30 November 2017
With exactly six months to go until the new EU General Data Protection Regulation (GDPR) comes into force, it's a good time to review where you are in the process of preparing to meet your obligations under the new legislation.
As discussed in DataSalon's previous blog on the subject, it imposes responsibilities not only on data controllers but also on data processors. This means that if any external companies carry out processing of the personal data that you collect, you need to check their GDPR compliance as well as your own. Here are some questions you may wish to ask them.
- Do you have a Data Protection Officer (DPO)?
A company must appoint a DPO if its core business activities involve large-scale, regular and systematic monitoring of data subjects. Even if this isn't the case, the formal designation of a DPO would be an indication that the company takes its data protection responsibilities seriously. - Are you registered with the Information Commissioner's Office (ICO)?
The ICO is the supervisory authority responsible for monitoring GDPR compliance within the UK. Although registration with them is not a requirement (GDPR focuses on documenting rather than registering data processing activities), again it would show commitment to data protection and security. - Where is your data stored and processed?
A data processor should be able to tell you what security standards their data centres adhere to. The location of the data centre is also important, since GDPR states that personal data should only be transferred outside the EU if the country provides EU-standard protection. And don't forget to check whether the data processor subcontracts any of its work to other companies. - What data security measures do you have in place?
Look for an assessment of the security risks involved in the processing of your data, and measures such as encryption put in place to mitigate those risks. Check that all staff involved in handling your data understand their data security obligations. - How will you deal with breaches of security?
Since GDPR requires data controllers to report significant breaches to the data subjects in a timely fashion, you need to be sure that your data processors will be proactively checking for breaches. It's also worth asking if they have ever had a breach in the past and, if so, how it was addressed. - How long do you retain data?
While it's up to you to acquire consent for data processing (and ensure that your data processors understand the terms of that consent), the data processor must be able to ensure that the data is only kept for as long is required to carry out that processing.
This post was published on the DataSalon Blog on 24 November.
Category: data