While consulting on and implementing GDPR solutions and systems, I’ve found that owners and managers of organisations have somehow been led to believe that once “all” their (identified) GDPR activities have been completed, and their organisation has been brought into compliance (before or just after the May 25th, 2018 deadline), no further work is required.
Unfortunately, this is not the case. Like health and safety, fire safety and similar regulations, GDPR compliance requires ongoing monitoring and maintenance once it is in place (more on maintenance in a future post).
That said, before you start thinking about maintenance, let’s ensure that you have the fundamental GDPR requirements in place first.
With this in mind, the section below lists 8 signs that your organisation may still not be GDPR compliant. These are the areas we have most often found still missing; depending on the size of the organisation and its industry, each is a quick win.
8 Areas to Check or Review
1. Data Protection Fee Not Paid
This applies ONLY to UK organisations (including sole traders), and it is one that falls through the cracks in businesses that are typically not heavily regulated.
During our work, I’ve heard “nobody told me that!”, “I didn’t know we had to pay a fee!” or “We don’t have to pay anything any more”. Unfortunately, ignorance will not let you (if you are the owner) or your business off the hook. In fact, if you are found not to have paid your Data Protection Fee you will be breaking the law and can be fined up to the maximum penalty of £4,350 (150% of the top tier).
I had one client who kept delaying paying the fee because they were scared that the Information Commissioner’s Office (ICO) would come after them for back payment. Please do not worry, just start from where you are, and pay.
The cost of your Data Protection Fee depends on the size and turnover of your organisation, ranging from £40 to £2,900. Most organisations will pay £40 to £60.
You can pay your Data Protection Fee on the ICO website.
One final thing about the Data Protection Fee: if caught, you will be fined either for non-payment or for not paying the correct fee.
2. No EU Representative (Non-EU/EEA organisations only)
3. No Privacy Notice(s)
4. No Inventory of Processing Activities (aka Record of Processing Activities)
5. No Contracts/Agreements in Place with Vendor(s)/Supplier(s)
6. No Data Breach Response Procedure
7. No Data Protection Impact Assessment Procedure
8. No Data Subject Access Request Procedure
Can you think of any more signs? Share your thoughts in the comments below 👇🏾
Let us help you put the right data protection systems in place.
We can help with:
✔️Data Subject Access Requests Procedures
✔️Data Breach Procedures
✔️Data Protection Impact Assessments
✔️Data Protection Guidance & Support
✔️Data Processor/Vendor Assessments
✔️DPO Managed Service
📌 Schedule your confidential and FREE 45-minute Discovery Call now.