Accountability is one of the key principles of GDPR, requiring data controllers to demonstrate compliance on an on-going basis. The key is to provide evidence that privacy & data protection have been considered in activities involving personal information, and that risks are appropriately managed. Moving forward, privacy & data protection should be in the DNA of your organisation.
For those organisations without a dedicated data protection resource, this can be a challenge. Although they may consider themselves to be compliant, in reality many have compliance artefacts in place but are unable to evidence that these are being used or managed. This becomes an issue when business customers require assurance of compliance, since that assurance cannot be given if accountability cannot be demonstrated.
To help clients address these issues we have developed a range of propositions to support the requirements of accountability. Our health checks provide the tools to validate or assure compliance, either holistically or through a more focussed approach. Alternatively, DP Assure offers a different approach to more traditional consulting.
Privacy & Data Protection Health Check
Under GDPR, organisations must be able to demonstrate compliance on a regular, on-going basis. In practice, as statutory codes of practice are introduced, this will need to cover other legislation, such as the Privacy & Electronic Communications Regulations (PECR). Having a holistic understanding of your compliance stance for privacy & data protection as a whole is becoming increasingly important.
As a data controller, it is critical that you consider accountability not only from an internal perspective, but also when appointing data processors. You are responsible for ensuring commitment to compliance across your supply chain.
Our privacy & data protection health check takes a holistic look at privacy & data protection compliance across your organisation and its supply chain. This will provide an understanding of compliance with relevant legislation / statutory codes of conduct, identify gaps in existing activities and provide a set of prioritised recommendations to address issues.
The output from this work can be used to validate your internal compliance or as means of demonstrating compliance to business customers.
PI Security Health Check
GDPR requires that you regularly test, assess and evaluate the measures that are in place to secure processing activity, from both organisational and technological perspectives. In practice, a testing regime should be part of your operational activity, but assessment and evaluation will be conducted separately.
Our PI security health check focuses on assessing and evaluating the processes that you have in place to securely process personal information. Our review covers how well the personal information under management is understood, access controls, your approach to data protection by design in system development, your testing regime, breach response procedures, and the governance that surrounds these activities. The findings are then presented in a report that identifies compliance by area, together with a set of prioritised recommendations for any remedial actions that are required.
This work can be used to validate internal data security compliance or can form a cornerstone in demonstrating GDPR compliance to third parties.
Data Protection by Design Health Check
Data protection by design & default is a foundation stone of accountability. It involves considering privacy at key points throughout product and service lifecycles, enabling you to create an audit trail of relevant decisions taken and changes implemented. This is a key component of demonstrating accountability.
Embedding it across your organisation will not come from a single consulting engagement; it should be a process of continuous improvement. The question is where to begin.
Our health check engagement will provide you with:
- An understanding of which processes should encompass data protection by design;
- A gap analysis by process;
- A set of prioritised recommendations;
- An action plan to achieve compliance.
This will provide you with a baseline for data protection by design and default, allowing you to put in place an improvement plan to reach your end goal.
Data Subject Rights Health Check
Individuals have a range of data subject rights under GDPR, all of which must be responded to within 30 days. Should an organisation fail to meet these timescales there are impacts: repeated infringement could result in regulatory intervention or fines. Additionally, there will be a loss of customer confidence.
Balancing the cost of responding to data subject requests against your compliance responsibilities can be difficult. The challenge is to make request handling as efficient and effective as possible.
To help clients strike this balance we have developed a data subject rights health check that will provide you with:
- An understanding of which data subject rights are applicable by legal basis for processing;
- An assessment of the effectiveness of data subject request processes;
- A review of relevant governance, issue resolution and training to support data subject requests;
- Recommendations as to efficiency improvements that could be made;
- A set of prioritised recommendations tailored to your organisation.
This work can be used to validate your response processes internally, to identify activities for improvement, or to form a key cornerstone in evidencing GDPR compliance.
DP Assure
We created DP Assure as a service-based approach to providing privacy & data protection advice to our clients. Our aim is to be an extension of your team, acting as a trusted advisor. By getting to know you, we will be in a better position to offer you pertinent and timely advice.
Accountability requires you to evidence your data protection compliance on an on-going basis. This involves embedding data protection into the DNA of your organisation, allowing you to evidence decisions taken or changes implemented. In our view, this objective is best achieved through an iterative, supportive approach rather than a one-off consulting engagement. As part of DP Assure we get to know your organisation, providing access to expertise that can be used to guide and support you to achieve accountability.
In addition, as part of the service we conduct an annual privacy & data protection health check, allowing you to either assure or validate your internal compliance.
This is an alternative approach to a conventional consulting engagement, providing you with a cost-effective approach to addressing regulatory change.
If this sounds interesting, see DP Assure for more information.