This web page is specifically to enable collaboration and information sharing for the purposes of ensuring compliance with the data protection legislation. It is my aim to make a very large and cumbersome piece of work easy to access and understand.
The text below contains links to the current drafts of these types of documents:
- Data Audit (‘Information Asset Registry’)
- Privacy Notices
- Processor Compliance
- Process Documents
I have drafted these documents with what I know about Rescue Global’s data processing in mind. However, you know what is viable and suitable better than I do, and most of what has been provided can – and should – be amended to best suit Rescue Global’s operations. Where you see red text, the wording is optional.
All answers, queries, comments or suggestions should be sent to me at firstname.lastname@example.org
Those with responsibilities for data protection compliance are below.
These individuals should have responsibility for data protection in their respective areas specifically identified in their job descriptions. For suggested job description elements follow these links:
Chief Executive Officer / Data Security and Compliance Officer – David McNicol-Jones
[Note: some of the areas of responsibility that follow may be allocated to other officers / employees]
Overall responsibility for compliance and for allocating data protection duties and responsibilities to departmental heads.
Responsibility for compliance oversight, advice and monitoring. Also responsible for the personal data processing in the company’s finance and payroll functions.
Responsibility for data security and fulfilling data rights requests by those internal to the business.
Responsibility for compliance in the company’s legal and customer complaints functions, and data subject rights requests by those external to the business.
Responsibility for the company’s personal data processing in its marketing, digital marketing, website and call centre.
Responsibility for compliance in the company’s processing of personal data in its HR function.
Responsibility for compliance in the company’s processing of personal data in its operations.
Responsible for the company’s processing of personal data in its procurement activities and for data processor compliance in relation to suppliers.
This requires us to have records of our processing activities (Information Asset Registry), to have adopted and published suitable policies, to have allocated responsibilities for data protection to suitable job holders and to have ensured our staff have been trained in data protection basics.
It also requires us to ensure that those who process personal data for us have the relevant data protection clauses in the relevant supply contracts.
A tool to assess our compliance with the duty of accountability is linked >>here<<
This requires us to provide all categories of data subjects for whom we process personal data with information about our processing activities.
When we obtain personal data from the data subject, we must provide this information when we collect the data. When we obtain it from a third party we must provide this information within 1 month.
We will comply with the duty of transparency by publishing suitable privacy notices on our website (i.e. a ‘data privacy page’ or similar) and providing a link to this page whenever we collect personal data. We also include this link in the text below email signatures.
We are required to respond to data subjects’ requests in relation to their rights within 30 days (in the majority of cases). These are the rights to: (i) access, (ii) be informed of processing activities, (iii) rectification of inaccurate or incomplete data, (iv) erasure, (v) restriction of processing, (vi) portability and (vii) object to processing.
We will comply with this by adopting: a suitable policy regarding data subjects’ rights, data rights log, data access forms and template letters and by training.
This requires us to adopt suitable security measures to avoid or minimise the risk of a data breach. The extent of the security we are obliged to deploy will depend on the likelihood of a breach, the risk to data subjects’ rights and freedoms in the event of a breach, and the sensitivity of the data we process.
We will comply with this by adopting: suitable policies regarding data security and data breaches, by undertaking data protection impact assessments wherever the risk associated with processing is high, and by training.
Information Asset Registry (IAR)
The current IAR is linked >>here<< and you can download the pdf file for ease of reference.
Please keep this under review and (i) provide any important missing information, (ii) indicate if a new data asset should be added, (iii) respond to any queries in ‘notes’ or ‘advice notes’ at the bottom, and (iv) provide missing information where you see ‘TBA’ or otherwise.
If you need to add a new data asset, please follow the link >>here<< and complete the form.
Privacy Standard (aka Compliance Statement)
As part of our duty of accountability we explain our approach to all aspects of compliance in a single policy document.
This is an outward facing document that will be available to those external to the business. When we are asked by business partners or customers or other external stakeholders to show our compliance we will provide this document.
Data Subject Rights
Our approach to fulfilling data subjects’ rights requests will be set out in the Subject Rights Policy. This is an internally facing document designed to assist those who have responsibility for responding to data subjects’ rights requests.
My suggestion is that the policy is supported by template letters and a data subject rights request form. My drafts for these are available >>here<< as a pdf file.
We must keep a log of our responses to data subjects’ rights requests. A Microsoft Excel spreadsheet designed for this purpose is linked >>here<<
Finally for data subject access requests I have written some guidance for those who will handle requests.
Basic guidance is linked >>here<<
For more detailed guidance see the link >>here<<
This is an internally facing document designed to provide guidance to all staff.
Our IAR makes an initial assessment of processing risks for each data asset; if the risk is assessed as high (i.e. 20 or more) we will undertake a Data Protection Impact Assessment.
A suitable form for undertaking this assessment is available >>here<< as a Microsoft Word download.
As a data controller we are under very stringent reporting requirements when we become aware of a data breach or ‘near miss’. We have only 72 hours to investigate and notify the ICO. In more serious cases we may also have to notify the data subjects who are affected. This is the area that carries the most significant risk for the organisation.
We must implement a policy and procedures to ensure we can fulfil our duties within the requisite timescale. My draft of the document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.
This is an internally facing document designed to provide a framework for staff to report suspected breaches or near misses and to ensure due process is followed when we investigate and consider whether or not we have a duty to report a breach.
We must keep a log of data breaches (no matter how small) and near misses. A Microsoft Excel spreadsheet designed for this purpose is linked >>here<<
A data breach reporting form designed to capture all of the elements in the Data Breach Policy is available >>here<<
Data protection compliance under the GDPR means complying with the principle of data minimisation; we will do this in two ways.
By keeping our audit of data processing activities (IAR) under careful review we will be able to identify personal data categories that we no longer need or can no longer justify processing.
We must also set and abide by suitable retention periods for the personal data we process. Our approach to retention periods can be set out in a suitable policy document. My draft of the document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.
The policy and schedule are internally and externally facing documents to fulfil our duty of transparency to those whose data we process.
Wherever we share personal data with a contractor, supplier or other business partner we must ensure that GDPR article 28 terms are either incorporated into the terms of business, or that they have been agreed separately.
A processor compliance template is available >>here<< to assess compliance.
If a processor’s terms do not include the article 28 terms we can remedy this by sending the addendum to contract terms linked >>here<< and asking that these be signed off or incorporated into the main contract.
If the processor is contracting on our standard terms we must ensure these incorporate the article 28 terms.
We also demonstrate that processing undertaken on our behalf is lawful by recording external processors in the audit (IAR) and noting where we are satisfied that the article 28 terms are incorporated into the relevant terms of business.
We have privacy notices for all categories of data subject on our website [link to be added when in place]
Links to all drafts:
- Online Users [note only this one is on the website at present]
- Employees Workers and Contractors
- At Risk Individuals
- Clients Business Partners and Suppliers
The privacy page on the website will carry links to all privacy notices and we will provide a link to the privacy page wherever we collect personal data (e.g. application forms, order forms, promotional materials, online forms, etc).
The text for this link can be:
‘Please refer to Rescue Global’s Data Privacy webpage for details of our processing of your personal data and your rights as a data subject – www.rescueglobal.org/dataprivacy’
Additional guidance on data protection compliance can be found on these links: