We often get asked, “Will your solution make us GDPR compliant?” This is a little like asking whether being Mary Berry’s granddaughter means you can produce a great Victoria sponge; it would certainly help, but there is a lot more to it than that.
There is no single solution that will make you GDPR compliant; compliance is only reached when the behaviour, processes and solutions within an organisation meet or exceed what the Regulation requires to uphold an acceptable level of data security and privacy. Your compliance is only as strong as the weakest link.
Data privacy and protection is a fundamental core function that should be part of your daily routines from the ground floor up. There is no point implementing a solution to handle part of your compliance without also addressing the processes in place and the behaviour of staff when handling data. Ask yourself:
- Can you deliver all the points mentioned in the Policy?
- Do you keep records of Data Subject requests to exercise their rights?
- Do you know where your data is stored?
- If you are using third party data processors, do you know where their role ends and yours begins?
- Do you have an effective complaints policy, procedure and process?
- Are there processes in place, for all staff, that help them recognise and act on:
  - A data breach or potential data breach?
  - A Subject Access Request?
  - A request for deletion?
  - A challenge to the legal basis for processing or holding data?
  - A request to restrict processing?
  - A request to transfer their data to another provider?
  - Any other action or complaint they may receive?
GDPR and the new Data Protection Act do not stop after introduction; they are ongoing business processes that should develop, adapt and improve over time.
In answer to the original question: if you are looking to underpin your drive for compliance, our solutions will certainly help. They tick the box for “appropriate technical measures” and can be used to deliver sensitive, private documents using secure, encrypted methods. However, the regulation also has a second part to that clause, “organisational measures”, and these, my friends, are down to you.