As with all projects undertaken by any organisation, the key personnel and decision makers must “walk the walk” to demonstrate support for the beneficial culture of data protection compliance.
Thus these are the prime focus of awareness raising and briefing when installing the changes due to GDPR.
Within the organisation, to encourage the absorption and use of data protection procedures, this key group of people will need to:
- lead by example,
- demonstrate accountability for compliance with the GDPR
- following the Accountability process
- creating the appropriate Security Policy and following it
- undertaking any Data Processing Impact Assessments as necessary
- ensuring the appropriate reasons for accepting data are complied with:
- Legal Grounds - including Legitimate Interest
- Consent
- Public Duty
- Vital Interest
- that the rules are followed pertaining to:
- moving data across international boundaries
- alerting the ICO in the event of a data breach (via DPO if appropriate)
- maintaining appropriate Processor Contracts
- ensuring the Automated Decision-Making processes are set up
- developing the organisation in line with the Protection by Design approach
- appointing a DPO as required
- paying the costs of GDPR rules including registering with the ICO
- promote a positive culture, within your business, for data protection.
- take the lead when assessing any impacts to your business
- encourage a privacy by design approach
- help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.
To be clear, the penalties faced when GDPR is breached, are as much for the directors as for the organisation itself. This is not a scenario where senior management can say that they know that things should change but they want to keep certain areas as they were. This has to be across the organisation from top to bottom.
However, any official penalties fade into insignificance against the loss of organisational value when an organisation's reputation is destroyed by virtue of loosing personal data and having it turn up with a criminal.