This web page is specifically to enable collaboration and information sharing for the purposes of ensuring compliance with the data protection legislation. It is my aim to make a very large and cumbersome piece of work easy to access and understand.
The text below contains links to the current drafts of these types of documents:
- Data Audit (‘Information Asset Registry’)
- Privacy Notices
- Processor Compliance
- Process Documents
I have drafted these documents with what I know about NAME’s data processing in mind. However, you know what is viable and suitable better than I do, and most of what has been provided can – and should – be amended to best suit NAME’s business. Where you see red text the words used are being recognised as optional.
All answers, queries, comments or suggestions should be sent to me at firstname.lastname@example.org
Those with responsibilities for data protection compliance are below.
These individuals should have responsibility for data protection in their respective areas specifically identified in their job descriptions. For suggested job description elements follow these links:
Chief Executive Officer – NAME
Overall responsibility for compliance and for allocating data protection duties and responsibilities to departmental heads.
Data Protection Officer – NAME
Responsibility for compliance oversight, advice and monitoring. Also responsible for the personal data processing in the company’s finance and payroll functions.
Head of IT – NAME
Responsibility for data security and fulfilling data rights requests by those internal to the business.
Head of Legal and Customer Relations – NAME
Responsibility for compliance in the company’s legal and customer complaints functions, and data subject rights requests by those external to the business.
Head of Sales and Marketing – NAME
Responsibility for the company’s personal data processing in its marketing, digital marketing, website and call centre.
Interim Head of HR – NAME
Responsibility for compliance in the company’s processing of personal data in its HR function.
Head of Operations – NAME
Responsibility for compliance in the company’s processing of personal data in its operations.
Head of Purchasing – NAME
Responsible for the company’s processing of personal data in its procurement activities and for data processor compliance in relation to suppliers.
Very Significant Others
This requires us to have records of our processing activities (Information Asset Registry), to have adopted and published suitable policies, to have allocated responsibilities for data protection to suitable job holders and to have ensured our staff have been trained in data protection basics.
It also requires us to ensure that those who process personal data for us have the relevant data protection clauses in the relevant supply contracts.
When we have completed the process a tool to assess our compliance with the duty of accountability is linked >>here<<
This requires us to provide all categories of data subjects for whom we process personal data with information about our processing activities.
When we obtain personal data from the data subject, we must provide this information when we collect the data. When we obtain it from a third party we must provide this information within 1 month.
We will comply with the duty of transparency by publishing suitable privacy notices on our website (i.e. a ‘data privacy page’ or similar) and providing a link to this page whenever we collect personal data. We can also include this link in the text below email signatures.
We are required to respond to data subjects’ requests in relation to their rights within 30 days (in the majority of cases). These are the right to: (i) access, (ii) be informed of processing activities, (iii) rectification of inaccurate or incomplete data, (iv) erasure, (v) restriction of processing, (vi) portability and (vii) object to processing.
We will comply with this by adopting: a suitable policy regarding data subjects’ rights, data rights log, data access forms and template letters and by training.
This requires us to adopt suitable security measures to avoid or minimise the risk of a data breach. The extent to which we are obligated to deploy security will depend on the level of risk of a breach and to data subjects’ rights and freedoms in the case of a data breach, and also the sensitivity of the data we process.
We will comply with this by adopting: suitable policies regarding data security and data breaches, by undertaking data protection impact assessments wherever the risk associated with processing is high, and by training.
Information Asset Registry (IAR)
The current draft of the IAR is linked >>here<< and you can download the pdf file for ease of reference.
Please review the relevant pages below and (i) provide any important missing information, (ii) indicate if a new data asset should be added, (iii) respond to any queries in ‘notes’ or ‘advice notes’ at the bottom, and (iv) provide missing information where you see ‘TBA’ or otherwise.
IDENTIFY KEY PERSONNEL AND PAGE NUMBERS IN IAR FOR THEIR REVIEW
If you wish to add a new data asset in your area, please follow the link >>here<< and complete the form.
