Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Del
Newcomer III
‎02-09-2018 11:57 AM
‎02-09-2018 11:57 AM

GDPR Article 5(2) - Demonstrate compliance ... but how?

I've been reading the text of the GDPR ... don't laugh, I think it's worth doing 🙂

 

Article 5.2 states "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)."

 

<http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679>

 

I get that, and I'm not going to argue it ... but let me ask the stupid question ... how do I actually demonstrate GDPR compliance?

Reply
0 Kudos
3 Replies
skyflier21
Newcomer I
‎02-09-2018 02:06 PM
‎02-09-2018 02:06 PM

This could go on and on, sorry...... so some bits:

 

The answer is document, document, document... need to be able to show a culture of ‘privacy by design’ and transparency for the data subjects..

 

Security structure which should be from the top.

all information assets what they contain personal information wise.

what legal reasons there are for processing this information (reasons for processing)

carry out privacy impact assessments and risk assess

record information flows, who has access, how and why

all the control measures that are in place, physical, organisational and technical

all the training of staff on data protection

all the contracts with third parties

any information transfers especially to third countries and how that is protected.

all consents and what they consented to and show that it was informed

privacy notices for the data subjects

The breach processes

record retention periods for the information assets

how to handle data subject rights.

 

I will have missed bits off but hopefully you see the idea.  After that I think it depends on the type of company, e.g data controller needed or not etc.  Other bits like no opt outs on web sites, opt in only.

 

hopefully the above helps, as you may guess I have been doing the above 🙂

 

Reply
0 Kudos
Elux-Lucis
Viewer II
‎02-12-2018 03:32 AM
‎02-12-2018 03:32 AM

Hi there,

 

GDPR can be a daunting beast. When you come to question like that try and switch places with the Authority.

 

If you visited another organisation and asked them to prove they were carrying out the activities in Paragraph 1, what evidence would you believe?

 

As mentioned, documentation is a number one item, but you also then need to show that this is being followed and is embedded in culture, not just IT systems (staff awareness and training) e.g., how do you check that privacy has been considered during design, an not just bolted on afterwards; do you have  gateway check during project delivery?

On the wider picture, there are organisation that can assist with refining standards into defined control sets, but make sure you do not turn GDPR into a tick and flick exercise - that will undoubtedly result in a fail Smiley Wink

Reply
0 Kudos
phollan1
Newcomer I
‎02-16-2018 06:10 AM
‎02-16-2018 06:10 AM

Basically evidence and documentation of what you are doing and what you are not doing and why

Reply
0 Kudos