Demonstrating Compliance with the GDPR
- Posted by Vicky Silver
- Categories Data Protection, GDPR
- Date 11/10/2023
Introduced in 2018 by the EU (and adopted into UK legislation), the General Data Protection Regulation (GDPR) is a regulation which grants individuals in the EU and UK rights over how their data is processed by organisations. Any organisation that handles individuals’ data must comply with the legislation, but demonstrating this compliance isn’t always straightforward. The Data Protection Act 2018 gave the Information Commissioner’s Office (ICO), the UK’s privacy regulator, the ability to accredit certification scheme providers for demonstrating GDPR compliance.
While this would be the easiest way to demonstrate compliance, a broadly applicable certification scheme, unfortunately, does not exist. The ICO did approve 3 certification schemes in August 2021; however, these were for quite narrow purposes: IT asset disposal, age-appropriate design and age assurance. A certification scheme that is appropriate for organisations of all sizes, sectors and industries has still yet to materialise.
In order to comply with the legislation, many organisations formulated project teams to address GDPR compliance in 2017/18 before the Regulation came into effect in May 2018, with the majority of these teams being dissolved once it was felt that compliance had been achieved. While some organisations appointed a data protection officer (DPO) or compliance manager, GDPR compliance has, in many cases, slipped into the background since then. We at URM appreciate that it is incredibly difficult to maintain compliance, particularly to legislation as complex and stringent as the GDPR, as other business requirements take priority.
However, compliance with the GDPR is mandatory, and under the ‘accountability’ principle of the Regulation, your organisation must be able to demonstrate and evidence its compliance. The British Standard for Personal Information Management Systems (PIMS), BS 10012, does provide a best practice framework for developing and implementing a PIMS. It isn’t an international standard like ISO 27001, or a complete model for compliance with the UK GDPR, but it is aligned with its principles and is a good place to start. BS 10012 conformance cannot, however, be relied upon as a quick solution for demonstrating GDPR compliance.
How, then, can you demonstrate compliance with the UK GDPR if you need to do so quickly? One approach is to organise an external audit, conducted by a GDPR or data protection (DP) practitioner. If executed properly, this will evidence your compliance with the GDPR. Beyond this, however, an external audit also gives you an opportunity to receive guidance and insight into good data protection practices that other organisations have adopted.
Valuable GDPR compliance audits are not just about helping you comply with DP and GDPR requirements (although they are very useful in this way), but also about allowing you to check that your organisation is complying with the measures it has implemented to achieve GDPR compliance and protect the data it processes.
The following are some key questions you should consider to help you determine how compliant your organisation is with the GDPR.
- Are you complying with your policies?
- Have you reviewed your consent mechanism?
- Have you continued to evaluate third parties and their contractual conditions?
- Have you properly maintained your register of processing activities?
- Has your organisation seen any changes that would invalidate your lawful grounds for processing?
- Have you reviewed your data flows in line with any changes?
- Have you maintained your data protection impact assessment (DPIA) records, and are you conducting DPIAs as and where required?
- Are you able to effectively process and respond to data subject access requests, within the allocated timeframe?