While many of the GDPR’s predecessor the Data Protection Directive’s core principles and obligations remain unchanged under the GDPR, it does impose new and additional requirements. A new cornerstone of the GDPR is the obligation to not only comply with, but to also demonstrate this compliance.
Meeting the accountability requirements will mean doing more than just establishing data protection policies and procedures, these changes need to be embedded in an organisation’s culture. Staff will need to be educated on changes that are happening, including what the changes are and why they are happening, and be trained on new processes.
Accountability will require organisations to be able to demonstrate compliance with the GDPR by showing the supervisory authority how an organisation complies on an on-going basis. This means that processes will have to be reviewed regularly, and staff should be offered support as they adapt to the new framework.
It is not an organisation that changes, it is individuals, and for an organisation to implement effective change enough individuals need to act on it. For the changes GDPR brings to be made a permanent part of an organisation’s culture reinforcement should also be offered; staff should be thanked for their efforts if the new processes are implemented, but if they don’t this should not be ignored.
Evidence of compliance should include internal policies and processes that comply with the GDPR requirements, but this in itself will not change staff behaviour. The effective implementation of the policies and processes needed into an organisation’s activities will require staff to be managed and assisted through the implementation. There are plenty of change management systems, but whichever method chosen staff need to know what is changing, act on it, and continue to use the new systems and processes.
The obligation to demonstrate compliance replaces previous obligation to notify local data protection authorities of processing activities. The onus will be on continuous data protection that can only be implemented with thorough lasting behavioural changes within an organisation.
Download our Risk and Confidence Survey at http://www.cnahardy.com/pulse
Next: Data Subject Rights: What Actions Are Needed to Comply under GDPR