If you don’t know exactly what you do with people’s data then any data protection compliance efforts you make as an organisation will be next to worthless. You need to know what personal information you collect, what you do with it, where you keep it, what permissions you have in relation to it, who you share it with, how long you keep it and what you do with it when you no longer need it.
Unless you clearly know the answers to these questions and are sure that you have told individuals these things then your data protection compliance is built on sand.
How you really work out what you do with people’s data
This is not a job for one person, or one department. This is a job for a team. Each area of your business will touch personal data in a different way that is not visible to other areas of your business. For example, you might think that your entire business is keeping data on your intranet. However, unless you ask everyone in your organisation, you may not find out that your marketing team is also keeping that information on a free SaaS platform. Unless you know this, you can’t take steps to make sure that all the personal data you hold is safe.
How you really demonstrate you know what you do with people’s data
You need to keep records. This is not just good practice but a legal requirement. You need to accurately collect the information to enable you to populate those records. You need to ask questions. You need to draw diagrams of where the data comes in, where it goes, and where it is kept. And then you need to take this accurate record and make sure it is reflected in what you tell individuals about how you process their personal data.
How you really need to keep things up to date
You need to make sure that your records are accurate and up to date. You can only do this if you move away from thinking of data protection compliance as a project. It is about building and maintaining a culture of continuous compliance. It is not a one-off, tick-box project. You need a team and a structure in place to make sure that at any moment in time you know what you do with people’s data and have told them what you do with it.
A really easy way to demonstrate your compliance
It is easy to get bogged down with data protection compliance. Some of it is tricky. However, most of it is easy if you are told what to do, how to do it and given the tools to make it happen. What would be ideal would be to run your data protection compliance from one place. Even better if that place also enabled you to demonstrate your compliance easily and securely (satisfying one of the most important principles of the GDPR, namely ‘Accountability’).
If that sounds like a good idea, you may want to take a look at The Privacy Compliance Hub, an easy-to-use platform which enables you to own your compliance.
This article is part of an eight-part series. Feel free to check out the others:
GDPR : Are you sure you’re fine?
- Are you sure your staff know why the GDPR is important to the success of your organisation?
- Are you sure you know what you do with people’s data?
- Are you sure you tell people what you do with their data?
- Are you sure you trust organisations that you are sharing data with?
- Are you sure that nobody will complain?
- Are you sure you’re secure?
- Are you sure you know which countries keep data safe?
- Are you sure you build products and services with privacy in mind?