5 ways to boost your data compliance
Pondering how to improve your privacy credentials? Here are my 5 steps to inspire you. More than two years on from GDPR being enforced, remember it’s a journey, not a sprint.
1. Get a grip on data governance
Do you have a framework in place which helps you to protect the personal data you hold?
A good framework needs clear roles and responsibilities. If you’ve not set up a governance group yet, now’s the time. Agree who is responsible and accountable for different data activities across your business. This can really help to make sure data owners are engaged and clear about their responsibilities. It helps stop data risks falling through the gaps.
Putting data governance practices in place is an important foundation step to improving your risk posture and demonstrating compliance with GDPR’s accountability principle.
2. Be ‘risk ready’
Can you quickly identify and assess data risks across your business?
You should have set up your policy and processes for Data Protection Impact Assessments (DPIAs), which are needed whenever there could be high risks to individuals.
Is it time to provide DPIA training for your teams? Training will help them to spot situations which could lead to high risks, so they can raise a hand whenever a DPIA might be required. DPIAs are a great way to highlight potential risks and address them before they are realised.
By the way, the ICO has recently highlighted that many businesses conducting online advertising may have missed that they should have conducted a DPIA. (Listen to our expert panel discuss, DPIAs – What? When? How? Who? Why?)
3. Spruce up your suppliers
Most businesses outsource a range of tasks to external suppliers. This may involve limited amounts of personal data or could be more complex. It’s good to ensure you have a full grasp of all your suppliers who process personal data and a way of assessing the data risks the supply chain poses for you.
Being accountable for your suppliers (‘processors’) is about much more than simply making sure the right data protection clauses are included within contracts.
Make sure you ask the right questions to check suppliers are not taking undue risks with your data. Be satisfied they have the right measures and controls in place.
4. Refresher workshops for your teams
Your staff can be your greatest asset or your greatest risk.
It’s always worth taking time out with each of the teams which handle personal data (such as HR, finance, marketing, and so on). Talk to them about their work and help them work out if their current privacy and security measures are up to scratch.
When done well, you’ll find people really get engaged and you’ll soon identify advocates in each team who can help you move forward with privacy and information security.
5. Control your cookies!
Many businesses are still working out how to comply with the ICO’s updated 2019 guidance on cookies and similar technologies. This highlighted the need for more transparency and a requirement for informed consent for all but ‘strictly necessary’ cookies.
So as a starter, make sure you know what cookies you use and what they’re used for. If you haven’t done one already, a cookie audit is a great place to start. You might find there’s more going on with cookies than you thought! (Also see: Seven step ad tech guide from the DMA and ISBA)
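One way to get the cookie audit started is to build an inventory from the Set-Cookie headers your site actually returns. The script below is an added example, not code from the original post or from the Data Protection Network; it assumes a constructed capture of three headers from a single page load, a site domain of example.com and a 365-day threshold for flagging long-lived cookies. It records each cookie's domain, lifetime and security attributes and flags third-party, long-lived or weakly protected cookies for review; deciding whether a cookie is ‘strictly necessary’ is still a human judgement, so the purpose field is left for the owner to fill in.

```python
"""Cookie inventory helper to support a cookie audit (added example).

Parses Set-Cookie response headers and builds a review list. It reports
what each cookie technically does; the purpose/category must be assigned
by a person who knows why the cookie is set.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers standing in for a capture of one page load.
SAMPLE_SET_COOKIE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1234; Domain=.example.com; Path=/; Max-Age=63072000; SameSite=None; Secure",
    "ad_pref=xyz; Domain=.ads.example-tracker.net; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]

SITE_DOMAIN = "example.com"          # assumed first-party domain
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)  # fixed clock so lifetimes are reproducible


def parse_set_cookie(header):
    """Return a dict describing one Set-Cookie header.

    Max-Age takes precedence over Expires (RFC 6265); a cookie with neither
    is a session cookie and gets lifetime_days = None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": None, "path": "/",
              "lifetime_days": None, "secure": False, "httponly": False, "samesite": None}
    saw_max_age = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val
        elif key == "max-age":
            cookie["lifetime_days"] = int(val) / 86400
            saw_max_age = True
        elif key == "expires" and not saw_max_age:
            expiry = parsedate_to_datetime(val)
            cookie["lifetime_days"] = (expiry - NOW).total_seconds() / 86400
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.lower()
    return cookie


def is_first_party(domain, site_domain=SITE_DOMAIN):
    """A missing Domain attribute means host-only, so it is first-party."""
    if domain is None:
        return True
    return domain == site_domain or domain.endswith("." + site_domain)


def audit(headers, site_domain=SITE_DOMAIN, max_days=365):
    """Build the inventory and attach review flags to each cookie."""
    inventory = []
    for header in headers:
        c = parse_set_cookie(header)
        flags = []
        if not is_first_party(c["domain"], site_domain):
            flags.append("third-party")      # set for another organisation's domain
        if c["lifetime_days"] is None:
            flags.append("session")          # expires when the browser closes
        elif c["lifetime_days"] > max_days:
            flags.append("long-lived")       # persists beyond the review threshold
        if not c["secure"]:
            flags.append("no-secure")        # can be sent over plain HTTP
        if not c["httponly"]:
            flags.append("no-httponly")      # readable by page scripts
        inventory.append({
            "name": c["name"],
            "domain": c["domain"] or "(host-only)",
            "lifetime_days": c["lifetime_days"],
            "samesite": c["samesite"],
            "flags": flags,
            "purpose": "TO BE ASSIGNED BY OWNER",
        })
    return inventory


if __name__ == "__main__":
    for row in audit(SAMPLE_SET_COOKIE_HEADERS):
        print(row)
```

Run it against the Set-Cookie headers captured from a real page load (browser developer tools or a proxy will give you them) and the flagged rows show which cookies need a documented purpose and, for anything not strictly necessary, a consent mechanism before they are set.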
Simon Blanchard, June 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.