How can you demonstrate GDPR compliance?
Corporate and commercial solicitor at Kirwans law firm, James Pressley, tells IT Pro there are a few different forms of proof organisations can offer the ICO. These must all demonstrate:
– Internal policies and procedures that comply with the GDPR’s requirements
– The implementation of the policies and processes into the organisation’s activities
– Effective internal compliance measures
– External controls
“All of these would not only need to be documented (for example, policies), but there would need to be a record kept of how they were being carried out in practice to demonstrate compliance,” Pressley explains.
In addition, data controllers (the company ultimately using rather than simply processing personal data) must be able to show they have established a data protection compliance programme and privacy governance structure, as well as ongoing privacy controls.
Controllers must also embed privacy measures into corporate policies and everyday activities that concern personal data.
Not only must they document their privacy measures and keep records of compliance, but they must train employees on privacy and data protection matters and test their privacy measures, using the results to improve their policies.
How will the ICO measure compliance?
The ICO – and any other EU member state data protection authority – would consider whether your organisation is compliant with the points above, though it’s probably wise to hire a legal specialist to guide you through the specifics to ensure you understand them fully.
Davis explains: “The GDPR is holistic: you have to comply with all aspects of the GDPR.”
While there may be some debate as to whether a data protection policy is adequate, Pressley adds: “Past experience would suggest that the ICO requires full compliance with legislation and is unlikely to accept poor documentation or implementation.”
Both lawyers make the point that when it comes to audits, firms suffering security breaches will be the ICO’s first port of call.
“In practice [the ICO will measure compliance] by (a) becoming aware of organisations suffering from public breaches and (b) auditing organisations – especially those falling into the former category,” Davis says.
Pressley agrees, stating: “There will be a lot of non-compliance, which will be obvious. There will be some major problems such as security breaches, in which case the organisation’s policies and practices will be examined closely.”
Are any GDPR certification schemes worth the money?
In short, no – certainly not if you enter them for the purpose of gaining a certificate demonstrating compliance. As we discovered above, there are currently no bodies empowered to audit and certify GDPR compliance.
Those that do exist may say their certification is valid for GDPR, but in fact they’re often based on the National Cyber Security Centre’s Cyber Secure standard, Pressley says. That means organisations that undertake their courses may still be found non-compliant by the ICO.
However, Pressley also says that the ICO intends to approve accredited UK bodies that can offer proper certification by spring 2018, just ahead of GDPR coming into force.
But Davis adds that existing schemes, if using the GDPR legislation as their basis, may have some value: “The more any organisation does to comply the better. Obtaining any form of external certification implies that [an] external organisation is going to check where the target organisation is not doing enough, thus enabling the target organisation to become more compliant.”