One of the major changes in Data Protection legislation brought about by the General Data Protection Regulation (2016) is a new legal principle, accountability, which requires us to be able to evidence how we comply with the law:
"The controller shall be responsible for, and be able to demonstrate compliance with [the other principles]" (Article 5(2))
We now need to be proactive about data protection, and evidence the steps we take to meet our obligations and protect people’s rights.
Taking responsibility for what we do with personal data, and demonstrating the steps we have taken to protect people’s rights, improves our legal compliance. Accountability is also a real opportunity to show, and prove, how we respect people’s privacy, which helps us to develop and sustain their trust.
Furthermore, if something does go wrong, being able to show that we actively considered the risks and put measures and safeguards in place can help to mitigate any potential enforcement action. Conversely, if we cannot show good data protection practices, we may be exposed to fines and reputational damage.
Under Article 30 of the GDPR, most organisations are required to maintain a Record of Processing Activities (ROPA), covering areas such as the purposes of processing, data sharing and retention.
Documenting this information is a key way to take stock of what we do with personal data. Knowing what information we hold, where it is and what we do with it makes it much easier to comply with other aspects of the GDPR, such as making sure that the information we hold about people is accurate and secure.

Information Risk Assessment Tool
At ARU we have recognised the importance of mapping our University’s use of personal data as part of managing our GDPR compliance. In 2018 we developed our GDPR Information Risk Assessment Tool (IRAT). It is designed to establish our position in relation to the Data Protection Act, enabling us to analyse what we do and, where necessary, make appropriate changes.
The audit process gives us a clear understanding of the Data Protection controls we have in place, ensures that personal data is handled consistently across the University and enables us to demonstrate how we meet the more detailed GDPR compliance requirements.