Preparing for the GDPR: Step 3) Moving to Continuous Improvement
Regardless of the regulation, some organisations approach ongoing regulatory compliance by adopting a continuous improvement model. The rationale is that any given audit, whether internal or external, is conducted at a point in time and is therefore only a snapshot of the state of compliance at that moment.
The trouble with a point-in-time view is that you could be compliant today but not tomorrow. It takes only a small incident, issue or risk materialising for an organisation to appear non-compliant when marked against a checklist of compliance activities, when in reality incidents and risks materialise routinely and are continually remediated as they surface.
Does this mean that the organisation is generally non-compliant? That’s unlikely.
Continuous Improvement in Data Protection
Narrowing the focus to data protection compliance (for the GDPR): assuming your organisation has gone through a GDPR Audit Assessment, then initiated and completed a Compliance Project to address the findings and recommendations from the audit, what should you do next?
There may still be some lower-level risks from the audit that require remediating, so it makes sense to start tackling these. There is also a need to review the processes, controls, policies and procedures that have been implemented on an ongoing basis, to ensure that what has been implemented is working effectively and appropriately.
Changes to existing processes and controls could increase efficiency and generally improve overall compliance. This is where Continuous Improvement comes into effect.
Examples of Continuous Improvement working
Here are a few examples of Continuous Improvement working well for some of our client organisations:
o After the policy was reviewed in the Continuous Improvement project, it was reduced to 5 pages, introducing more “layman” and transparent language.
– Department heads were provided with Data Protection training by the DPO. The heads of department then cascaded that training to their direct reports, self-certifying that their direct reports had undertaken and understood the Data Protection training.
o After this process was reviewed in the Continuous Improvement project, a computer-based training (CBT) system was introduced and rolled out. It now automatically sends out training materials, enforces completion and tracks every employee’s activity and understanding.
– All Subject Access Requests (SARs) were forwarded to the Data Protection Office, where they were manually addressed and tracked within the email system. Fortunately, the number of SARs received per quarter was less than five, and processing the requests generally took less than 40 days, although there was no tracking of when each request was first received.
o After this process was reviewed in the Continuous Improvement project, the organisation adopted its existing Incident Management system to log and track requests, create and assign actions, investigate, and respond. This proactive approach not only safeguards against any sudden increase in SARs, but also mitigates the risk of accidentally missing deadline dates, establishes formal roles and responsibilities, and improves collaboration.
It isn’t a huge leap to realise that continually improving services and compliance is simply common sense. Where time, resource and budget permit, continual improvement helps organisations stay ahead and can often bring competitive advantages, especially in industries where regulations change often or where previously unregulated industries become regulated. Let’s face it, the amount of regulation in the modern world isn’t going to decrease; it will only increase over time.
Organisations that think “we’ll do that tomorrow” are often the ones that fall behind and fail to keep up with an ever-changing system and data landscape.
Winterhawk offers a variety of Data Protection, Privacy and GDPR services. For more information, visit our GDPR Services page.