There are now just over nine months until the day on which GDPR applies to all organizations across the EU – including the UK. The fact that on 25 May 2018 there will still be a number of grey areas in the legislation does not reduce the obligation on EU entities processing personal data, or non-EU entities providing services into the EU, to be in compliance with the regulation.
But what does ‘compliance’ really mean? How does an organization prove it is compliant? At this point, there is no compliance certification mechanism. I struggle to imagine how there could ever be an effective compliance certification in relation to a law whose ultimate interpretation is decided in law courts.
There can, however, be evidence of ‘best efforts’ to meet the obligations. What might those best efforts look like? In simple terms, I think there are two aspects: the first is that personal data is actually protected against breaches, and the second is that it is easy for data subjects to exercise all their rights in relation to their data.
An effective ISMS – one which considers risks to the rights and freedoms of data subjects as well as to the reputation and performance of the data controller or processor – is the starting point for effective data protection. Cyber Essentials, ISO 27001 certification, regular penetration testing, data encryption, staff training and awareness, and robust incident response processes are all essential components of an effective ISMS.
Clear privacy notices, carefully thought-through mechanisms for facilitating the exercise of data subjects’ rights and a robust and agile data subject access process are key elements of an effective personal information management system (or PIMS). A PIMS is driven by a data protection policy and should include all the processing records and evidence of compliance with the six data protection principles that will enable you to demonstrate that you have indeed put your best foot forward to meet your compliance obligations.
Of course, effective data protection and robust data subject rights processes are likely to make significant contributions to helping you avoid ever having to report a data breach to the ICO or, indeed, having to respond to a legal action from a data subject. In a sense, avoiding those two outcomes will be a substantial demonstration that you have met – and are continuing to meet – your GDPR compliance obligations.
More about Alan Calder
Alan is the founder and executive chairman of IT Governance. He is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. Alan wrote the definitive compliance guide, IT Governance: An International Guide to Data Security and ISO27001/ISO27002 5th edition (co-written with Steve Watkins), which is the basis for the UK Open University’s postgraduate course on information security. This work draws on his experience of leading the world’s first successful implementation of BS7799 (now ISO27001).
Other books written by Alan include: The Case for ISO27001, ISO27001 – Nine Steps to Success, Risk Assessment for Asset Owners, IT Governance: Guidelines for Directors, IT Governance: A Practitioner’s Handbook and IT Regulatory Compliance in the UK.
Alan is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.