In order to become GDPR compliant, one of the things you will need to do is put in place appropriate organisational and technical measures to keep information confidential, as it should be, and available when you need it. You also need to be able to restore availability in the event of an incident.
In terms of the organisational measures, these might be policies [setting out your usual approach to data protection] and procedures [directions to employees as to what should be done].
However, compliance is an ongoing issue and, with the best will in the world, employees may not do what they have been asked to do or what is expected of them. Indeed, managers may not supervise them. This puts your organisation at risk.
We can carry out an audit of your policies and procedures and, in doing so, check to make sure they are being followed. If they are not being followed, then we will let you know. If our audit suggests there is a need for additional compliance measures to be taken, we will recommend corrective actions. We will then, having given you time to put the measures into place, carry out a follow-up assessment.
You may also make use of a data processor, i.e. an organisation that processes your employee or customer personal data on your behalf. At the start of the processing relationship you will have entered into a written contract with them. As part of the initial discussions you will have assured yourself that they had in place appropriate technical and organisational measures to keep the information you entrust to them safe.
Under GDPR the processor is required to make available to you all information necessary to demonstrate that they comply with GDPR. They are also required to allow you to audit and inspect them.
We can carry out an audit/inspection of your chosen data processor for you and report back to you.
For further information please contact us.