It’s just over a year since the General Data Protection Regulation (GDPR) changed how we view, process and store data. The regulation caused many organisations, already over-stretched, to scramble to ensure they met the requirements set out within the legislation.
Whilst there have been many successful applications of the law, there are still key areas that are commonly missed, leaving gaps in compliance and businesses vulnerable.
Below are some highlights of general areas of non-compliance or bad practice we have come across, and how they can be alleviated with a solid Information Governance Framework.
Privacy by Design
Privacy by Design is one of the most important elements when it comes to understanding the risk to personal information. However, it is still a common area that is skipped over due to lack of training and awareness.
By taking a “privacy by design” approach to your systems and processes, you will ensure that the privacy of the data subject is at the forefront and not an afterthought.
At the earliest stage of a project, ensure that your Data Protection or Information Governance Officer is informed of what you intend to do; depending on the level of risk involved you may be required to complete a Data Protection Impact Assessment (DPIA), and where the processing is likely to result in a high risk to individuals a DPIA is mandatory. This process will flag any risks and provide an opportunity to work on mitigations that reduce them.
An effective DPIA will ensure that all areas of Information Governance and Information Security have been scrutinised. Some areas to focus on include:
- The legal basis allowing the processing of personal information and, where special category information is involved, the condition you rely on to process it in this particular way.
- The use of any third-party Data Processors and the controls in place to ensure both parties remain compliant.
- How you intend on communicating the processing with the data subjects.
This can sound complex, but in reality can be covered by a questionnaire and checklist. We have templates we can supply to help with this; working with an Information Governance specialist will ensure that not only does the project deliver on your key objectives, but that it’s also delivered in a way that adheres to the requirements of Data Protection law and Information Security best practice.
Information Governance doesn’t just apply to technology in the workplace
Whilst the bulk of most organisations' information will sit within electronic systems, it's important to remember that both the Data Protection Act 2018 and the General Data Protection Regulation 2016 apply to any asset that contains personal information, whatever its format.
Due to the media coverage of cyber-attacks, many organisations have focussed purely on their IT systems, which leaves gaps in compliance wherever physical information is processed. Paper records, archives and post need the same careful consideration.
To ensure that all assets containing personal information are accounted for, an Information Asset Register (IAR) needs to be created and updated annually or whenever a new asset is introduced.
A good IAR will cover everything from your employee records to your client database. It should describe some of the following:
- The individual taking ownership of the information asset
- The volume of information within that asset
- The retention period of the asset
The National Archives provide an IAR starter template that can be used as a starting point.
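Once the IAR exists, the common failure is that it quietly goes stale: owners leave, retention periods are never filled in, and the annual review is missed. The script below is an added example (not the article's own material, nor the National Archives template) of the checks an Information Governance officer can run over an IAR export. The CSV column names and the sample rows are constructed for the example; a real register would use the organisation's own fields.

```python
"""Added example: a minimal Information Asset Register (IAR) checker.

Flags three common gaps in an IAR export:
  - an asset with no named Information Asset Owner,
  - personal data held with no retention period recorded,
  - an asset not reviewed within the last year.
Column names and sample rows are assumptions made for this example.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample IAR export. Columns are an assumption, not a standard.
SAMPLE_IAR = """\
asset_id,asset_name,format,owner,records,contains_personal_data,retention_years,last_reviewed
A001,HR employee files,paper,Head of HR,250,yes,6,2019-03-01
A002,Client CRM database,electronic,Sales Director,12000,yes,,2018-11-15
A003,Visitor sign-in book,paper,,400,yes,1,2019-05-20
A004,Marketing asset library,electronic,Marketing Lead,3000,no,3,2017-01-10
"""

# The article recommends an annual review of the register.
REVIEW_INTERVAL = timedelta(days=365)


def load_iar(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def check_asset(row, today):
    """Return the list of findings for one IAR row (empty list = no issues)."""
    findings = []
    if not row["owner"].strip():
        findings.append("no named Information Asset Owner")
    holds_personal_data = row["contains_personal_data"].strip().lower() == "yes"
    if holds_personal_data and not row["retention_years"].strip():
        findings.append("personal data held with no retention period")
    last_reviewed = date.fromisoformat(row["last_reviewed"])
    if today - last_reviewed > REVIEW_INTERVAL:
        findings.append(
            f"not reviewed since {last_reviewed.isoformat()} (annual review overdue)"
        )
    return findings


def check_iar(text, today):
    """Map asset_id -> findings, only for assets that have at least one finding."""
    report = {}
    for row in load_iar(text):
        findings = check_asset(row, today)
        if findings:
            report[row["asset_id"]] = findings
    return report


if __name__ == "__main__":
    # Fixed date so the run is reproducible against the constructed sample.
    for asset_id, findings in check_iar(SAMPLE_IAR, date(2019, 6, 1)).items():
        print(f"{asset_id}: {'; '.join(findings)}")
```

Run against the sample with a review date of 1 June 2019, the HR files pass, the CRM database is flagged for a missing retention period, the visitor book for a missing owner, and the marketing library for an overdue review. The same three checks map directly onto the three IAR fields listed above, which is why they are worth automating rather than eyeballing once a year.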
Regardless of the information format, the importance of physical security is paramount.
- Shut doors behind you and if you believe you’re being tailgated, ask the person to show you their security pass
- Lock any storage facility containing personal information when it’s not in use
- Be mindful when leaving your desk unattended, lock your computer screen and lock away any personal information
- Remind your colleagues of the importance of data protection and report incidents using your incident management procedure.
Compliance with Data Protection law is an ongoing challenge
Complying with Data Protection law is a never-ending process and a common mistake is to believe that the work is over and that ‘GDPR has been done’. This kind of mindset can lead to complacency which can lead to vulnerabilities.
Always remember that data protection applies throughout the entire personal information life-cycle, which starts from the collection of personal information all the way to its destruction and everything in-between (including storage and archiving).
On-going compliance can be maintained in a number of ways, including the following:
- Ensuring that employees complete annual Data Protection and Information Security training.
- Reviewing policies on an annual basis, considering any changes in law and best practice.
- Holding regular process reviews – book a recurring 6-monthly slot in diaries!
- Regularly meeting with business stakeholders to discuss areas of weakness, how to make improvements and highlighting any incidents that have occurred.
Making Information Governance a regular topic of discussion will generate interest, keep people up to date and promote good practice within the organisation. It is also key to establishing corporate buy-in. Many of our customers use our Information Governance service on a part-time, recurring basis to help facilitate the review and continual improvement of their governance.
Mandatory Policies
Your policy suite should include some of the following policies as a minimum:
- Data Protection Policy
- Retention Policy
- Information Security Policy
- IT Acceptable Use Policy
- Physical Security Policy
We can supply vanilla templates for these policies that save you writing them from scratch, and many organisations have shown that they can write informative, detailed policies themselves. The common mistake is not the writing but the delivery: policies are rarely communicated to staff appropriately.
Data Protection legislation makes it very clear that those processing personal information need to prove accountability, so simply uploading a new version of your policy suite to the staff intranet would only prove that the policies were created.
Organisations will need to evidence that these policies have been read and understood by employees. This can prove to be a challenge depending on your budget or the systems you have in place, but as a minimum staff should confirm back that they have read and understood the document – they should form the cornerstone of any induction / new joiner checklist.
Consider the approach to policy design and what your staff will actually read and take in. Finding a good balance between necessary detail and overkill can be a challenge.
We can help you manage your GDPR compliance as well as improve or audit your existing information governance practices.
Author: Ricci Wilding | Information Governance and Security Officer, Smartdesc Ltd