Context:
In several instances the GDPR stipulates that controllers and processors need to be able to demonstrate compliance with the regulation:
- Demonstrate compliance with Processing principles – Article 5(2)
- Able to demonstrate that processing is performed in accordance with this Regulation – Article 24(1)
- Processor to provide evidence of compliance – Article 28(3)(h)
- Data Protection Impact Assessment to contain the monitoring measures – Article 35(7)(d)
- Data Protection Officer tasks include monitoring – Article 39(1)(b,c)
Considerations:
The supervisory authority could investigate your processing activities at any time. It is therefore important that you establish and keep ongoing records.
When exercising their rights, individuals can also request information, and if you have records to hand you can respond within the timeframes laid out in the regulation.
Having a system in place, such as Gydeline, which shows your level of compliance is a good way to prove that you are taking the GDPR seriously, have a plan and are monitoring your ongoing activities under the regulation.
How to:
Keep records of your processing of personal information, and of the systems and policies you have around it, including:
- Data Protection Impact Assessments
- Consent records
- Data Protection Policies
- Data Protection Officer role and responsibility
- Privacy notice/policy
- Security policies
- Training records
- Processing activity records
Common Scenarios:
A complaint has been made to the supervisory authority
Provide supporting information that shows you are compliant with the regulation
References:
- GDPR Recitals: 97,
- GDPR Articles: 5, 24, 28, 35, 39