Evolving Your Management System for GDPR
Many of us have been inundated with emails from businesses and organisations asking for our ‘consent’ to allow them to stay in touch due to ‘GDPR’ and data protection changes. If you haven’t been involved in getting your organisation ready for GDPR then you can be forgiven for thinking that’s all the new regulations are about.
Organisations who control or process personal data need to establish if they undertake regular and systematic monitoring of individuals on a large scale. Public authorities or bodies, those processing special categories of data or processing on a on a large scale require Data Protection Officers and we can expect that they have been appointed and working on GDPR readiness for some time. However, there are many organisations only just realising that GDPR is relevant to them and recognising that their customers, employees or other stakeholders need to be able to trust them to properly look after and use their personal data responsibly and securely.
There is much more to GDPR than just marketing consent.
Applying the principles of integrated management, GDPR should be seen as an opportunity to evaluate the personal data utilised by your organisation to establish what you have, how you keep it, where it’s located, who has access to it, when it’s accessed (related processes) and to ask yourself why do you need it (value and legal basis) from the perspective of the management of the whole organisation. Like everything else, the upsides and downsides of each use of pesonal data should be understood, legally compliant and safeguard the stakeholder's needs, expectations and aspirations.
With the volume of data that we can now effortlessly and cheaply hold and share it's easy to forget to ask the simple ‘why’ do we have this personal information ?
Awareness of your structures and processes that deliver your organisation’s purpose, record requirements for contracts or compliance, and knowing where data is utilised will help with understanding why you need it. This approach not only helps GDPR but can help make your structures and processes more effective and efficient by ensuring that everything is adding value and not exposing the organisation to unidentified, unassessed or unnecessary risk.
Only when you have identified all the personal data that you are holding and using can you decide :-
• the legal basis for having it,
• if you are a Controller or Processor,
• if you are ‘sharing the data’ with anyone,
• what personal information risks exist.
Consider simply asking yourself ‘If this was my personal information would I be happy with how it’s being used and stored’?
After identifying the personal data your organisation needs and checking the legal basis for processing it, you should document this decision for future reference within your management system records.
Are your controls suitable and sufficient?
You need to act to address poor process, or any personal data security risks. After all this will be much preferable to having to respond to a breach or loss incident! There is no need to create a new process for this, consider utilising your existing improvement tools or processes to do this.
Provide transparency to your stakeholders on how you are protecting their data
Applying the principles of integrated management, document your data controls and policies within your management system and communicate this both internally and externally. Adding to your website is generally the simplist means of communication.
Things to consider include:-
• What is your privacy policy?
• How would you respond to a data breach or loss and how sophisticated does this need to be? It could form part of existing complaint and crisis management arrangements.
• How would you ensure data subject rights, such as subject request or right to be forgotten?
• How long do you need to keep personal records for?
• What records are you sharing, do you have agreements in place with data processors for this?
• Are you transferring data internationally (outside EU), do you understand the implications of this?
• How do you assess the impact on personal data management of strategic and operational changes?
Monitor your data protection controls
Utilise your management system audit process to monitor compliance and be risk informed. Assess your controls and identify opportunities to improve personal data management. Personal data management could be a key part of every process audit, but remember, the audit process will also generate personal data.
Manage Change
As your organisation changes and develops, the impact of these process and management system changes might seem at first glance to be unrelated to personal data. The data and personal data aspect facets of any organisation structure or process can be better understood and considered by taking a holistic view within the context of a fully integrated management system. The universal management system standard MSS 1000 is ideally structured to facilitate this.
When improving or initiating change in your organisation you can consider the personal data impact and instigate a ‘privacy by design’ approach i.e. each new service or process that makes use of personal data must take the protection of such data into consideration. An integrated management system can facilitate this approach and ensure change is implemented effectively. This ensures that personal data is always addressed along with everything else in the designing and implementation of new or modified structures and processes that deliver the organisation’s purpose.
Respond to Incidents
The most that your arrangements to manage personal data can do is to minimise the likelihood of undesired events that could potentially negatively impact your stakeholders – such arrangements always have residual risks. If despite your best efforts a data breach or loss occurs, utilise a reactive investigation and your documented reporting procedures to report a significant event to stakeholders such as regulatory authority and data subjects.
So, as you can see GDPR is much more than seeking ‘consent’ to keep an individual’s personal data - it has tentacles that spread out into the structures and processes of the whole organisation. The new regulations provide organisations with a valuable opportunity to better understand and improve their personal data management within the context of overall integrated management. An integrated management system can provide the ideal structure and tools to most readily achieve this. MSS 1000 provides expert direction and guidance that can be freely downloaded.
MSS 1000:2014 is a universal management system standard enabling organisations to create fully integrated management systems directing and guiding their total strategic, tactical and operational management processes.
This free to download standard addresses all of the general aspects of managing an organisation to achieve excellent all-round performance and avoids the need to comply with multiple fragmented standards. It takes a fully structure and process focused approach and seamlessly includes quality, prospect and risk management best practice.
