products, services and processes that involve processing personal data. We have seen that even 2 years on from GDPR, privacy matters are often still ancillary to the design process, or even tacked on at the end of a development cycle. This raises the possibility of potential risk factors being missed or not sufficiently addressed, which would be difficult to properly explain to a regulator, and more time- and resource-heavy to rectify after the fact.
Data subject rights requests – to put it simply, not many organisations have got the balance right between dealing effectively and efficiently with DSRRs and also spotting higher-risk requests that might need more time. This has led to twofold risks – first, faced with a sudden inundation of rights requests, some businesses have found their organisational and technical measures for dealing with them to be lacking or even non-existent, leading to missed deadlines, ICO complaints and increased regulator scrutiny; and second, even those organisations that can handle a high volume of requests are too often applying a blanket one-size-fits-all approach when it is not appropriate (e.g. 1000 consumer subject access requests are likely ripe for automation, whereas a workplace subject access request in the context of litigation requires far more thought and attention).
How we can help
The above are just a number of areas to focus on, and Lewis Silkin has put together a comprehensive and cost-effective way for organisations to check their GDPR (and security) compliance profile and to ensure their compliance journey is on the right track.
Our Data & Privacy team have significant experience of helping a variety of businesses mitigate data risks through full scale data protection audits. Drawing together the core elements of an audit, but avoiding the cumbersome and disruptive audit process, our LS GDPR Health Assessment service starts by asking the right questions to gain an understanding of your business before providing you with a compliance score, as well as a suggested strategy to help maintain or achieve a better level of compliance.
We can then work collaboratively with you to implement the suggested remediation actions through updated documentation, provision of training and guidance notes, and practical assistance to implement processes to ensure that policies are followed and records are maintained.
While we focus on legal compliance, we can also offer clients security assessments in partnership with our third-party partners through sophisticated software tools that help to identify any internal and external vulnerabilities in your environment.
For more information on our LS GDPR Health Assessment service, including costs, please contact Alexander Milner-Smith or Bryony Long.