Scattergoods Data Protection Compliance Portal

This web page enables collaboration and information sharing for the purposes of ensuring compliance with the data protection legislation.

The text below contains links to the current drafts of these types of documents:

Data Audit (‘Information Asset Registry’)
Policies
Privacy Notices
Processor Compliance
Process Documents
Forms
Guidance

I have drafted these documents with what I know about Scattergoods’ data processing in mind. However, you know what is viable and suitable better than I do, and most of what has been provided can – and should – be amended to best suit Scattergoods’ business.

All answers, queries, comments or suggestions should be sent to me at davidcharity@gdparmour.co.uk

Key Personnel

Those with responsibilities for data protection compliance are below.

These individuals have responsibility for data protection in their respective areas specifically identified in their job descriptions. For suggested job description elements follow these links:

Data Security Officer Job Description Elements

Manager Job Description Elements

Data Supervisors – Karen Elson & Darren O’Leary

Responsibility for compliance oversight, advice and monitoring and fulfilling data rights requests.

Karen is also responsible for the personal data processing in the company’s finance and payroll functions.

Very Significant Others

Claire Skelsey – Commercial Manager

Chief Executive Officer – Andrew Vicos

Overall responsibility for compliance and for allocating data protection duties and responsibilities to departmental heads.

IT Supplier – Susie Black

Responsibility for data security.

HR Supplier – Maria Cruse

Responsibility for compliance in the company’s processing of personal data in its HR function.

Compliance Areas

Accountability

This requires us to have records of our processing activities (Information Asset Registry), to have adopted and published suitable policies, to have allocated responsibilities for data protection to suitable job holders and to have ensured our staff have been trained in data protection basics.

It also requires us to ensure that those who process personal data for us have the relevant data protection clauses in their supply contracts.

When we have completed the review process a tool to assess our compliance with the duty of accountability is linked >>here<<

Transparency

This requires us to provide all categories of data subjects for whom we process personal data with information about our processing activities.

When we obtain personal data from the data subject, we must provide this information when we collect the data. When we obtain it from a third party we must provide this information within 1 month.

We have complied with the duty of transparency by publishing suitable privacy notices on our website (i.e. a ‘data privacy page’ or similar) and providing a link to this page whenever we collect personal data. We also include this link in the text below email signatures.

Subject Rights

We are required to respond to data subjects’ request in relation to their rights within 30 days (in the majority of cases). These are the right to: (i) access, (ii) be informed of processing activities, (iii) rectification of inaccurate or incomplete data, (iv) erasure, (v) restriction of processing, (vi) portability and (vii) object to processing.

We have complied with this by adopting: a suitable policy regarding data subjects’ rights, data rights log, data access forms and template letters and by training.

Security

This requires us to adopt suitable security measures to avoid or minimise the risk of a data breach. The extent to which we are obligated to deploy security will depend on the level of risk of a breach and to data subjects’ rights are freedoms in the case of a data breach, and also the sensitivity of the data we process.

We have complied with this by adopting: suitable policies regarding data security and data breaches, by undertaking data protection impact assessments wherever the risk associated with processing is high, and by training.

Information Asset Registry (IAR)

The 2019 version of the IAR is available to view or download >>here<<

If you need to add a new data asset please follow the link >>here<< and complete the form.

Wherever the legal basis for processing is ‘legitimate interest’ we have assessed our interest in processing against the data subjects’ rights and freedoms. The legitimate interest assessments are linked >>here<<

Privacy Standard (aka Compliance Statement)

As part of our duty of accountability we explain our approach to all aspects of compliance in a single policy document.

This is an outward facing document that is available to those external to the business. When we are asked by business partners or customers or other external stakeholders to show our compliance we will provide this document.

The document is available >>here<< as a pdf file.

Data Subject Rights

This is a new policy and supporting documents and requires review.

Our approach to fulfilling data subject’s rights requests is set out in our Subject Rights Policy. This is an internally facing document designed to assist those who have responsibility for responding to data subjects’ rights requests.

The draft document is available >>here<< as a pdf file and >>here<< as a Microsoft word download.

The policy is supported by template letters and a data subject rights request form. These documents are available to view >>here<< as a pdf file and for download >>here<< as a Microsoft word download.

