What does compliance look like?
The model for compliance with the UK GDPR can vary with the type of organisation, the nature of the personal data you process, and other factors. However, in general terms compliance can be thought of as consisting of the following elements:
Policies – documents which confirm your organisation's approach to data protection. Typical policies will include a data protection policy, an IT security policy, a retention policy, a data breach policy and a policy regarding the rights of data subjects.
Procedures – whereas policies identify the organisation's approach to data protection, procedures explain the consistent behaviours required of staff, volunteers, and other stakeholders. There will generally be at least one procedure for each policy. The procedures should be designed to be clear and easily understood, and often include the use of checklists.
Training – if people are to be held to account for consistently following the procedures, then training needs to be offered. Training will normally be of two types:
- Induction training – this is training given when a person takes up a new role, either when they are first engaged by the organisation or when roles change.
- Ongoing training – this is training given on an ongoing basis (often annually or in response to a particular set of circumstances) which serves as a reminder of the induction training. This can also be used when regulations and best practice change, in parallel with changes to the induction training material.
Appropriate (IT) systems – policies, procedures and training all need to be underpinned by appropriate systems which will help in the processing of personal data. Almost certainly, these appropriate systems will be IT based and will vary from comprehensive CRM solutions, through to simple spreadsheets and other control documents. Appropriate systems can significantly minimise the data protection risks, provided they work in conjunction with policies, procedures and training.
Review – all of these elements need to undergo regular review, either driven by a time period (often annually) or in response to changes in the external environment, regulations and best practice, your organisation's business processes, or other circumstances. Many organisations make the mistake of thinking that compliance with the UK GDPR is a one-off exercise, whereas it is an ongoing project.