Why documentation is critical to GDPR compliance

Posted March 06th, 2018 by Paul Sandford

In our recent blog series Getting to grips with the EU GDPR, we addressed a number of questions regarding how to prepare for the General Data Protection Regulation (GDPR). Among these were accountability, consent, and the importance of deploying a Data Protection Officer. In our latest blog, our Senior Security Consultant Nigel Peers draws on his experience in the field to highlight the importance of documentation to ensure GDPR readiness.

In the run up to the implementation of the GDPR, we’ve been helping numerous organisations ensure they are compliant with the legislation before the May deadline. Part of this process has involved conducting numerous Organisational Readiness Assessments in a variety of different sectors, most notably within education. During this process we identified many issues that are continuing to hold organisations back from compliance and placing them at risk of large fines. The most common issue by far is inadequate documentation.

The importance of GDPR documentation

The new GDPR contains requirements to ensure internal records are continuously maintained, including the documentation of processing activities. The records that must be kept up-to-date include processing purposes, data sharing, and retention. According to the Information Commissioner’s Office (ICO), documenting this information is linked to the principle of accountability and will help all organisations, both commercial and educational, demonstrate compliance with the GDPR. This is a new requirement under the legislation.

But it seems many aren’t aware of this obligation. The general feedback from all industries regarding their current data protection activities is: ‘Yes, the procedures are in place, but we haven’t written these down within our policies.’ This is a critical mistake, especially when the hard work of carrying out those data protection tasks has already taken place. It highlights inadequate knowledge of privacy policy and privacy notice requirements, and shows that increased awareness is required to take organisations from the cusp of compliance to being GDPR ready.

Why staff training is important

We also noticed an overall lack of staff awareness regarding the new GDPR, and little understanding of how their day-to-day activities can impact whether their employers remain compliant. A company or school’s employees are its first line of defence, so ensuring they have had the training to identify a malicious email that could lead to a data breach is crucial. GDPR compliance can only be achieved when everybody plays their part.

Conducting an Organisational Readiness Assessment is the first step towards achieving compliance. This comprehensive assessment covers all requirements of the EU GDPR and provides a clear and actionable journey to compliance. Are you on track to GDPR readiness?

