Data Protection, Electronic and Privacy Law Blog


As a responsible business, you know that data protection is a priority. But, just how onerous is the task? Our short guide to creating and implementing a robust data protection compliance programme can help. Cath Jenkin explains how.

Your Data Protection Compliance Requirements

A short guide for SMEs

15 July 2019
Posted in: Data Protection and Privacy

Drop the jargon

Your head is probably spinning from the jargon, so before we begin, let's clear up the confusion: it's no longer acceptable merely to store your customer, client, or employee data in a disorderly way. You must protect personal and commercial information in a legally compliant way and prevent unauthorised access to it. That is why the General Data Protection Regulation (GDPR) was created: to define and shape how companies like yours must protect information relating to your clients, your business, and individuals' personal data. Ensuring your company collects, accesses, and uses personal data correctly is no longer just an ethical concern; compliance is mandatory, and a legal framework must be adhered to.

Assess and begin

You can't understand how compliant your company is without first conducting a thorough assessment of how it handles personal information right now, and in particular how it secures that information. Fortunately, your data management approach and its implementation need not remain an intangible idea: the introduction of GDPR and other regulatory frameworks makes it much easier to take a responsible, accountable approach to managing personal data. Accountability is vital, and adherence is mandatory. In all likelihood, though, your data management approach will show gaps or oversights when it is put into practice in the day-to-day running of your business. A gap between theory and practice is never a surprise, whatever you're working on, but it must be closed to ensure your business is compliant, however big or small it may be.

There's an app for that

Finding a reliable, easy-to-understand, and even easier to implement benchmarking tool to assess where your company stands on compliance right now has just become simple. Before you invest in a data compliance programme to align your business operationally with its legal requirements, you need to know where you stand today. A company-wide assessment of how personal and commercial data is managed is your starting point, and finding the right framework, service providers, and system to carry it out should be your first priority. This is where the ProPrivacy team can help with your initial compliance assessment, using Serity, our online application, built with your compliance needs in mind. Developed in-house, Serity gives you an easy way to benchmark your company's organisational compliance level and start planning improvements. Once you've established your organisational compliance level as it stands today, it's time to:

  • Identify the high risk areas where your business must tighten up its approach and operational data management processes.
  • Prioritise your business' compliance requirements: highlight the most important tasks to move forward with, and rank all systematic and operational steps in order of importance.
  • Consider remedial actions to fix any data processing systems that present a risk to your business and its clientele.
  • Identify key personnel who will take responsibility for implementing these organisational changes, and ensure that data is processed, managed, and utilised correctly, in accordance with relevant legislation and operational needs.
  • Set up and implement a monitoring and evaluation programme that will ensure your business remains compliant as it grows.

Identify the high risk areas

How your business obtains, accesses, and uses personal information is a fundamental operational principle. And, without a doubt, almost every business process involves some level of personal data management. For an easy-to-understand example, let's consider the process of finding, recruiting, and placing new staff. To do this even moderately well, your company would have to:

  • Contact potential advertising portals or publications to place an advertisement. To do this, your Human Resources manager may need to use their email account, communicate with a sales representative at the advertising portal or publication, and sign some type of contract to secure the advertising space. Each stage of this first step involves the exchange of personal contact and contractual information. Ask yourself: how does your company process, store, and use that information?
  • Receive and process applications from interested candidates. Applications most often contain highly confidential personal information. Ask yourself: How do we sort, process, and use these applications? What happens to that information once the recruitment process has been completed? Where is that information stored, and how will anyone access it in the future?
  • Place a suitable candidate. In signing an employment contract, your new hire shares personal information with your company. Ask yourself: How does your Human Resources department store and use that information? How does anyone within your business access and use that information? How does anyone from outside your business access and use that information?

Of course, handling employee data is just one high risk area of your business, where data protection must be a priority at every point.

Prioritise your business requirements

How your company uses and manages data is closely linked to your day-to-day operations. Without the right information delivered to your team at the right time, business functions could break down, systems would stall, and people might be unable to get their jobs done. But ensuring that information is well secured is imperative. Once you've identified the high risk and low risk areas within your business, rank them in order of priority. Your highest risk areas are the ones you need to act on immediately. And remember, compliance is not a once-off process; it's an evolving business process. Don't panic if you don't have it all right immediately, but do begin to take action on any gaps and non-compliant data management processes.

Consider remedial actions

Filling the gap between data management theory and practice begins with finding the right solutions for your business. There's no one-size-fits-all solution, because each business is unique in its approach and operations. While the legal frameworks you're required to comply with tell you what adherence looks like, they don't necessarily offer your business the solution it needs. Create and implement remedial actions that close the holes in your business' data management processes, so that your company is legally compliant.

Identify key personnel

It's easy to boast about your data protection compliance programme, but who's making sure your company sticks to it at every level? That's where you'll need to identify key personnel who take responsibility for ensuring compliance throughout your company. This may mean hiring new staff members, expanding current team members' job descriptions, or committing your team to new training programmes so they know how to maintain compliance.

Monitoring and evaluation

You know where your company stands now in terms of its data protection compliance programme. You've assessed how your business uses personal information across its software, hardware, and physical premises. You've created a road map that'll help your team fix broken data management processes and ensure legal compliance. Where to next? You'll need to monitor, evaluate, and evolve your data protection compliance programme:

  • Your data management processes must be closely monitored at all times, to ensure all operations are legally compliant, and beneficial to your business' productivity levels.
  • Internal assessment and auditing of the data your company possesses, and how it is managed, should be done on a regular basis. We recommend a company-wide audit at least once a year.
  • External assessment and auditing of your company's data protection compliance programme must be conducted at least every two to three years. That's where you'll need to call in the experts, to confirm your programme is still legally compliant and that your operational capabilities have not been hindered in any way.
  • Assess your data protection compliance programme, and highlight any new potential risk areas, and begin planning to take remedial actions to fix what needs attention.

No matter how big or small your business may be, accountability is key. Ensuring your company complies with the right legislation, and implements responsible data management processes is a business priority. ProPrivacy can help. Get in touch with our team, and we'll help you find the best solution for your data management needs.


