NAME Data Protection Compliance Review Portal

This web page exists specifically to enable collaboration and information sharing for the purpose of ensuring compliance with data protection legislation.

The text below contains links to the current drafts of these types of documents:

  • Data Audit (‘Information Asset Registry’)
  • Policies
  • Privacy Notices
  • Processor Compliance
  • Process Documents
  • Forms
  • Guidance

I have drafted these documents with what I know about NAME’s data processing in mind. However, you know what is viable and suitable better than I do, and most of what has been provided can – and should – be amended to best suit NAME’s business.

All answers, queries, comments or suggestions should be sent to me at davidcharity@gdparmour.co.uk


Key Personnel

Those with responsibility for data protection compliance are listed below.

These individuals have responsibility for data protection in their respective areas, as specifically identified in their job descriptions. For suggested job description elements follow these links:

Data Security Officer Job Description Elements

Manager Job Description Elements

Chief Executive Officer – NAME

Overall responsibility for compliance and for allocating data protection duties and responsibilities to departmental heads.

Data Protection Officers – NAME

Responsibility for compliance oversight, advice and monitoring, and for fulfilling data rights requests.

NAME is also responsible for the personal data processing in the company’s finance and payroll functions.

IT Supplier – NAME

Responsibility for data security.

HR Supplier – NAME

Responsibility for compliance in the company’s processing of personal data in its HR function.

Very Significant Others

NAME


Compliance Areas

Accountability

This requires us to have records of our processing activities (Information Asset Registry), to have adopted and published suitable policies, to have allocated responsibilities for data protection to suitable job holders and to have ensured our staff have been trained in data protection basics.

It also requires us to ensure that those who process personal data for us have the relevant data protection clauses in their supply contracts.

When we have completed the review process, a tool to assess our compliance with the duty of accountability will be linked >>here<<

Transparency

This requires us to provide all categories of data subjects for whom we process personal data with information about our processing activities.

When we obtain personal data from the data subject, we must provide this information when we collect the data. When we obtain it from a third party, we must provide this information within 1 month.

We have complied with the duty of transparency by publishing suitable privacy notices on our website (i.e. a ‘data privacy page’ or similar) and providing a link to this page whenever we collect personal data. We also include this link in the text below email signatures.

Subject Rights

We are required to respond to data subjects’ requests in relation to their rights within 30 days (in the majority of cases). These are the rights to: (i) access, (ii) information about processing activities, (iii) rectification of inaccurate or incomplete data, (iv) erasure, (v) restriction of processing, (vi) portability and (vii) objection to processing.

We have complied with this by adopting a suitable policy regarding data subjects’ rights, a data rights log, data access forms and template letters, and by training.

Security

This requires us to adopt suitable security measures to avoid or minimise the risk of a data breach. The extent to which we are obliged to deploy security measures will depend on the likelihood of a breach, the risk to data subjects’ rights and freedoms should a breach occur, and the sensitivity of the data we process.

We have complied with this by adopting suitable policies regarding data security and data breaches, by undertaking data protection impact assessments wherever the risk associated with processing is high, and by training.


Information Asset Registry (IAR)

The current draft of the IAR is linked >>here<< and you can download the pdf file for ease of reference.

Please review the relevant pages below and (i) provide any important missing information, (ii) indicate if a new data asset should be added, (iii) respond to any queries in ‘notes’ or ‘advice notes’ at the bottom, and (iv) provide missing information where you see ‘TBA’ or otherwise.

If you wish to add a new data asset in your area, please follow the link >>here<< and complete the form.

Wherever the legal basis for processing is ‘legitimate interest’ we have assessed our interest in processing against the data subjects’ rights and freedoms. The legitimate interest assessments are linked >>here<<


Privacy Standard (aka Compliance Statement)

As part of our duty of accountability we explain our approach to all aspects of compliance in a single policy document.

This is an outward-facing document that is available to those external to the business. When we are asked by business partners, customers or other external stakeholders to show our compliance, we will provide this document.

The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download. [DMC: links to be added]

[Please let me have the finalised version of this policy as it was published in NAME style]


Data Subject Rights

Our approach to fulfilling data subjects’ rights requests is set out in the Subject Rights Policy. This is an internally-facing document designed to assist those who have responsibility for responding to data subjects’ rights requests.

