As year two dawns, here are some items to put on your to-do list:
1. If your compliance programme isn’t working, fix it
Inevitably, in the rush to prepare for GDPR, we too often saw compliance programmes put in place quickly and with little opportunity to benchmark against what other companies were doing. A year in is a good time to take stock and reflect on what works and what can be improved. For some companies, this actually means doing less, but doing it better, with a focus on the real risks. For others, this may mean a shift in governance to ensure that processes are embedded throughout the business rather than just left in a compliance function. For still others, it means turning a pile of policy documents into something more tangible and operational. Compliance programmes should naturally be organic and evolve over time, so there is little point in persisting for another year with something that simply isn’t working.
2. Get ready for the children’s code
The ICO is currently finalising its children’s code of practice, but the draft is out and will come as a surprise to quite a few companies. This is particularly true of those that thought they had carefully scoped their offerings to ringfence those under 13, only to discover that they now have a lot to do even if 17-year-olds just occasionally interact with their services. We recommend familiarising yourself with the code now.