In order to reflect the requirements of GDPR, the Article 29 Working Party (WP29) has published the following updated guidelines on Binding Corporate Rules (BCRs):

•  Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)
• Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

The tables have been amended to meet the requirements of Article 47 GDPR, in order to clarify the necessary content of BCR's and make the distinction between what must be included in BCR's to be presented to the competent supervisory authority in the BCRs application. The amendments will also effect corresponding the principles with the Article 47 text references for controller BCR's, as well as providing further guidance on each of the requirements.

Document management solutions provide:

• structured organisation and control of documents
• enable search
• provide document security, audit, versioning
• capability to manage retention

What they are not necessarily capable of is identifying and separating personally identifiable information (PII) from everything else in each document.  

According to recent survey, 17 out of 24 regulatory authorities were unprepared for the General Data Protection Regulation (GDPR), when it was introduced on 25 May 2018.

Regardless of these statistics, organisations cannot afford to become complacent, as all businesses are at risk of data breaches. Therefore, GDPR compliance must be continually enforced.

Imagine the scenario: you hold marketing data, collected from lead generation firms, meetings, seminars etc maintained as a contacts database for marketing purposes. You have already contacted some of the people on this database, but others you have not.

In order to comply with the GDPR requirements you need to know:

How is this affected by GDPR?

Do you need contact all the earlier contacts to get consent?

Can this be deemed legitimate business use?

On some occasions, an EU subject may require a Subject Access Request (SAR) which involves a transaction outside of the EU. Therefore, data processors must be aware that a data controller outside of the EU will not necessarily give up any or many obligations to the General Data Protection Regulation (GDPR).

So, the question is whether data processors need to address the Subject Access Request without the controller or not?

Data protection is a term to over-arch the mitigation against failures in protection (confidentiality), accuracy (integrity) and access (availability) that can cause an impact to data subjects and ultimately, your business. Compliance is about the governance of the GDPR, and non-technical measures to adopt and adapt.

 Risk-assessments enable the decision-makers consider everything from contractors leaving with passwords and insider-knowledge and lead to changes in technology, anonymisation of databases, deletion of old, unnecessary records, role-based access to customer data and so on. 

But what about technical support and access to customer data, particularly when required on a large-scale? What measures are available to manage, minimize and control this?

1. Manage expectations - GDPR ‘compliance’ is a matter of constant review, adoption of policies and adaption of processes. Plan, develop and sustain.

2. Continued awareness and training for staff.

3. Update your privacy policy, consent capture and recording.