Step 5: Monitoring
Data compliance register
At the end of the process you should compile a data compliance register – a suite of documents which evidences the different steps you have taken to achieve compliance.
Having reviewed your existing contracts with suppliers, you should ensure future contracts (and systems) are GDPR compliant. You will need to factor GDPR compliance into your due diligence process and where possible, ensure that any risks are mitigated.
Subject access requests
Data subjects now have the right to make subject access requests (at no cost to them as a default position) and obtain information regarding the data you hold about them. The maximum time to make this information available has been reduced from 40 days to ‘within one month’ (subject to some exceptions), so you need to consider whether there are any logistical issues in dealing with requests more quickly and whether it is possible to put in place a secure online system which allows subjects to access their data themselves.
If you are looking at specific data processing projects which may carry a higher risk, it is worth considering a Data Protection Impact Assessment which is an integral part of a ‘privacy by design’ approach and can be used to identify and reduce the privacy risks within projects.
The GDPR introduces a duty on data controllers to report certain types of data breaches to the Information Commissioner’s Office, or the data subjects themselves. You will need to consider what processes you have in place for identifying, recording and responding to data breaches.
Data Protection Officer/Data Compliance Officer
Any organisation can appoint a Data Protection Officer (DPO); however, certain organisations are required by the GDPR to do so. Their role is to provide internal guidance and ensure that your organisation is compliant with the GDPR and meets its various other responsibilities.
How Cripps Pemberton Greenish can help
Cripps Pemberton Greenish can provide on-going support to your Data Protection Officer or others in the organisation.
We can also:
Provide a Privacy Impact Assessment template and advise on its completion.
Advise on what due diligence or other practical measures may be necessary to reduce risk when entering into new agreements with third parties.
Provide policies, templates, and ad hoc advice on how to deal with data subject requests around access, deletion, rectification, portability and restriction.
If you are concerned about a breach, we can provide template notifications and guidance documents and help you assess the situation and deal with it.
We can advise on, or carry out, periodic checks of your data activities to ensure you maintain compliance.