The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download. [DMC: links to be added]

[Please let me have the finalised version of this policy as it was published in NAME style]

The policy is supported by template letters and a data subject rights request form. These documents are available >>here<< as a pdf file and >>here<< as a Microsoft Word download.

When a data subject makes an access request we use a suitable internal form. Our form can be viewed >>here<< as a pdf file and is available >>here<< as a Microsoft Word download.

We keep a log of our responses to data subjects’ rights requests. A Microsoft Excel spreadsheet designed for this purpose is linked >>here<<

For data subject access requests we have guidance for those who will handle requests.

Basic guidance is linked >>here<<

For more detailed guidance see the link >>here<<


Data Security

This policy document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.

This is an internally-facing document designed to provide guidance to all staff.

Our IAR makes an initial assessment of processing risks for each data asset; if the risk is assessed as high (i.e. 20 or more) we will undertake a Data Protection Impact Assessment. A suitable form for undertaking this assessment is available >>here<<


Data Breach

As a data controller we are under very stringent reporting requirements when we become aware of a data breach or ‘near miss’. We have only 72 hours to investigate and notify the ICO. In more serious cases we may also have to notify the data subjects who are affected. This is the area that carries the most significant risk for the business.

We have implemented a policy and procedures to ensure we can fulfil our duties within the requisite timescale. The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.

[AV: please let me have the finalised version of this policy as it was published in Scattergoods style]

This is an internally-facing document designed to provide a framework for staff to report suspected breaches or near misses, and to ensure due process is followed when we investigate and consider whether or not we have a duty to report a breach.

A data breach reporting form designed to capture all of the elements in the Data Breach Policy is available >>here<<

The policy document links both the ICO’s guidance and the European Data Protection Board’s guidance. It also links the ICO’s security breach notification form.

We keep a log of data breaches (no matter how small) and near misses. A Microsoft Excel spreadsheet designed for this purpose is linked >>here<<


Retention

Data protection compliance under the GDPR means complying with the principle of data minimisation; we will do this in two ways.

By keeping our audit of data processing activities (IAR) under careful review, we will be able to identify personal data categories that we no longer need or can no longer justify processing.

We must also set and abide by suitable retention periods for the personal data we process. Our approach to retention periods is set out in a suitable policy document. The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download. [DMC: links to be added]

[Please let me have the finalised version of this policy as it was published in NAME style]

This is an internally- and externally-facing document that fulfils our duty of transparency to those whose data we process.

The retention schedule that accompanies the policy will be updated when we have finalised the 2019 review of our data audit (IAR).


Processor Compliance

Wherever we share personal data with a contractor, supplier or other business partner we must ensure that GDPR article 28 terms are either incorporated into the terms of business, or that they have been agreed separately.

We use a processor compliance form to verify compliance. The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.

If a processor’s terms do not include the article 28 terms, we remedy this by sending the addendum to contract terms and asking that these be signed off or incorporated into the main contract. The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.

If the processor is contracting on our standard terms we ensure these incorporate the article 28 terms.

We also demonstrate that processing undertaken on our behalf is lawful by recording external processors in the audit (IAR) and noting where we are satisfied that the article 28 terms are incorporated into the relevant terms of business.


Privacy Notices

We have privacy notices for all categories of data subject on our website >>here<<.

  • Applicants
  • Employees
  • Agency Workers
  • Permanent Candidates
  • Web users

I will provide amended versions of these when our review of the audit (IAR) is complete.

The privacy page on our website carries links to all privacy notices, and we provide a link to this page wherever we collect personal data (e.g. application forms, order forms, promotional materials, online forms, etc.).

We also use the wording below in place of long and inconvenient scripts where we collect personal data in sales and marketing telephone calls.

The text for this will be along these lines:

‘Please refer to the NAME Data Privacy webpage for details of our processing of your personal data and your rights as a data subject – www.scattergoods.co.uk/privacy’

Additional Guidance

Additional guidance on data protection compliance can be found on these links:

Compliance essentials speed read

Records of processing activities

Telephone marketing

Data transfer limitation

Recruitment

Guidance on access requests

Guidance for Employees