Privacy Standard (aka Compliance Statement)
As part of our duty of accountability we explain our approach to all aspects of compliance in a single policy document.
This is an outward facing document that will be available to those external to the business. When we are asked by business partners or customers or other external stakeholders to show our compliance we will provide this document.
My draft of the document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.
Data Subject Rights
Our approach to fulfilling data subjects’ rights requests will be set out in the Subject Rights Policy. This is an internally facing document designed to assist those who have responsibility for responding to data subjects’ rights requests.
My draft of the document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.
My suggestion is that the policy is supported by template letters and a data subject rights request form. My drafts for these are available >>here<< as a pdf file.
When a data subject makes an access request we should use a suitable internal form. My draft of a suitable form is available >>here<< as a pdf file and >>here<< as a Microsoft Word document.
We must keep a log of our responses to data subjects’ rights requests. A Microsoft Excel spreadsheet designed for this purpose is linked >>here<<
Finally, for data subject access requests I have written some guidance for those who will handle requests.
Basic guidance is linked >>here<<
For more detailed guidance see the link >>here<<
We already have an IT User Policy that contains some important information about the use of our IT systems. A copy of this policy is available >>here<<
This is an internally facing document designed to provide guidance to all staff.
We should supplement this with a Data Security Policy. My draft of the document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.
As a data controller we are under very stringent reporting requirements when we become aware of a data breach or ‘near miss’. We have only 72 hours to investigate and notify the ICO. In more serious cases we may also have to notify the data subjects who are affected. This is the area that carries the most significant risk for the business.
We must implement a policy and procedures to ensure we can fulfil our duties within the requisite timescale. My draft of the document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.
This is an internally facing document designed to provide a framework for staff to report suspected breaches or near misses and to ensure due process is followed when we investigate and consider whether or not we have a duty to report a breach.
We must keep a log of data breaches (no matter how small) and near misses. A Microsoft Excel spreadsheet designed for this purpose is linked >>here<<
A data breach reporting form designed to capture all of the elements in the Data Breach Policy is available >>here<<
Data protection compliance under the GDPR means complying with the principle of data minimisation; we will do this in two ways.
By keeping our audit of data processing activities (IAR) under careful review we will be able to identify personal data categories that we no longer need or can no longer justify processing.
We must also set and abide by suitable retention periods for the personal data we process. Our approach to retention periods can be set out in a suitable policy document. My draft of the document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.
This is an internally and externally facing document to fulfil our duty of transparency to those whose data we process.
The retention schedule that accompanies the policy will be completed when we have finalised the data audit (IAR).
Wherever we share personal data with a contractor, supplier or other business partner we must ensure that GDPR article 28 terms are either incorporated into the terms of business, or that they have been agreed separately.
A processor compliance template is available >>here<< to assess compliance.
If a processor’s terms do not include the article 28 terms we can remedy this by sending the addendum to contract terms linked >>here<< and asking that these be signed off or incorporated into the main contract.
If the processor is contracting on our standard terms we must ensure these incorporate the article 28 terms.
We can also demonstrate that processing undertaken on our behalf is lawful by recording external processors in the audit (IAR) and noting where we are satisfied that the article 28 terms are incorporated into the relevant terms of business.
We have a privacy notice for web users on our website >>here<<
We should add privacy notices for all other categories of data subject whose personal data we process:
- Employees and workers
- Applicants for employment
- Customers who do not order via the website
- Suppliers and contractors
I will provide these when the audit (IAR) is complete.
We can then amend the privacy page on the website to carry links to all privacy notices and provide a link to this wherever we collect personal data (e.g. application forms, order forms, promotional materials, online forms, etc).
We can also use this wording in place of long and inconvenient scripts used where we collect personal data in sales and marketing telephone calls.
The text for this can be something along these lines:
‘Please refer to the NAME Data Privacy webpage for details of our processing of your personal data and your rights as a data subject – www.NAME.co.uk/privacy’
Additional guidance on data protection compliance can be found on these links: