The Road to Data Protection Compliance

Philip Brining

Our expert, founder and managing director, Philip Brining shares The Road to Data Protection Compliance in this article.

A Starter Guide for Everyone

The road to data protection compliance can be tricky to navigate. In my role as an account manager, I’ve noticed varying levels of understanding among customers regarding the measures required for compliance and their current organisational situation.

So, what does it take to work towards compliance? It is worth stating that no organisation is ever fully compliant, as the data protection landscape is ever-changing. If you are starting from scratch, the process might feel overwhelming. At DPP, we guide customers through the steps to gain and maintain control over their organisation’s personal data, working towards compliance with the law and best practice in the most streamlined way possible. That’s why our mantra is Data Protection Made Easy and why organisations come to us.

To demystify what’s involved, below I’ve outlined key focus areas imperative to your data protection compliance. DPP can guide you on all these areas so feel free to contact us for support.

*Please note that the highlighted measures and risks are not exhaustive*

Key Focus Areas for Data Protection Compliance

ICO Registration/DPO

What is it?

If you haven’t already done so, the initial step is to check whether your organisation is registered with the ICO. Most organisations that handle personal data are obliged to register and pay the data protection fee, with certain exemptions. You can verify your registration status, and whether an exemption applies, on the ICO’s website.

Additionally, you must determine whether the legal criteria for appointing a Data Protection Officer (DPO) are met. The DPO must fulfil the responsibilities set out in the UK GDPR. Where a DPO isn’t mandated by law, appointing a data protection lead, whether an individual or a team, is advisable to oversee compliance with data protection regulations within the organisation.

Non-compliance risks

  • Increased vulnerability to legal actions
  • Lack of expertise and guidance
  • Increased risk of data breaches
  • Poor handling of data subject rights
  • Negative impact on reputation
  • Difficulty demonstrating compliance.

Information Governance Framework (IGF)

What is it?

This is your organisation’s handbook on how it’s committed to compliance.

It includes a data protection policy (the “what you will do to ensure individuals’ information is protected”) and corresponding procedures (the “how you will do what you say you will do”), like individual rights and breach procedures. As a corporate document recognised by your Board, a policy sets the boundaries for what is acceptable or tolerated and what isn’t.

Non-compliance risks

  • Failure to meet the accountability principle of the UK GDPR – may lead to regulatory fines.
  • No centralised approach to handling personal data.
  • Increased chance of data breaches.
  • Reputational damage/loss of trust.

*DPP has an Information Governance Framework which we can help customers implement*

Record of Processing Activities (RoPA)

What is it?

A RoPA is the document that records what personal data your organisation processes and ensures it is used lawfully. For each processing activity it captures details such as the purpose of the processing, the categories of data and individuals involved, the recipients of the data, retention periods, any international transfers, and the security measures applied.

Compiling a RoPA is a big task, as in most cases it requires input from nearly every department. But once it is done, it is the most useful document for mapping out a business’s processes and illustrating UK GDPR compliance measures. It provides a backbone from which you can link much of your other evidence, such as lawful bases and retention periods.

Non-compliance risks

  • Failure to meet Article 30 of the UK GDPR (this Article sets out the requirement for a RoPA).
  • Failure to meet the accountability principle of the UK GDPR.
  • Difficulty responding to regulatory inquiries (this is one of the first documents the ICO would request in an investigation).
  • Lack of oversight on data processing.

*DPP can help you build an effective RoPA*

Privacy Notices and Cookies

What is it?

Privacy notices explain how information is collected, used, disclosed, and managed, promoting transparency and informing individuals about their privacy rights. A privacy notice is the one document every data subject is pointed towards, and if it is done well it can answer a wide range of queries before they are ever raised.

Cookies are small text files that a website places on a visitor’s device and reads back on later visits, allowing information about the visitor to be stored and tracked as they browse. Some cookies are strictly necessary for the site to work; all others require the visitor’s consent under PECR before they are set. It’s important to have a cookie policy on your website and an appropriate consent mechanism, such as a banner, which complies with the requirements for obtaining valid consent: the choice must be freely given, specific, informed and unambiguous, so non-essential cookies must not be set before the visitor opts in, and closing the banner or pre-ticked boxes cannot count as consent.
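To make the consent rule concrete, here is an added example (not code from DPP or from this article) of the logic behind a consent banner: essential cookies may always be set, anything else only after an explicit, recorded opt-in, and any missing, malformed or non-explicit consent record is treated as no consent. The cookie names, category names and the JSON consent record format are assumptions for illustration.

```javascript
// Added example of a cookie consent gate. The category names, cookie-to-category
// mapping and consent record format below are assumptions for illustration only.

const ESSENTIAL = "essential";
// Non-essential categories that require explicit opt-in (assumed).
const CATEGORIES = ["analytics", "marketing"];

// Which category each cookie belongs to (assumed mapping for the example).
const COOKIE_CATEGORY = {
  session_id: ESSENTIAL, // keeps the visitor logged in
  csrf_token: ESSENTIAL, // request forgery protection
  _ga: "analytics",      // assumed analytics cookie
  ad_id: "marketing",    // assumed advertising cookie
};

// Parse a stored consent record (JSON string). Default deny: a missing record,
// malformed JSON, or any value other than an explicit boolean true means "not consented".
function parseConsent(raw) {
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (typeof raw !== "string" || raw === "") return consent;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return consent;
  }
  if (!parsed || typeof parsed !== "object") return consent;
  for (const c of CATEGORIES) {
    if (parsed[c] === true) consent[c] = true;
  }
  return consent;
}

// Serialise the visitor's explicit choices from the banner. Only a strict `true`
// counts as opting in; unknown categories are dropped; the timestamp is kept as
// evidence of when consent was given.
function recordConsent(choices, recordedAt) {
  const record = {};
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  record.recordedAt = recordedAt;
  return JSON.stringify(record);
}

// May this cookie be stored under the parsed consent? Unclassified cookies are
// refused until someone categorises them, so nothing slips through by omission.
function mayStoreCookie(name, consent) {
  const category = COOKIE_CATEGORY[name];
  if (category === undefined) return false;
  if (category === ESSENTIAL) return true;
  return consent[category] === true;
}

// Apply the gate to a set of requested cookies. `jar` is anything with set(name, value)
// (a Map here; document.cookie in a browser). Returns the names actually stored.
function setCookies(requested, rawConsent, jar) {
  const consent = parseConsent(rawConsent);
  const stored = [];
  for (const [name, value] of Object.entries(requested)) {
    if (mayStoreCookie(name, consent)) {
      jar.set(name, value);
      stored.push(name);
    }
  }
  return stored;
}

// Walk-through with constructed inputs: before any choice, after accepting
// analytics only, and after a record that was tampered into a non-boolean.
function demo() {
  const requested = { session_id: "s1", _ga: "GA1.2.1", ad_id: "ad42", tracker: "x" };
  const beforeChoice = setCookies(requested, null, new Map());
  const record = recordConsent({ analytics: true, marketing: "yes" }, "2024-01-01T00:00:00Z");
  const afterChoice = setCookies(requested, record, new Map());
  const tampered = setCookies(requested, '{"analytics":"true","marketing":1}', new Map());
  return { beforeChoice, afterChoice, tampered };
}
```

The point to take from the example is the direction of the default: the gate fails closed, so a bug in the banner, a corrupted record or an uncategorised cookie results in fewer cookies being set rather than more. In a real deployment the `jar` would be `document.cookie` or a server-side `Set-Cookie` writer, and the consent record would be stored in an essential cookie or local storage so it survives page loads.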

Non-compliance risks

  • Failure to meet the transparency principle of the UK GDPR.
  • Individual complaints and litigation.
  • Failure to fulfil rights available to individuals.

*DPP can help you create sufficient privacy notices and advise on cookie compliance*

Third Parties

What is it?

Third parties are external organisations that have access to your organisation’s personal data. If the third party only acts under your instructions, then they will be known as a processor for that shared data (e.g. a software provider or a contractor). If they take that information and make their own decisions about how to use it, then they will be a controller (e.g. the police or an insurance company).

When sharing data with processors you need to undertake data protection due diligence, as it remains the controller’s responsibility to ensure the shared data will stay safe. If satisfied, you should enter into a data processing agreement containing the terms required by Article 28 of the UK GDPR, contractually binding both parties to protect the data.

When sharing data with controllers, measures should be in place to ensure the secure sharing of data. This may include a data sharing agreement which lays out the arrangements and responsibilities of each party.

There are added responsibilities when transferring data internationally, and these obligations depend on the specific country to which the data is being transferred (for example, whether it is covered by UK adequacy regulations or whether a transfer mechanism such as the International Data Transfer Agreement is needed).

Engaging managers and procurement partners early, at the contract discussion stage, allows the right questions to be raised in time: whether a data sharing agreement or international transfer arrangement is needed, whether the relationship is controller to controller, and so on. This reduces workload and gives breathing space before a contract is entered into.

Non-compliance risks

  • Legal and regulatory non-compliance with Article 28 of the UK GDPR.
  • Supply chain vulnerabilities.
  • Ineffective breach response.
  • Ineffective rights handling.
  • Potential loss of data if sharing internationally without appropriate safeguards.

*DPP can undertake supplier audits including undertaking due diligence on all processors and review agreements to ensure they are sufficient. We can also review international transfer arrangements*

Individual Rights

What is it?

Under the UK GDPR, individuals have specific rights concerning their personal data. These rights include, but are not limited to, the ability to request a copy of their information, ask for the deletion of their data, and seek corrections to inaccuracies in their data.

It is the organisation’s responsibility to ensure that its staff can identify a rights request and that effective measures are in place to fulfil it within the one-month period (which can be extended by up to two further months for complex or numerous requests, provided the individual is told within the first month). You need to keep a log of requests received and a procedure for handling them, which will sit in your IGF.

A sound Privacy Notice can support dialogue with requesting individuals.

Non-compliance risks

  • Failure to fulfil people’s legal rights.
  • Failure to comply with Chapter 3 of the UK GDPR.
  • High chance of individual complaints and litigation.
  • Adverse impact on customer relationships.

*DPP can manage subject access requests, offer training, and provide guidance on recognising and handling such requests*

Data Protection Impact Assessments (DPIAs)

What is it?

DPIAs are risk assessments of a business activity that involves people’s information. They identify the risks that using the information poses to the individuals concerned and set out how those risks will be mitigated. Certain activities, such as processing likely to result in a high risk to individuals, legally require a DPIA; for others (e.g., migrating to a new database) a DPIA is best practice.

A DPIA may surface concerns for individuals, gaps against a specific part of the law, and financial or reputational risks to the organisation.

You should have a procedure for determining when a DPIA is required and how to complete one. Starting a DPIA late in the procurement, deployment, or business change process may create unnecessary surprises and anxiety.

Non-compliance risks

  • Failure to comply with Article 35 of the UK GDPR and potentially other areas of the law.
  • Operational disruptions.
  • Missed opportunities for risk mitigation.
  • Regulatory actions and fines.

*DPP provides training on DPIAs and assistance in writing and reviewing them*

Training

What is it?

All employees should undergo data protection training at least annually to foster and uphold a culture of data protection throughout the organisation. General data protection training is essential for all staff, with more specialised training provided to those who need it (e.g., rights requests training for staff handling such requests or board-level training emphasising the importance of data protection at that level).

Training should cover the relevant legal requirements and raise awareness of the organisational measures staff are expected to follow. Remember that many teams process the same personal data but in different ways depending on their focus, and that they may struggle with some of the terminology, so offer bespoke sessions to test how well they understand their role in processing and safeguarding personal data, and recognise the value they add.

Non-compliance risks

  • Failure to comply with data protection laws due to a lack of understanding.
  • Data breaches and security incidents with ineffective incident response.
  • Absence of a data protection culture.
  • Challenges in implementing policies and procedures.
  • Limited awareness and handling of individual rights.

*DPP offers a range of training services at all levels*

Security

What is it?

Security is a fundamental principle of the UK GDPR (the integrity and confidentiality principle, backed by Article 32), requiring organisations to implement appropriate measures to protect people’s data. This includes physical measures like locked cabinets, technical measures like multi-factor authentication and encryption, and organisational measures like policies and procedures. In today’s digital age it is crucial that security measures match the level of risk posed to people’s information. You need to be able to show that you have implemented security measures appropriate to the risks and that these measures are kept under review.

Non-compliance risks

  • Data breaches.
  • Reputational damage.
  • Failure to comply with the law.
  • Risks to affected people (this even includes risk of physical harm).

*DPP has a suite of security services, including consulting, ISO 27001 support, Cyber Essentials Plus and PCI DSS*

Audits

What is it?

Every organisation should conduct annual audits of its data protection practices, policies, procedures, and technical measures to check compliance with applicable data protection laws. Audits identify potential risks of non-compliance, assess the effectiveness of the data protection measures in place, and confirm that personal data is handled lawfully and securely.

Data protection audits demonstrate accountability, identify areas for improvement, and proactively address risks. It is advised to engage an independent auditor to ensure an impartial and objective assessment.

Non-compliance risks

  • Lack of accountability.
  • Lack of understanding of organisation’s compliance stance.
  • Increased risk of non-compliance.
  • Increased chance of breaches and security incidents.
  • Increased regulatory scrutiny in an investigation.

*DPP provides a suite of audit services, including a gap analysis, full compliance audit, PECR audit, and bespoke audits*

Responsibilities

In conclusion, safeguarding personal data is a collective responsibility within the organisation, necessitating ongoing training and awareness initiatives. By establishing clear objectives tailored to individual job roles and involving all staff in relevant data protection projects, we ensure a proactive approach to compliance.

Given the intricate nature of data protection, we understand the challenges you may face. Should you require any assistance or guidance in navigating these complexities, please feel free to reach out to us. We’re here to alleviate any pressures and support your efforts toward maintaining robust data protection practices.