GDPR Compliance Stage 4: Recording and Reporting
Even though GDPR introduces a number of recommendations to prevent breaches of people’s personally identifiable information (PII), it also recognises that breaches may still happen from time to time. It therefore makes it the clear duty of every data-holding organisation to report certain types of personal data breach to the relevant authorities.
The new regulation also rules that “if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay”. Furthermore, you need to be able to demonstrate that you have kept records of all data breaches, even when they are not the type requiring a report to the authorities.
To accomplish all this, you should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will make it easier to determine whether you need to notify the relevant supervisory authority and the affected individuals.
The need for speed
GDPR stipulates that the report to the relevant supervisory authority must be made no more than 72 hours after becoming aware of the breach, “where feasible”, so in effect you need to be able to generate the report immediately.
According to GDPR, you also have a responsibility to ensure GDPR compliance of your supply chain. And you need to clearly document the technical security measures that your organisation has in place, so you can demonstrate them whenever required.
To comply with the new standards in transparency, accountability and record keeping set by GDPR, the organisation needs to be more transparent about its use of data at every stage, clearly documenting every item and every process, including:
- The purpose of processing
- The categories of personal data processed
- The identity of third parties with whom data is shared
- The legal basis of such transfers
- Organisational and technical security measures
- Retention times for each dataset
The good news is that, with the first three stages of GDPR compliance taken care of (see our earlier blogs for full details), you should be automatically keeping the records that enable you to report on data breaches speedily and accurately.
A menu of Microsoft solutions
The simplest, most effective way to achieve all this is to switch to the suite of Microsoft cloud services that automatically track and record, centralise and streamline all the technical and administrative steps required for compliance. You will then be in a position to demonstrate due diligence and be ready to handle any data access requests.
Ready to hear about a solution that can not only enable you to comply with GDPR, but also make the whole business more efficient and potentially profitable? Ask the Fabric team for a free consultation. We’ll show you which combination of Microsoft products is most suitable for your specific business.