"We're GDPR Compliant"
Almost every client that we talk to claims to be 'GDPR compliant'. First of all, we don't buy into that because GDPR is not a destination but a journey. By that we mean that Privacy isn't something you do once and forget about, like Y2K was. It's an on-going process, something that needs to be at the core of who you are as an organisation. Legislation changes (even GDPR continues to be clarified by the European Data Protection Board), your products change, and the markets in which you sell may change. Your 'compliance' is represented by shades of grey, depending upon your knowledge, risk tolerance level, market forces and the potential for risk of harm to your data subjects.
When we go on to talk to these clients, here are the most common areas that we find missing:
Controller or Processor Records
Any organisation that engages in processing activities that are not occasional, or that could result in a risk to the rights and freedoms of individuals, or that involve the processing of special categories of data (e.g. health or wellness data, medical records), MUST maintain controller records. These are detailed records, and what they must contain is described in Article 30.
Any controller (i.e. you) that engages another organisation to perform processing on their clients' data (that organisation is called a processor) must have a contract that describes, amongst other things, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller (Article 28). These processors could be your online backup service (e.g. DropBox), your email system, your online accounting system, etc. Most of the clients we talk to are unaware of this requirement. Furthermore, these processors should be listed in your Privacy Statement.
Data Protection Impact Assessment (DPIA)
Article 35 stipulates that processing using new technologies (e.g. facial recognition, wearable devices, machine learning or artificial intelligence), and especially processing that is "likely to result in a high risk to the rights and freedoms of natural persons", requires a DPIA to be performed. In addition, most people don't realise that both the ICO and the Surveillance Camera Commissioner recommend that a DPIA be performed prior to installing a CCTV system.