Featured in JEP’s Expert Panel – 15th June 2018
Organisations continue to struggle with the following areas in relation to their GDPR projects:
- (a) misunderstanding how to create policies and procedures that are suitable for their organisation
- (b) weak, informal arrangements to manage and deliver effective governance of data protection, e.g. no clear line of responsibility and ineffective record-keeping
- (c) no incident response plan for a data breach or cyber security attack.
Firstly, some organisations think that they should simply buy an “off the shelf” set of policies and procedures for data protection and just insert their organisation’s name at the top of the document. This is a big misunderstanding.
Policies and procedures are best created using a bottom-up approach: start with your data mapping exercise (what personal data processing do you do, why, how, what data is collected, etc.), then examine which lawful basis applies to each processing activity, then assess the risk profile of the personal data, and only then create policies and procedures that are directly aligned to all of these recorded activities and characteristics.
Policies and procedures must be rooted in your lawful bases review, your risk assessment and the underlying data mapping exercise if they are to be effective and accurate.