It’s been over 100 days (yes, really) since the dreaded GDPR deadline, and businesses are increasingly being held to account for how they manage personal data. Customers, too, are starting to take notice of their rights to manage and protect their own personal data. GDPR is here to stay, so being able to deal with its impact makes good business sense.
In particular you need to be prepared if your potential customers ask you to respond to RFPs or take part in other tender processes. You will likely start to see an increase in the questions relating to how you manage personal data and keep it secure, what activities and training you have undertaken to be GDPR compliant and how can you demonstrate this.
Relying on having reviewed your customer mailing list and recently updated your privacy notice is simply not enough. To understand the scrutiny you could face, here are some questions we have seen in recent procurement exercises:
- Provide details of the exact technical and organisational measures which ensure your compliance with GDPR for all personal data that you hold.
- Are all your staff fully trained in GDPR and other relevant data protection legislation? Please provide evidence of training content and attendance.
- Provide details of the appropriate measures your organisation has implemented to secure its systems and data against internal and external threats and risks, and the process you follow to continuously review and revise those measures to address ongoing threats and risks.
In order to provide evidence and details of the measures taken to ensure compliance, an organisation will need to have gone through a series of activities that include:
- Identifying a person responsible for data protection
- Mapping all the types of personal data your organisation collects and uses
- Identifying who accesses that information inside and outside of the organisation and ensuring systems and data are secure
- Assessing how long information is legitimately held for
- Determining the lawful basis for processing that data and the impacts of data loss
This is just the start. It is important to undertake a risk assessment to understand how data is stored and how it is kept secure, and to ensure you have the right physical and IT protection in place. With this information in hand, an organisation can consider which policies it needs to have in place or develop, and which processes should be put in place to deal with issues such as data breaches and data requests from those whose information it processes. You will also need to train your staff to ensure they understand their responsibility to help you protect personal data.
If an organisation has worked through these stages, acted to improve security and compliance, and documented this activity and training, it will not only have taken the necessary compliance steps but will also be able to evidence this when faced with such questions.
It is business critical for larger organisations to be GDPR compliant and this is filtering through their supply chain. So now whilst there is a perceived period of grace, it’s a good time to finish the process you may have started. Besides, demonstrating your compliance can position your brand as industry leading, help you stay ahead of competitors and will certainly help protect your business from the threat and risks of data loss or theft.
How we can help
If you’ve got all this covered then pat yourself on the back as it sounds like you’re on your way to being GDPR compliant. If not or if you have any questions send us an email today and we’ll happily discuss your needs in more detail.
You may want to consider using an online support tool like Astrid – specifically if you are just starting your compliance journey, if you have taken some steps but have not yet completed the process, or if you need a good way to document the steps you’ve taken. Developed with SMEs in mind, the secure platform shows you what you need to do and gives you the tools and information you need to improve your data protection and to become and remain compliant with the GDPR. This includes a secure portal in which to hold your data protection evidence and a training module enabling you to train staff and evidence that training. On completion of the compliance process, Astrid awards a certificate, giving you evidence to demonstrate your commitment to compliance to your employees, customers and other contacts. If you want to discuss this tool or any of your GDPR requirements, again, please get in touch.