25th May…. It’s the date we have all been working towards, some of us for many months. But what happens on 26th May, and the day after that?
Well, initially we all have a well-deserved rest over a bank holiday weekend, and then it’s business as usual from Tuesday 29th May. But what is ‘business as usual’?
For those who have not been able to complete their GDPR preparations prior to 25th May, you should have an action plan to take you through the following weeks and months on the journey to compliance with the principles of the GDPR and to demonstrate ongoing accountability.
But if you have completed your preparations it doesn’t mean that you don’t have any ongoing work to do. In order to demonstrate accountability, you will need to test your processes, test your staff and create an audit programme.
1. Test your processes
You have created a lovely shiny process to be followed if a data subject exercises one of their rights; but does it work? You may not receive a request straight away, so why not run a workshop on the basis that you have received a request and work out the steps you need to follow to comply with the 30-day timescale – use the outcome to refine your process where necessary.
2. Test your staff
You have trained your staff but how much have they actually understood? Are your policies and procedures embedded? Test them. Send in a ‘dummy request’ and see what happens. Don’t forget to also test from a cyber security point of view – simulated phishing email tests are a useful exercise.
3. Create an audit programme
How will you demonstrate ongoing compliance? DPOs should consider regular spot checks, especially if your business has more than one site – are the team keeping paper that you think has been destroyed? Are visitor processes being followed – turn up unannounced and you will find out! Don’t forget that root cause analysis of complaints and data breaches will provide you with valuable insight into how well your GDPR programme has been embedded. Check your websites on a regular basis to make sure they haven’t reverted to old versions of any of your policies. Monitor social media for mentions of your business, which can be an early indicator of a data breach.
4. Keep up to date
The draft Data Protection Bill had a provisional report stage on 9th May and, as progress continues to be slow, it may not be enacted before 25th May. The E-Privacy Directive is also still stalled and could arrive at any time in the coming months, so it’s definitely one to watch, and it’s always worth checking the ICO’s website for updates on how they intend to enforce GDPR and what they will be looking at in the coming months.
Here at Teal we will of course keep you up to date through our blogs and our experts are always available to offer advice or even to come in and test your processes for you. Just drop us an email – firstname.lastname@example.org