Let’s say we’ve completed all our GDPR documentation, policies, and our contracts, processes, etc. are GDPR-compliant, what happens next? Are we supposed to send it to the ICO/SA (we’re in the UK) or do we hold onto it until requested by the SA?
Filling in the documentation is just one of the tasks in achieving EU GDPR compliance. After this step you should focus on making sure that all the documents are backed up by the proper processes, in order to ensure that the policies and procedures are followed and integrated into your day-to-day business activities.
For example, you should also consider the following tasks:
- test some of these processes, such as the one set up by the “Data Breach Response and Notification Procedure” https://advisera.com/eugdpracademy/documentation/data-breach-response-and-notification-procedure/ You need to see if all the staff involved know what to do, from identifying a data breach until sending the appropriate notifications;
- maintain the “Inventory of processing activities” https://advisera.com/eugdpracademy/documentation/inventory-of-processing-activities/ which should be kept up to date;
- perform due diligence on some of your most important suppliers;
- build up an EU GDPR awareness program to train your relevant staff.
EU GDPR compliance is not a “one shot” exercise but rather a continuous process to ensure that personal data is protected in any instance, regardless of the changes in your business activities.
And to answer your second question, there is no need for you to proactively go to the ICO to present your EU GDPR framework.