GDPR has been in effect since 2018, so by now every organisation should be fully compliant and have a firm understanding of what the regulation means for it. At the same time, the stakes for failing to comply have never been higher: the EU recently handed Amazon a £636 million fine for processing personal data in violation of GDPR rules. With this high-profile reminder of the potential cost of failure in mind, here are a few tips on how to ensure compliance.
Support your Data Protection Officer (DPO)
Organisations have now decided whether or not to hire a DPO. This individual monitors compliance, advises on company obligations, and acts as a contact point between data subjects and the relevant regulatory authorities. It is important that they are able to act independently from the organisation. GDPR sets out guidelines for whether your organisation is legally obligated to have one, which comes down to the scale of the organisation, type of data being processed and whether the organisation is a public body.
Some organisations have appointed an internal DPO, while others have sought external expertise. One benefit of external DPOs is that they bring extensive experience and keep up to date with new regulatory requirements themselves, so they require less investment from the client organisation. Regardless, your DPO will require support from the wider organisation. It is essential to have a compliance roadmap — a strategy detailing how data processing meets guidelines across departments and jurisdictions — so that the company has a clear picture of its regulatory responsibilities. Your IT department will play a vital role in supporting your DPO by ensuring they have access to the data they need, and sometimes by assisting with DPO duties directly. Here is a quick rundown of what those duties might involve.
Specific data protection tasks
Data discovery: this refers to establishing exactly what kind of data your organisation collects and stores. Often, this involves conducting privacy impact assessment surveys on as many employees as possible. Encouraging your employees to fully participate in this process and being completely transparent will help your DPO understand your data processing requirements and any potential privacy violations.
Data mapping: your DPO will also create a map that tracks where data flows within your company and where it might be shared with external organisations. Mapping is an important aspect of data protection because it prevents data from leaving the company without being fully accounted for, which in turn reduces the potential for a security breach.
Data cataloguing: this is an inventory of all the organisation’s data. A good catalogue provides context and metadata for each data asset — similar to a Wikipedia entry, detailing what the asset is, who has access, updates and more. This is particularly helpful to demonstrate an organisation is taking data protection seriously, and to facilitate any data requests.
Your organisation can support your DPO in these tasks by being open and transparent about how data is handled. However, in some organisations with masses of data, attempting to organise this information is an uphill battle. If this is the case, your organisation may need to invest in further tools such as automation. For example, last year, Microsoft launched Azure Purview, a data governance platform to automate data discovery, mapping and cataloguing. There are numerous other data governance solutions that utilise AI and ML to make the process as efficient as possible, allowing large organisations to scale up to their data needs, and organisations without an official DPO to gain insight into their data.
Hopefully, this post has clarified the role of your DPO, and how your organisation can support them. Data privacy compliance is a top priority for companies, especially as the amount and complexity of data we collect increases. Making sure your DPO (or other data privacy staff) has what they need is the best way to avoid a costly compliance mistake.