Marie Murphy
Everyone loves a quiz so we decided we would kick-off the new year with a bit of tongue-in-cheek fun.
However, it being January, we can’t have unfiltered fun. There has to be a sting in the tail so while we hope to cheer you up a bit in the post-Christmas slump, we are also going to provoke some reflection on the current state of your compliance efforts.
Enjoy the quiz and remember if you can’t answer any of these questions at all, Fort Privacy is happy to help prepare you for next year’s quiz!
A1: What is GDPR? I never heard of it.
A2: That is soooo 2018. That bandwagon has long been replaced by a newer one.
A3: Is this a serious question?
A4: We are 100% Compliant.
The Correct Answer: None of the above.
At least answers A1-A3 are honest answers! A4 is my own personal favourite. I always say anyone who thinks they are 100% compliant doesn’t understand compliance!
I hope your organisation has a programme in place and you are constantly working towards compliance. However, organisations don’t stand still and that makes compliance a moving target. As soon as you think everything is covered, something will change often prompting DPOs to leave the building in tears! Compliance is something that needs constant care and attention.
A1: Never, I don’t think we have any policy documentation.
A2: When GDPR came into effect in 2018 we bought a great set off the shelf.
A3: Just before our last DPO was seen running out of the building in tears.
A4: Every year we have a senior management signoff, but our documents haven’t actually changed since 2018.
The correct Answer: None of the above
Our understanding of GDPR has matured since 2018 and we have learned a few lessons about our policy documents. They are important internal documents. (Don’t confuse them with the “Privacy Policy” which the pedant in me feels compelled to point out is a misleading title for a “Data Protection Notice”). There is no “one-size-fits-all” so off the shelf is not a good look.
Develop good policies that are relevant to your organisational activities and refresh them annually. When completing your annual review, ask whether the contents are still relevant as your organisation and/or our understanding of the practical effects of the GDPR may have moved on.
A1: It is a catalogue of horrors.
A2: Yes! I know that one. I’ve never seen one IRL though.
A3: No, but I am sure our DPO (who was last seen running out of the building in tears) knows.
A4: We keep ours locked in the safe with the company chequebook which is getting quite dusty since our banking went online.
The correct Answer: None of the above
A Record of Processing Activities (ROPA) does what it says on the tin. It records all the purposes for which you process Personal Data along with the lawful basis for each processing activity along with other important information about the processing. Its not the easiest document to create and maintain but it’s a very important document.
Aside from the fact that it’s a legal requirement, capturing vital information about the processing activities you are carrying out is the bedrock for all of your compliance efforts. For instance, this may be an obvious one, but unless you know what you are doing with Personal Data you can’t accurately inform data subjects about it.
A1: We don’t have any risks. We are a risk-free zone!
A2: We outsource all our risks to our suppliers. They take all the risks, its what we pay them for.
A3: Well, we used to add them to the DPO’s to-do list before they ran out of the building.
A4: Yes, we have a risk register which we review every quarter at a meeting where there are coffee and scones and our GDPR risks haven’t changed since 2018 so we must be doing a great job.
The correct Answer: None of the above
GDPR looks for a risk-based approach to data processing and compliance. It asks that organisations processing personal data take into account the “risk of varying likelihood and severity for the rights and freedoms of natural persons”. While the GDPR requires that the data subjects are considered, risk to your employees or customers ultimately poses risks to the organisation be that reputational damage or material loss.
Organisations must understand their risks and take appropriate steps to address those risks by reducing the likelihood of them occurring and being prepared to reduce the impact if they do occur. That includes managing your suppliers if you have outsourced any of your processing activities.
A1: A what now?
A2: We don’t know what our high-risk processing activities are.
A3: Our DPO suggested something like that just before the fateful day when they left in tears.
A4: Yes, we held a meeting and even brought coffee and scones. There are minutes on the server.
The correct Answer: None of the above
Theres no right or wrong answer to this one. Organisations must start their compliance journey somewhere and you need to be pragmatic. There is no point in completing deep dives if you haven’t got a compliance programme because you will be overwhelmed by the findings.
Once you do reach a level of maturity as an organisation focused compliance reviews will reduce the risks to your organisation and to your customers. They are very beneficial at weeding out the unknown unknowns that are lurking in the shadows and could catch you out at any time. Think of them as a powerful torch capable of digging into the dark recesses of your use of employees, customers, members or patients’ personal data.
Evaluating your answers
All A1s: My goodness you need begin at the beginning. We recommend you look at getting a data protection programme in place.
All A2s: In your favour, you have heard of the GDPR. You might even have done some work on your compliance in 2018. Time to dust off those folders and freshen them up to be 2024 ready. We still recommend you look at getting a data protection programme in place.
All A3s: Buy your DPO a box of hankies and then maybe start listening to what they are advising you. We promise you won’t regret it! Your DPO might need some help to get a structured data protection programme in place. This could be your gift to them in 2024.
All A4s: It sounds like you are trying to do the right thing, but the coffee and scones are distracting you and your efforts, while well meaning, are ineffectual. A bit more focus and structure will pay off dividends.
No matter what your answers, of course Fort Privacy can help! We offer a judgement free service from our team who can come in and help your organisation wherever you sit on your compliance journey:
All you need to do it … ask!
Sign-up to receive news and information from Fort Privacy
Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information
As a technologist, I am both excited and appalled at the developments in AI and it seems from various surveys that I am not alone. My greatest wish is that we can harness its power for good while dampening its power for misuse. It is early days yet – let’s hope this wish comes true!
Continuing the tradition of the Fort Privacy Christmas blog this year we are thinking about Santa and AI. Well, we need to keep these articles topical after all!
I’ve seen a few suppliers make classic errors dealing with breaches in their client’s data. Here are the top three errors suppliers make and 5 suggestions to avoid them!
