At uCheck, we take data protection very seriously – that’s why we thought we’d share some tips to help your organisation stay compliant with the General Data Protection Regulation, or GDPR.
The GDPR caused something of a stir when it came into effect back in May 2018. But now that the dust has settled, organisations need to consider whether they’ve understood and implemented GDPR requirements to their full extent.
GDPR compliance is an ongoing responsibility
If you think the GDPR seems daunting, you’re not alone. A recent report by TrustArc found that only 20% of businesses believe they are GDPR compliant.
Even with the best intentions, it’s inevitable that some organisations may fall short of compliance. This could happen for a variety of reasons, including:
- Conflicting internal priorities
- Poorly defined areas of responsibility
To overcome these challenges, organisations should continually review their compliance arrangements and adopt a coordinated approach to data protection.
Assessing data protection compliance
When assessing the effectiveness of your organisation’s compliance arrangements, you may want to consider:
- Assigned responsibilities
- Documentation, including the recording of data processing activities
- Technical and organisational measures
- Data Protection Impact Assessments (DPIAs)
- Incident response processes
- Management of contracts and third-party processors
The Information Commissioner’s Office (ICO) has a useful data protection self-assessment toolkit with checklists to help you evaluate your arrangements.
The seven key principles of GDPR
The GDPR sets out seven key principles. These should guide your organisation’s approach to processing personal data.
Lawfulness, fairness and transparency
You must establish a lawful basis under GDPR for any data processing your organisation does.
When you process data, you should always do it in a way that is fair. Organisations are required to be open and honest about what data they’re collecting and processing, and how they’re doing it. This information must be accessible and easy to understand.
Organisations must also treat people fairly if they exercise their rights over their data.
You must only collect data for specified, explicit and legitimate purposes, and must not process it in a way that is incompatible with those purposes.
If you want to use data that you’ve collected in a new way, you must gain further consent from the people whose data you want to use.
Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which you’re processing it.
In other words, only collect the data that you need – and no more.
Data must be accurate, and where necessary, kept up to date.
Your organisation should take every reasonable step to achieve this. Inaccurate data should be erased or rectified without delay.
Data should be kept for no longer than is necessary to fulfil the purposes for which you’ve collected it.
Document your arrangements in your data retention policy, and remember that you must be able to justify the retention periods.
Longer retention periods are allowed for personal data if you’re only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
Integrity and confidentiality
This is the GDPR’s security principle. You must have appropriate technical or organisational measures in place to ensure appropriate security of the personal data.
This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. A thorough security risk assessment process will help here.
To increase resilience of our systems we have further strengthened our cloud-based server solution with Amazon Web Services. Our systems can scale up and down with demand whilst monitoring the efficiency of all aspects of our infrastructure.
Your organisation must take responsibility for what it does with people’s data, and how it complies with GDPR requirements.
You must be able to demonstrate your compliance through appropriate procedures and records.
For more information about the seven principles, refer to the ICO’s guide.
The DBS Code of Practice
All organisations have to comply with data protection laws, but those that receive or process DBS data must also follow specific rules about handling this DBS data.
The DBS Code of Practice is in place to ensure that criminal record information is used fairly and appropriately.
See our blog Why is confidentiality important for DBS data? for more information on the Code of Practice.
Data protection following Brexit
UK organisations will still need to comply with the requirements of the GDPR during, and after the transition period.
You can stay up to date on how BREXIT will impact data protection on the ICO’s website.
Keeping up with GDPR
The European Commission is required to publish a report on the evaluation and review of the GDPR by 25th May 2020.
The European Council has already published a draft position on the application of the GDPR, which forms part of the evaluation process. You can read the draft here.
Staying data protection positive
It’s important to remember that GDPR compliance is a learning process, and most organisations are on the same journey.
Rather than seeing it as something scary, compliance with data protection laws can be viewed as an opportunity for your organisation to show its commitment to protecting the rights of job applicants, employees and customers.
Good data protection can have many benefits for your organisation. It will increase employee and customer confidence, improve your organisation’s reputation and help save time and money.Back to Blogs
Our blogs are advisory in nature and reflect uCheck Limited’s current thinking about best and common practice in the subjects discussed.
The information contained in our blogs have been provided for information purposes only. This information does not constitute legal, professional, or commercial advice. Whilst every care has been taken to ensure that the content is up to date, useful and accurate, uCheck gives no guarantees, undertakings, or warranties in this regard, or, for any loss or damage caused arising directly or indirectly in connection with reliance on the use of such information.