The GDPR has set fairly broad goals and requirements for businesses and organisations, making it quite hard to know exactly what they have to do to become, and remain, compliant, and whose job it is. Until the rules become more prescriptive, it falls on each business or organisation to work out what will be an acceptable effort towards becoming compliant with the regulation.
As for whose job it is, experts say the responsibility and accountability lies with every member of a company, from the board of directors down. That said, someone needs to drive the process and to see that the rest of the team receives training in GDPR best practices. But that’s a topic for another post.
Meeting requirements
Imagine you own a small to mid-sized business, have read up online about the GDPR and signed up for news feeds about it. You’ve also worked out what you need to do to refine your particular information systems so that you meet GDPR compliance requirements in terms of how you collect, use, store and possibly share personal data.
You haven’t used compliance software but you know the proof of your compliance efforts are there somewhere between your laptop, a colleague’s laptop, a few flash drives and the cloud.
Showing compliance
What would you do if the authorities asked to see your compliance efforts? Would you be able to produce an understandable data map of where and how personal information flows through your business? Will your privacy notice 100% up to date? How long would it take for you to generate a status report on your GDPR compliance?
For many businesses, being able to prove GDPR compliance would be a matter of stopping ops and pulling it all together – in a panic. The regulation is a reality and isn’t going away, so it’s probably wise to get your business to a point where you can produce a data map in a day, have a system to ensure that your privacy notice is always current, and that you can generate a status report within a couple of days.
With a Compliance software
It would be easier if you used compliance software. For a monthly fee of between €50 per month (up to 9 employees) and €100 per month (up to 50 employees) you would have all your compliance efforts available within a few hours. These are the kinds of things you’d be able to show straight away:
- A current report on your GDPR compliance status
This can be generated in one-click and shows your compliance readiness to date.
- An up-to-date privacy notice
When you make changes to your privacy notice it’s automatically updated and republished to your website, keeping you in line with GDPR governance requirements.
- The status of all subject access requests
The software keeps a record of when the SAR was submitted, when the request was actioned and what the status of the request is.
- An outline of personal information processing that occurs in your business
The software contains a data mapping tool that enables you to show where and how personal information flows through your business.
- All relevant documentation indicating steps you’ve taken towards compliance
Every step of your compliance journey taken with the software is recorded so that you can produce an electronic paper trail at any time.
- The status of data breach incidents
The software enables you to manage data breaches, from assessing and documenting to reporting them within the stipulated 72 hours of becoming aware.
- The status of each employee’s training in GDPR best practices
The training programme within the software logs each employee’s progress.
Another advantage of being able to clearly show your compliance efforts is that if your business suffers a data breach it won’t be liable for a hefty fine that non-compliance will attract.