When a data subjects make an access request we use a suitable internal form. Our form can be viewed >>here<< as a pdf file and is available >>here<< as a Microsoft word download.

We keep a log of our responses to data subjects rights requests. A Microsoft excel spreadsheet designed for this purpose is linked >>here<<

For data subject access requests we have guidance for those who will handle requests.

Basic guidance is linked >>here<<

For more detailed guidance see the link >>here<<

Data Security

This policy document is available >>here<< as a pdf file.

This is an internally facing document designed to provide guidance to all staff.

Our IAR makes an initial assessment of processing risks for each data asset; if the risk is assessed as high (i.e. 20 or more) we will undertake a Data Protection Impact Assessment. Our form for undertaking this assessment is available for download >>here<<

Data Breach

As a data controller we are under very stringent reporting requirements when we became aware of a data breach or ‘near miss’. We have only 72 hours to investigate and notify the ICO. In more serious cases we may also have to notify the data subjects who are affected. This is the area that carries the most significant risk for the business.

We have implemented a policy and procedures to ensure we can fulfil our duties within the requisite timescale.

The document was updated in October 2019 and is available to view >>here<< as a pdf file and <<here>> to download as a Microsoft word download.

This is an internally facing document designed to provide a framework for staff to report suspected breaches or near misses and to ensure due process is followed when we investigate and consider whether or not we have a duty to report a breach.

The policy document links both the ICO’s guidance and the European Data Protection Board’s guidance. It also links the ICO’s security breach notification form.

A data breach reporting form designed to capture all of the elements in the Data Breach Policy is available >>here<<

We keep a log of data breaches (no matter how small) and near misses. A Microsoft excel spreadsheet designed for this purpose is linked >>here<<

Retention

Data protection compliance under the GDPR means complying with the principle of data minimisation; we will do this in two ways.

By keeping our audit of data processing activities (IAR) under careful review we will be able to identify personal data categories that we no longer need, or can justify processing.

We must also set and abide by suitable retention periods for the personal data we process. Our approach to retention periods is set out in a suitable policy document.

The document was updated in October 2019 and is available to view >>here<< as a pdf file and <<here>> to download as a Microsoft word download.

The retention policy has been dispensed with since Darren & Karen advised that the majority of retention periods should be moved to 6 years plus 1 year buffer. This information is now contained in the relevant privacy notices.

This is an internally and externally facing document to fulfil our duty of transparency to those whose data we process.

Processor Compliance

Wherever we share personal data with a contractor, supplier or other business partners we must ensure that GDPR article 28 terms are either incorporated into the terms of business, or that they have been agreed separately.

We use a processor compliance form to verify compliance. The document is available >>here<< as a pdf file and >>here<< as a Microsoft word download.

If a processor’s terms do not include the article 28 terms we remedy this by sending the addendum to contract terms and asking that these be signed off or incorporated into the main contract. The document is available >>here<< as a pdf file and >>here<< as a Microsoft word download.

If the processor is contracting on our standard terms we ensure these incorporate the article 28 terms.

We also demonstrate that processing undertaken on our behalf is lawful by recording external processors in the audit (IAR) and noting where we are satisfied that the article 28 terms are incorporated into the relevant terms of business.

Privacy Notices

We have privacy notices for all categories of data subject on our website >>here<<.

New draft privacy notices following the 2019 review and refresh are linked below and require review:

*Please note that no personal data for Applicants is recorded in the IAR so this privacy notice has been drafted on the basis of reasonable expectation.

**Please note that we need Susie Black’s instructions about retention periods and her confirmation that our records of the types of personal data collected in the website database is accurate.

The privacy page on our website carries links to all privacy notices and we provide a link to this wherever we collect personal data (e.g. application forms, order forms, promotional materials, online forms, etc).
[We want to say this]

We also use this link in place of long and inconvenient scripts used where we collect personal data in sales and marketing telephone calls and on all of our forms that collect personal data.

The text for this will be along these lines:

‘Please refer to the Scattergoods Data Privacy webpage for details of our processing of your personal data and your rights as a data subject – https://www.scattergoods.co.uk/policy-statements‘