Are you still GDPR Compliant?
Posted 6 years ago
“Another GDPR blog? When will it end?!”, I hear you cry. “The GDPR deadline was almost a year ago, we’ve spent so long scrabbling around, updating our Privacy Policy, sending out consent forms and Data Processing Agreements, surely that was the end of it?”
My response to that is to laugh, and then cry a little bit. There's never an end to the GDPR, not now, not ever. You spent the early stages of last year tidying up, ready for the arrival of the GDPR, but now it's moved in, is sleeping on the sofa and has eaten all the cheese. Love it or loathe it, the GDPR is a permanent resident in your life, and you need to keep it happy.
All that time you spent making sure you were compliant for 25th May 2018 was important, but it was only the first step in a lifelong journey.
So, now that I've ripped off that plaster of hard truth, you need to ask yourself a question – are we still GDPR compliant? Here are some things to consider.
Let’s assume that your organisation was 100% compliant by the time the GDPR kicked in; you’ve updated your privacy policy, sent out privacy statements and consent forms, and implemented processes for safely recording, storing, altering, deleting, and giving access to all the data you hold. You’re happy and satisfied that you’re compliant after months of hard work, but who else knows what you’ve done?
If nobody else knows about the changes you've made, you might as well not have made them. Raise awareness within your organisation: tell people what you've done and make sure they understand what they need to do now.
It’s also crucial that everyone understands the importance of compliance; we all prioritise our tasks when we’re pressed for time, so make sure you reinforce the idea that GDPR compliance is not a corner which can be cut. Getting staff to take GDPR training is vital when it comes to equipping them with the knowledge and the motivation to be GDPR compliant.
But it's not just staff awareness you need to worry about; you also need to make sure you're aware of the data held by your organisation.
Before the GDPR came into effect you should have drawn up a data map that showed the entire life-cycle of data within your organisation, from the moment you got it to the moment it was deleted. This was an invaluable part of the compliance process as it let you know what data your organisation held, where it came from, whether you had a lawful basis for holding it, and whether you still needed it.
But what about now? Do you know what new data you've picked up? Will you know in a year's time? Two years' time? If someone calls up asking what data you hold on them, or how and why you have it, you need to be able to answer them, and the GDPR expects that answer within a month of the request (Article 12(3)), which is not long if you first have to work out where the data is.
The need to take stock of all the data you hold is ongoing. You should run regular data audits to keep on top of what you hold and trim away anything unnecessary, and use them to keep your data map and your record of processing activities (the register Article 30 requires most organisations to maintain) up to date.
And if somebody does ask about their data, how do you check that they are who they say they are?
The GDPR makes a big deal out of making sure people can access their data: they can ask for a copy of everything you hold on them, and have it corrected, erased or moved to another provider. In your attempts to make this happen, it can be easy to overlook the security of that data. Handing someone's personal data to the wrong person because you took a caller at their word is itself a data breach, and the GDPR expects you to verify who is asking (Recital 64; Article 12(6) lets you request further information to confirm identity where you have reasonable doubts).
Do you have processes in place for checking the identity of a person? Do you have passwords? Memorable dates? Security questions? Bear in mind that memorable dates and security questions are weak on their own, since the answers are often public or easily discovered; a known account login, or a reply sent only to the contact details you already hold for that person, is a much stronger check.
Here's a hypothetical situation: you're an organisation which offers B2B services. One day somebody you don't know calls you from a client organisation claiming that the old contact has left, that they're the new contact and they want access to the data you hold. They don't have any passwords or memorable information to hand because the last person left without handing them over. What do you do? The safe answer is to release nothing on that call. Confirm the change of contact through a channel you already trust, such as the telephone number, email address or signatory named in the client's contract, rather than through any details the caller supplies, and record who authorised the change.
These are just a few of the things you need to consider as we go forward, and they demonstrate the importance of GDPR training. There's a lot to think about, and that isn't going to decrease just because the GDPR deadline has passed. If everyone is aware of what needs to happen, then everyone can help you be GDPR vigilant.
GDPR Refresher Training
After releasing our GDPR Essentials and GDPR for Managers courses just over a year ago, we’ve helped almost 200,000 people towards compliance with the legislation.
So, this February, we decided to release our GDPR Refresher course for those who have already got a strong understanding of the legislation but need to refresh their memory and to re-test themselves on the GDPR basics.
Interested? Start your free no-obligation trial to any of our courses today!
James Kelly
Senior Scriptwriter