Data is a constantly evolving entity, and maintaining your ongoing compliance with GDPR requires you, amongst other responsibilities, to keep an up-to-date record of your personal data processing activities, the record required by GDPR Article 30.
For almost a year, however, things on the GDPR front were somewhat quiet. Six months after the deadline, a Deloitte survey showed that only 33% of companies planned to continue investing in embedding privacy.
Before the deadline struck, the business world went into overdrive. In their attempt to demonstrate compliance before May 28th 2018, organisations scrambled to identify their data, map personal data inventories and blast out endless emails asking customers to ‘opt in’. On average, British companies spent £1.3 million to ensure their GDPR compliance.
The deadline hit and…
For months, nothing really happened. The hype started to subside and people wondered whether the Information Commissioner’s Office (ICO) was bluffing with its threat of 4% fines.
The thing many thought would never happen did happen. Two significant fines were imposed on British Airways and Marriott in quick succession, totalling nearly £300m. It was a stark reminder of how serious the GDPR is, and a demonstration that the ICO means business.
Given the ripple effect of the fines imposed so far, organisations are once again making it a priority to get their GDPR house in order.
The trouble is, if you are revisiting your processes, how do you know whether they are good enough?
To help provide that clarity around what you need to do to review and improve your record of data processing activity, we’ve created this helpful template…
With a list of the data you hold, it’s time to establish the rules for processing that data. These rules can broadly be split into three categories:
To create these rules, analyse your personal data inventory above. Think about the types of processing that could pose privacy, security and business risks to your organisation, and write them down in prose form, as shown below:
Don’t feel like this initial list has to be exhaustive. Start by highlighting the highest risk rules first and figure out how to prioritise and enforce them. This initial work then forms the basis for you to justify your monitoring and compliance activities.
The GDPR places emphasis on implementing ‘comprehensive but proportionate’ controls to monitor and protect personal data.
The simplest way to do this is to list out your rules for managing personal data (identified above) and then write down your ideal monitoring controls. Following that, list the controls you have in place currently. With both lists in hand you can document the difference between them and create a roadmap for closing the gap in the future:
As with all GDPR processes, your record of data processing activities needs to be constantly reviewed and periodically updated. But actioning and monitoring your data is hard if you are relying on manual methods alone.
Our research indicates that managing personal data only becomes more complex as your business grows bigger. Over half of organisations with more than 500 employees identified over 50 personal data processes, increasing to 1,000 processes when there are over 1,000 employees.
Trying to manage that manually means you will never have an accurate picture of the data you hold (Step 1), or know when your data processing rules are broken (Step 2).
Therefore, deploying technology that understands your data and helps your organisation manage it is vital if you are to remain compliant with GDPR, since it allows you to:
Compliance monitoring is easier with intelligent information discovery technology
Why don’t you set up a time for one of our experts to give you a demo that’s relevant to your business challenges and we will show you how Exonar can help?
“Exonar is developing best-of-breed technology for its customers but only because the team is going the extra mile on a daily basis - whatever you need, Exonar is there. It’s the best experience I’ve had of working with a solution provider in over 20 years.”
Dave Parker, Group Head of Data Governance, Arrow Global