Data protection – the essentials
There are lots of aspects to General Data Protection Regulation (GDPR) compliance. Our Hub sets out a lot of guidance on different areas of your business which may be affected, and our five-step approach to compliance provides a simple framework for your GDPR Project, but what if you’re short on time and resources? Well, we’ve set out here some key areas of compliance and how we can help.
Are you secure?
Hopefully you’re already keeping your data secure. The GDPR does not introduce specific new standards of security, but the potential consequences of a data breach are more significant, so you must be comfortable with all aspects of your data security (not just having a firewall and long passwords, but securing your overall business and processes). We aren’t technical security experts, and we don’t pretend to be, but we can put you in touch with consultants who can help you with your security. For more information on security measures, see our Hub article.
Are you aware?
Not everyone in your business needs to know the GDPR back-to-front, but you should make sure you have someone who broadly understands the requirements, and who takes ownership of data protection responsibilities in the organisation (a “Data Compliance Officer” or “Data Champion”). Other personnel may only need to know a few “golden rules” depending on their role. We can engage with the individual or team responsible for data protection in your business, to upskill and advise them. For more information on internal compliance, see our Hub section.
For common questions on the GDPR, see our FAQs.
Do you have the right documents?
The GDPR has some strict requirements about what documentation you need to have in place. We’ve set these out below. Other than the “Data Controller Register” these are all mandatory regardless of how big or small your business is.
If you use a service provider that stores or uses personal data on your behalf, they may well (depending on the level of control they have over that data) be a “processor” (see our Hub article). Where you appoint a processor, GDPR requires you to have a written contract with that processor, which must include details of the processing and some specific obligations on that processor (in particular, the processor must only process personal data on your documented instructions – see our Hub article). This doesn’t just apply to contracts agreed after 25 May 2018, so these details and obligations will need to be added to your existing contracts. The GDPR requirements here are quite specific, so it’s very unlikely that existing contracts will be compliant.
Larger service providers may already be updating agreements, but small service providers are less likely to be dealing with this proactively. We can provide a template data processing addendum to work alongside existing contracts that includes the relevant obligations and protects your position.
The GDPR requires a privacy notice to be supplied to anyone whose personal data you hold (subject to some exceptions). Existing privacy notices are very unlikely to already be compliant with the GDPR’s requirements, which are much more detailed (see our Hub article).
It’s worth remembering that employees are data subjects too, and you will need a privacy notice to set out how you use their data. We anticipate businesses needing a minimum of two privacy notices (an internal one for personnel, and an external one for everyone else). We can provide template internal and external privacy notices, and assistance in amending them to reflect your business.
The GDPR also requires you to bring that notice to the attention of the relevant individuals. We can advise on wording and processes to achieve this.
Special Category Data Appropriate Policy Document
The Data Protection Act 2018 requires that, if you process special category data (or criminal records data) to carry out your obligations under employment, social security or social protection law, or a collective agreement, or for reasons of substantial public interest, you have an appropriate policy document setting out how you comply with the GDPR’s principles and your retention and erasure policies.
Data Controller Register
The GDPR requires organisations to keep a record of their processing activities (including a general description of your security measures). While this obligation is reduced for organisations with fewer than 250 employees (see our Hub article), it’s likely that an organisation of any size will have to keep at least a partial record. We would always recommend that organisations keep a full record as a matter of best practice, and to assist their other compliance activities. We can provide a template register for you to complete, and mapping questionnaires to help you through the process of filling it in.
Data Breach Register
GDPR requires organisations to document any data breaches they suffer, the effects of that breach, and the remedial action they have taken. We can provide a template register for you to maintain, as well as advice and assistance in dealing with any breach, or putting procedures or policies in place to plan for and mitigate them.
We have prepared a GDPR Toolkit which contains questionnaires, customisable template documents and related guidance, and we are offering half-day and full-day workshops to help our clients get up to speed with the GDPR – if you’d like more information on the toolkit or workshops, you can contact us using the details on the right.
The toolkit includes the following documentation:
GDPR mapping questions
- A list of mapping questions to help you logically proceed through a mapping process
Customisable template documents
- Data Controller Processing Register (for compliance with Article 30)
- External Privacy Notice (for people outside your organisation)
- Internal Privacy Notice (for employees, contractors and workers, includes template Appropriate Policy Document for use of special category data to comply with employment law)
- Template Internal Memo to Employees (to update employees, contractors and workers)
- Data Processing Agreement (for use with suppliers to comply with Article 28)
- Legitimate Interests Assessment (to record your basis for carrying out certain activities)
- Subject Access Request Responses (initial and detailed responses)
- Supplier Questionnaire (to assist with supplier due diligence)
- Data Protection Policy (an internal document setting out how you achieve GDPR compliance)
- Data Breach Register (to record any personal data breaches)
- Data Protection Impact Assessments (when they are required and what they should set out)
- Data Protection Officers (when they are required and what their requirements are)
- Retention Policy (factors to consider in drafting a retention policy)
- Responding to Subject Access Requests (steps to take in responding to requests)
- Special Category Data (identifying special category data and ensuring your use of it is compliant)
- Customer Databases and Marketing (how to approach existing databases and future marketing)