Compliance is not a target, it's a continuous journey
17 Nov 2021
GDPR arrived with us in May 2018. With it, and without a legal requirement to do so but with a desire to really understand the subject, we engaged with a company called Compliance and Privacy Solutions Ltd to provide us with both a Data Protection Officer (DPO) and the guidance to go above and beyond with our responsibilities around personal data. As Compliance and Privacy Solutions say, “Compliance is not a target, it’s a continuous journey”, and we have been on that journey ever since. As well as audits and advice, they also provide us with the means for training our staff through their staff awareness training, and we work together to ensure that policies are operationalised within the organisation.
As an organisation we do not control large amounts of personal data, save for the communications we make from the point of view of our commercial, marketing, consulting, support or learning functions. We do, however, work with a number of large companies, their marketing data and Martech systems, so it is vital for us to understand the impact on them and on our work, often as data processors.
It is interesting that, as a by-product of looking through our data storage and processes, we have identified many small efficiencies in our processes, and areas of data (even non-personal data) that could do with an improvement in process, access and deletion.
We already have a good on-boarding and off-boarding journey for our employees, but it has been interesting to see a small number of cases where the two processes are misaligned and data creation or removal is done because someone in the organisation just knows it needs doing, rather than through a traceable, repeatable process.
Central to our understanding is the creation and maintenance of a data inventory, although we are now in the process of converting this to a full ROPA (Record of Processing Activities). This allows us to see what types of personal data we capture and how it arrives or is created, through retention rules and finally on to deletion. We also look to see who has access to the data, and Compliance and Privacy Solutions help us to understand any relevant regulations that apply to each case.
In parallel to this, the Martech systems we help support all have ways of dealing with similar issues, including subject access requests. We aim to be able to work with any of our partners to guide them in the best ways to manage their data, to minimise the risk to their business or minimise the effort should any issues arise. We have to make sure that any of our employees who work with a partner understand their full responsibilities to that partner’s data.
Any partnership with another company, whether joint-controller, controller-processor or vice versa, will need the necessary data processing or sharing agreements, so it is important to be able to speed up the creation of that documentation, and to understand the requirements of such relationships and how they impact the individuals assigned to projects on a daily basis. We want any partners that we work with to know that Purple Square are a safe pair of hands, even helping or guiding them with their responsibilities as necessary.
We had pretty good results from our latest data audit, but there is a good stream of ongoing work to make our processing even better. In addition to those items mentioned elsewhere, just some of the subjects on our radar now, or in the past, include:
- Data at physical work environments or home offices
- Technical identification of personal data in the case of an access request
- Data suppression
- Policies for key areas of our business – Commercial, Operational (HR) and Marketing
- Data sharing logs
- …And let us all have a collective head-scratching session as we seek to understand the implications of Brexit and what that means to an organisation that works in the UK and EU/EEA (as well as worldwide)!
There will always be new partnerships, clients, systems and business processes to work with, and new employees who need to understand their responsibilities for looking after both internal and external data. To date, Compliance and Privacy Solutions have ensured that this journey runs as smoothly as possible, and we look forward to a long and fruitful relationship with them.