
GDPR Regular Review Tasks; the bit everyone forgets!

Your organisation is GDPR compliant, but how do you stay that way?

Elements that need regular reviews

  • Review your processing records
  • Review the information in your data asset register if you have one
  • Check your privacy notices to make sure that they still accurately represent the processing that takes place
  • Check the GDPR principles remain embedded in the processing that takes place across your business
  • Monitor the performance of the Data Protection Impact Assessment process
  • Review and update any Data Protection Impact Assessments (DPIA) to ensure that the relevant requirements of the GDPR are being complied with and any steps intended to reduce risks to individuals have been implemented
  • Check any contracts you have in place remain relevant
  • Review training materials to ensure they remain relevant
  • Actively test any business continuity arrangements that you have in place. For example, do your backups work? Can that system be restored?
  • Test your security measures to ensure they remain appropriate and up to date. Have you tried penetration testing to see if your organisation can be breached by a third party?
  • Consider testing your breach response plan; as a minimum you should review it.

Monitoring Review Tasks

  • Monitor staff knowledge about data protection and their training levels in relation to GDPR specifics.
  • You should review breach levels and reports to make sure you learn from trends or specific lessons.
  • You should monitor the effectiveness of your organisational and technical controls, such as system access controls. For example, are people who have left your organisation removed from access lists?
  • You should keep an eye on the number of complaints relating to data protection issues; these can be an important indicator that something is going wrong and could become a serious issue should those complaints be referred to the ICO.
  • You will also need to understand how many requests you are getting from data subjects in relation to their enhanced rights. Receiving many requests may be a pointer that you are doing something that people find unexpected. If you are turning away a lot of unfounded requests, this may point to a communication issue that you may be able to resolve.
  • You should make sure that you are managing the performance of Data Processors working on your behalf through regular reporting and, where appropriate, account management reviews.
  • If your IT systems and networks are sufficiently complex, you may want to install network and system monitoring tools to act as early warning systems for security issues.
  • Finally, you should monitor general standards of good industry practice on an ongoing basis as these can help you to remain within expectations. It can also be helpful to understand where similar organisations have gone wrong too, as this can help you to pre-empt similar problems. Joining an industry support forum can be a useful way of meeting people from similar organisations and finding out about challenges they face and useful processes they have adopted.
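The access-control check above (are people who have left removed from access lists?) is the one item in this list that can be automated rather than eyeballed. The following is an added example, not code from the original post: it reconciles each system's exported user list against an HR leaver export and reports accounts that belong to leavers or to nobody in HR at all. The record layout, the `grace_days` allowance and the `ignore` list for known service accounts are assumptions, and both data sets are constructed sample data.

```python
"""Reconcile active system accounts against an HR leaver list.

Added example, not from the original post. It assumes an HR export of
(username, status, leaving date) and one exported username list per
system; both are constructed sample data below.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Employee:
    username: str
    status: str              # "active" or "left"
    left_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    reason: str                        # "leaver" or "unknown"
    days_since_leaving: Optional[int]  # None for "unknown" accounts


# Constructed HR export (assumed layout).
HR_RECORDS: List[Employee] = [
    Employee("asmith", "active", None),
    Employee("bjones", "left", date(2024, 1, 15)),
    Employee("cwong", "left", date(2024, 3, 1)),
]

# Constructed per-system access lists, as a system export would give them.
ACCESS_LISTS: Dict[str, List[str]] = {
    "crm": ["asmith", "bjones", "svc-backup"],
    "payroll": ["asmith", "cwong"],
}


def reconcile(hr_records: Iterable[Employee],
              access_lists: Dict[str, List[str]],
              as_of: date,
              grace_days: int = 0,
              ignore: Iterable[str] = ()) -> List[Finding]:
    """Return one Finding per account that should not still be active.

    - "leaver": the HR record says the person left more than grace_days
      before `as_of` (grace_days lets a handover window pass quietly).
    - "unknown": the username has no HR record at all; either a service
      account that belongs on the `ignore` list, or an orphan to explain.
    """
    by_user = {e.username: e for e in hr_records}
    ignored = set(ignore)
    findings: List[Finding] = []
    for system in sorted(access_lists):          # stable report order
        for user in access_lists[system]:
            if user in ignored:
                continue
            emp = by_user.get(user)
            if emp is None:
                findings.append(Finding(system, user, "unknown", None))
            elif emp.status == "left" and emp.left_on is not None:
                days = (as_of - emp.left_on).days
                if days > grace_days:
                    findings.append(Finding(system, user, "leaver", days))
    return findings


def count_by_reason(findings: Iterable[Finding]) -> Dict[str, int]:
    """Small summary for the monitoring report: how many of each reason."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    review_date = date(2024, 3, 10)  # constructed review date
    for f in reconcile(HR_RECORDS, ACCESS_LISTS, review_date):
        print(f"{f.system:8} {f.username:12} {f.reason:8} "
              f"{'' if f.days_since_leaving is None else f.days_since_leaving}")
```

Run it on each review cycle and keep the output with the review record; a rising "leaver" count over successive runs is exactly the kind of trend the monitoring section asks you to learn from, and every "unknown" account should either be added to the service-account list deliberately or removed.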

Chris Stevenson

I’m interested in lots of things and write about them. History, nature, environment, business topics, experimental stories and anything else I fancy.