What’s the best way to demonstrate GDPR compliance?
While there’s no way as yet to gain an official GDPR certification, it’s still important that you are able to demonstrate compliance if you need to. That means developing policies and procedures for handling confidential data, including disposing of documents that are no longer needed.
We’re just a few months away from the end of May, when GDPR will come into force. Once that happens, your firm could face significant fines if it’s found to be handling confidential data in the wrong way, or failing to get rid of it when it’s no longer needed.
There’s no shortage of training courses and other programmes that offer to help you prepare for GDPR. But it’s important to remember that none of them are ‘official’, in the sense of giving you a formal certification that proves you are GDPR compliant. For the moment at least, there’s no equivalent of PRINCE2 or ISO9000 for GDPR – no way to demonstrate your compliance definitively and get a certificate to hang in your office foyer.
Although the Information Commissioner’s Office (ICO) is responsible for enforcing GDPR in the UK, and would be the organisation to create a UK certification, that hasn’t happened yet. The ICO also has the authority to set up its own certification bodies, which could issue three-year GDPR certifications to UK firms. But again, none of these organisations have yet been created. So for the moment at least, there’s no way to prove GDPR compliance. Instead, you just have to comply as best you can.
Having said that, if you were to suffer a data breach, the ICO would be able to audit your compliance, and ask that you show that you were keeping to the regulations. So what’s the best way to demonstrate GDPR compliance?
The main way is by developing policies, procedures, compliance measures and external controls – and documenting them. By recording your approach to data protection, and what you will do in terms of working processes, you can demonstrate that you are complying with the GDPR.
Your policies and procedures should cover what data you need, how you will collect it, how you will process and store it, how long you’ll hold it for and how you’ll dispose of it at the end of its life.
As part of this last element, you may need to consider how you’ll get rid of paper records that contain confidential data. These might include printed customer records, customers’ letters, supplier or customer registration forms, records of conversations and other documents. Wherever and however you’ve recorded confidential information on paper, you need to make sure those records are disposed of so they can’t be accessed by identity thieves.
If you generate a relatively large volume of paper records, a scheduled data destruction service from a specialist firm could form an important part of your approach, and be written into your policies and procedures. For instance, you might determine that all paper records containing data that no longer needs to be held are collected and destroyed on a monthly basis. Evidence that this had taken place, such as certificates of destruction, could then be used to show that you had complied with GDPR in this area.
We offer a scheduled collection and shredding service to help companies stay on top of their data destruction obligations. To learn more, visit our page on regular shredding.