GDPR Regular Review Tasks; the bit everyone forgets!
It is all too easy to consider compliance with the GDPR as a “one off” project that will complete and then be “done”.
Whilst the establishment of the initial baseline of compliance can be treated as a project (and generally was when the regulation was introduced), the compliance position must be maintained to ensure that it remains current.
Whilst the GDPR is clear that compliance must be maintained, the regulation is not prescriptive about timescales for reviewing the key documentation and business processes that form your compliance framework. Instead the regulation refers to regular reviews, leaving it up to the organisation to decide what is appropriate.
In practical terms you need to decide how often each of these activities should be reviewed in the context of your organisation. As with so much of the focus of the regulation, the best way to look at this is to consider the risks posed to individuals; the higher the risks, the more frequent the review should be. Other factors, such as the pace of technological change (including the changing capabilities of criminals who may want to access the data), will also be relevant.
You should ensure that appropriate processes and procedures are in place to make sure these reviews actually take place. This doesn’t have to be complicated; a recurring meeting with a standing agenda may well suffice.
Elements that need regular reviews
As a minimum, the following elements of your GDPR compliance need regular reviews. We won’t go into detail about what you need to do to maintain them as it would just duplicate the areas we’ve covered earlier.
- Review your processing records
- Review the information in your data asset register if you have one
- Check your privacy notices to make sure that they still accurately represent the processing that takes place
- Check the GDPR principles remain embedded in the processing that takes place across your business
- Monitor the performance of the Data Protection Impact Assessment process
- Review and update any Data Protection Impact Assessments (DPIA) to ensure that the relevant requirements of the GDPR are being complied with and any steps intended to reduce risks to individuals have been implemented
- Check any contracts you have in place remain relevant
- Review training materials to ensure they remain relevant
- Actively test any business continuity arrangements that you have in place. For example, do your backups work? Can that system be restored?
- Test your security measures to ensure they remain appropriate and up to date. Have you tried penetration testing to see if your organisation can be breached by a third party?
- Consider testing your breach response plan; as a minimum you should review it.
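The backup question in the list above (do your backups work, and can the system be restored from them?) is one that can be answered mechanically rather than by assertion. The script below is an added example, not code from the original article: it assumes a backup job that writes a tar.gz together with a manifest mapping each relative path to the sha256 digest recorded at backup time, restores every file into a scratch directory, and compares what actually lands on disk against that manifest. The sample files, the failure scenarios and the `make_backup` helper are constructed for the example; a real run would point `restore_test` at the archive and manifest produced by your own backup tooling. It also refuses archive entries whose path would escape the restore directory, a check any restore procedure should make before trusting an archive.

```python
"""Restore-test a backup archive against the sha256 manifest recorded when it was taken.

Added example, not code from the original article. It assumes a backup job that
writes a tar.gz plus a manifest mapping each relative path to its sha256 hex
digest; the files below are constructed sample data.
"""
import hashlib
import io
import os
import posixpath
import tarfile
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Build an in-memory tar.gz and the manifest a backup job would record alongside it."""
    buf = io.BytesIO()
    manifest: dict[str, str] = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel_path, content in files.items():
            info = tarfile.TarInfo(name=rel_path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
            manifest[rel_path] = sha256_hex(content)
    return buf.getvalue(), manifest


def safe_member(name: str) -> bool:
    """Reject archive entries that would be written outside the restore directory."""
    norm = posixpath.normpath(name)
    return not (posixpath.isabs(name) or norm == ".." or norm.startswith("../"))


def restore_test(archive: bytes, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Restore every file into a scratch directory and compare what lands on disk with the manifest.

    The report lists members that restored with the expected hash ("ok"), members whose
    restored content differs ("corrupt"), manifest entries absent from the archive
    ("missing"), files in the archive the manifest never recorded ("unexpected"), and
    entries skipped because their path was unsafe ("unsafe").
    """
    report: dict[str, list[str]] = {"ok": [], "corrupt": [], "missing": [], "unexpected": [], "unsafe": []}
    restored: set[str] = set()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                if not safe_member(member.name):
                    report["unsafe"].append(member.name)
                    continue
                dest = os.path.join(scratch, *member.name.split("/"))
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as out:
                    out.write(tar.extractfile(member).read())
                # Hash the file as it was actually written to disk, not the in-memory copy.
                with open(dest, "rb") as back:
                    digest = sha256_hex(back.read())
                restored.add(member.name)
                expected = manifest.get(member.name)
                if expected is None:
                    report["unexpected"].append(member.name)
                elif digest == expected:
                    report["ok"].append(member.name)
                else:
                    report["corrupt"].append(member.name)
    report["missing"] = sorted(set(manifest) - restored)
    return report


# Constructed sample data standing in for a small application backup.
SAMPLE_FILES = {
    "db/customers.csv": b"id,email\n1,a@example.org\n",
    "config/app.ini": b"[privacy]\nretention_days=90\n",
}


def demo() -> dict[str, dict[str, list[str]]]:
    """Run the restore test against a healthy backup and three failure modes."""
    archive, manifest = make_backup(SAMPLE_FILES)
    healthy = restore_test(archive, manifest)

    # Silent corruption after the manifest was recorded (bit rot, truncated write).
    damaged = {**SAMPLE_FILES, "db/customers.csv": b"id,email\n1,a@example.org\n\x00\x00"}
    corrupt = restore_test(make_backup(damaged)[0], manifest)

    # The backup job quietly stopped including a path.
    partial = restore_test(make_backup({"config/app.ini": SAMPLE_FILES["config/app.ini"]})[0], manifest)

    # An archive containing a path-traversal entry.
    hostile = restore_test(make_backup({"../outside.txt": b"x"})[0], {})

    return {"healthy": healthy, "corrupt": corrupt, "partial": partial, "hostile": hostile}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of hashing the restored file rather than the archive member is that a restore test should exercise the whole path to disk; the "missing" list catches the common failure where a backup job keeps running but silently drops a directory from its scope, which a simple "did the job exit zero?" check never reveals.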
In line with the accountability principle, you should keep a record that the regular reviews have been carried out so that you can show how you have attempted to maintain your compliance.
Monitoring Review Tasks
In addition to the regular reviews of your key compliance artefacts, it is recommended that certain elements of compliance are monitored to ensure that corrective action can be taken in the event that compliance areas begin to lapse.
The frequency and scope of monitoring your business processes should be tailored to your organisation’s specific requirements and the risks present in its data processing.
You should consider whether you should monitor your compliance in the following areas:
- Staff knowledge about data protection and training levels in relation to GDPR specifics.
- You should review breach levels and reports to make sure you learn from trends or specific lessons.
- You should monitor the effectiveness of your organisational and technical controls, such as system access controls. For example, are people who have left your organisation removed from access lists?
- You should keep an eye on the number of complaints relating to data protection issues; these can be an important indicator that something is going wrong and could become a serious issue should those complaints be referred to the ICO.
- You will also need to understand how many requests you are getting from data subjects in relation to their enhanced rights. Receiving many requests may be a pointer that you are doing something that people find unexpected. If you are turning away a lot of unfounded requests, this may point to a communication issue that you may be able to resolve.
- You should make sure that you are managing the performance of Data Processors working on your behalf through regular reporting and, where appropriate, account management reviews.
- If your IT systems and networks are sufficiently complex, you may want to install network and system monitoring tools to act as early warning systems for security issues.
- Finally, you should monitor general standards of good industry practice on an ongoing basis as these can help you to remain within expectations. It can also be helpful to understand where similar organisations have gone wrong too, as this can help you to pre-empt similar problems. Joining an industry support forum can be a useful way of meeting people from similar organisations and finding out about challenges they face and useful processes they have adopted.
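The access-control check in the list above (are people who have left the organisation removed from access lists?) is the kind of monitoring that is easy to automate from exports most organisations already hold. The script below is an added example, not code from the original article: it assumes an HR export with a status and leaving date per person and a per-system access export with an owner e-mail and last login per account, reconciles the two as at a given date, and reports accounts that are still present past an agreed removal window. Both exports, their column names and the seven-day window are constructed assumptions for the example.

```python
"""Reconcile an HR leavers export against system access exports to find accounts
that should already have been removed.

Added example, not code from the original article. It assumes two exports the
organisation can already produce: an HR feed (employee_id, email, status,
leaving_date) and a per-system access list (system, account, owner_email,
last_login). Both are constructed sample data; the column names are assumptions.
"""
import csv
import io
from datetime import date, timedelta

HR_EXPORT = """employee_id,email,status,leaving_date
E001,alice@example.org,active,
E002,bob@example.org,left,2024-03-15
E003,carol@example.org,left,2024-05-30
E004,dave@example.org,active,
"""

ACCESS_EXPORT = """system,account,owner_email,last_login
crm,alice.c,alice@example.org,2024-06-01
crm,bob.s,bob@example.org,2024-03-10
vpn,bob.s,bob@example.org,2024-04-02
vpn,carol.w,carol@example.org,2024-05-29
hr-portal,svc-report,,2024-06-01
hr-portal,dave.r,dave@example.org,2024-06-03
"""


def rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value: str):
    return date.fromisoformat(value) if value else None


def reconcile(hr_csv: str, access_csv: str, as_of: date, grace_days: int = 0) -> dict:
    """Return accounts still present for leavers past the agreed removal window,
    plus accounts with no recorded owner (which cannot be reconciled at all)."""
    leavers = {}
    for r in rows(hr_csv):
        if r["status"] == "left" and r["leaving_date"]:
            leavers[r["email"].strip().lower()] = date.fromisoformat(r["leaving_date"])

    orphaned, unowned = [], []
    for r in rows(access_csv):
        owner = r["owner_email"].strip().lower()
        if not owner:
            unowned.append({"system": r["system"], "account": r["account"]})
            continue
        left_on = leavers.get(owner)
        if left_on is None:
            continue  # current staff member
        deadline = left_on + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # still inside the agreed removal window
        last_login = parse_date(r["last_login"])
        orphaned.append({
            "system": r["system"],
            "account": r["account"],
            "owner_email": owner,
            "leaving_date": left_on.isoformat(),
            "days_overdue": (as_of - deadline).days,
            # A login after the leaving date is the finding to escalate: the
            # account was not merely left behind, it was used.
            "used_after_leaving": bool(last_login and last_login > left_on),
        })
    orphaned.sort(key=lambda f: (-f["days_overdue"], f["system"], f["account"]))
    return {"orphaned": orphaned, "unowned": unowned}


def run_report() -> dict:
    """Reconcile the sample exports as at 10 June 2024 with a 7-day removal window."""
    return reconcile(HR_EXPORT, ACCESS_EXPORT, as_of=date(2024, 6, 10), grace_days=7)


if __name__ == "__main__":
    report = run_report()
    for f in report["orphaned"]:
        flag = "USED AFTER LEAVING" if f["used_after_leaving"] else ""
        print(f"{f['system']:10} {f['account']:12} {f['owner_email']:20} "
              f"{f['days_overdue']:3}d overdue {flag}")
    for f in report["unowned"]:
        print(f"{f['system']:10} {f['account']:12} no owner recorded")
```

Two design points are worth noting. The unowned accounts are reported separately because an access list that cannot be tied to a person cannot be reconciled at all, and service accounts with no named owner are a recurring audit finding in their own right. The `used_after_leaving` flag separates "the leaver process is slow" from "a departed person's credentials were exercised after they left", which is the case that may need to be assessed as a personal data breach rather than simply tidied up. Keeping the output of each run is the evidence of monitoring that the accountability principle asks for.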
Once again, in line with the accountability principle, you should keep a record of the monitoring you carry out as it is evidence of controls that you have to support your data protection activities.
I’ll leave you now with one “call to action”; spend a moment thinking about the kinds of things you, or your organisation, may need to do on a regular basis and take action to embed the review points over the coming year. As always with data protection, avoiding the question is a recipe for disaster!
Please remember that data protection matters can be very complex and it’s impossible to provide legal advice in a Medium article; if any of the ideas and issues discussed here apply to you or your organisation, you should seek qualified legal advice.