By Jason Turner, Data2Action (Apr ’19)
Some time ago we launched our GDPR ‘Healthcheck’ services.
Specifically designed for SMEs, this service is a simple and affordable high-level review of progress made against the requirements of GDPR. With so much hype and conflicting advice in the run-up to 25th May 2018, we found that businesses have been keen to have an independent ‘sanity check’ on just how their organisation has been doing when considering the new regulatory requirements.
Our ‘healthcheck’ covers a number of key areas, including:
- Governance and Control
- Staff training and awareness
- Dealing with Data Subjects rights
- Dealing with data breaches
- Managing 3rd parties
- Implementing Privacy by Design
As the diagram shows, 59% of our healthcheck criteria are being met. Whilst it’s virtually impossible to compare that to a starting point (reporting on previous data protection compliance was pretty limited), our view is that this highlights that some progress has been made and that SMEs are taking some action to meet the new regulatory requirements.
Looking more closely at the areas reviewed, the results from the individual areas are quite broad. There appears to be some pretty good progress on staff training and awareness and on governance activity, as businesses have looked to improve staff knowledge and update policies and procedures. Interestingly, the results also show that more could be done to ensure any training has actually been fully understood, and that businesses need proper control mechanisms in place to check that policies and procedures are being followed.
A constant theme from our audits is the mixed progress in dealing with 3rd parties, in dealing with data subjects and their rights, and in understanding and developing a privacy by design culture.
In specific terms we have noted:
- Businesses still have quite a bit to do in terms of recognising who they share data with and ensuring they are meeting the requirements of the regulations.
- Despite training, actual understanding of the regulations and recognising and acting upon rights of Data Subjects is still somewhat of a ‘mixed bag’.
- Having an ongoing programme to develop a culture of privacy in organisations still needs some work.
Whilst all of the above should be balanced against the organisation’s attitude to risk, our overriding view is that progress is being made but there is still work to do!
To find out more about our Healthcheck services, please contact us at email@example.com