The GDPR created the obligation for organisations to demonstrate compliance with its rules. Unfortunately, the GDPR offered little practical guidance on how, exactly, to demonstrate compliance. To help, here are our top 10 tips that organisations should consider when thinking about how to demonstrate compliance.
1. Record everything
When making decisions about how to handle personal data, the first rule is to record the rationale behind those decisions, so that you can evidence the thought process behind how you intended to comply with the GDPR.
2. Assess whether you need to appoint a Data Protection Officer and record your final decision
This should consider all jurisdictions where you operate, as DPOs are not just required under the GDPR, but also the Brazilian Data Protection Law.
3. Make sure you are reporting on compliance to the highest management groups in the organisation
To have a strong framework, you need to have effective privacy governance, and to institute regular reports to your board, executive teams and/or audit committees.
4. Identify the types of personal data you hold and to whom they relate
Do you have employees’ data, customers’ data, suppliers’ data, patients’ data, bank account holders’ data, etc.? Do you have criminal records data, or health-related data?
5. Appoint accountable senior stakeholders per type of personal data
For effectiveness, and to implement a top-down culture of compliance, it is advisable for the accountable stakeholders to be business leaders, not your privacy or legal team. You may decide to appoint certain personal data owners for health data and others for bank account data; or base them on the type of individuals to whom the data relates.
6. Holistic governance
Connect your privacy governance measures with your data governance, infosec, compliance and risk structures. This is a long journey and there is no point in doing it alone or reinventing the path. You should also consider including privacy as part of your ESG reporting.
7. Define how you will identify compliance gaps in the future, and what you will do about them
Whilst it is critical to be able to identify where things have not gone very well, with controls and regular check-ins, there is no point in having a risk register without doing anything about the risks identified! Think about it as a continuous improvement journey.
8. Think about how to get the picture on the box
It is too easy to separate business as usual from compliance checks, but it is the business-as-usual activity that will give you the compliance picture. Running costly, time-consuming and time-restricted data protection audits whilst ignoring several minor delays in responding to data requests is not giving you the best picture on the box.
9. KPIs, SLAs and metrics
Do you know how many data requests you received? And how many have delayed responses? Do you know how many responses can be delayed and why? Use all the tools at your disposal to build these–it doesn’t have to be a costly vendor product, sometimes all it takes is a good old-fashioned Excel spreadsheet.
10. Keep it simple
When reporting on compliance, be like an iceberg–keep the heavy lifting out of the boardroom, and report in a simple and, ideally, visual manner. Remember: nobody knows, or wants to know, as much as you on compliance.