14 May 2018
Goodness it feels like the GDPR has been around forever!
Darn, it’s less than two weeks before I have to be GDPR compliant!
Pah - the GDPR is a lot of work!
Ready? Am I really ready?
What information do I need to provide in my policy?
Under the GDPR, which is geared towards transparency and fairness to individuals, organisations have to provide individuals with far more extensive information about the processing of their personal data than the current requirements under the Data Protection Act 1998. The GDPR (articles 13 and 14) explicitly requires data controllers to inform data subjects of the following:
- the data controller’s identity and contact details;
- details of the data protection officer, if the organisation is required to have one;
- the purpose and legal basis for processing;
- if the legal basis for processing is legitimate interest, what that interest is;
- recipients, or categories of recipients, of the personal data;
- whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data;
- how long the personal data will be retained and, if no time frame can be provided, how the retention period will be calculated;
- the data subject’s rights (access, rectification, erasure, restriction, data portability, withdrawal of consent, complaints);
- if there is a statutory or contractual requirement for the data subject to provide personal data, what the consequences are for failing to do so;
- if any automated decision making, for example profiling, is being carried out, and information about such automated decision making; and
- the data controller’s source of the personal data, if it has not been provided directly to the data controller by the data subject.
Where do I start?
As mentioned, your data flow audit is the ideal starting point. You should then collate your data into the following categories, which you could use as headings within your policy:
- what personal data is collected, e.g. name, addresses, email addresses, financial information, payment details, photographs, dietary requirements, medical records etc.;
- how personal data is collected. Does information come from the customer directly, via a third party or through technical means, for example cookies?
- why such personal data is collected and the legal basis for processing such data. Article 6 of the GDPR sets out the legal basis for processing personal data and article 9 of the GDPR sets out the legal basis for processing ‘special category’ personal data, which includes race, religion and health amongst others. Has the customer given their consent, or do you require the information as part of providing your services?
- when personal data is shared with third parties. For example, you may use your accountant for your payroll or an IT company to provide network and computer assistance;
- whether data is transferred outside of the European Economic Area (EEA). Do your travelling sales representatives log onto your IT network remotely from outside the EEA? In which country is your IT data hosted?; and
- how long personal data is kept for and the reasons for keeping the information for that period.
Is there anything else I should include?
If your policy is quite lengthy then consider a two-tiered approach, where a short-form policy with a link to the full version is used. The short form should contain the main information, such as the identity of the data controller, how data is collected, the legal basis for processing and the individual’s rights. The full version can be more detailed and contain tools and/or links to help individuals navigate through the document.
The Information Commissioner’s Office (ICO) is the independent authority set up to uphold data privacy, and you can view its website here: www.ico.org.uk
If you have any questions, contact our expert GDPR solicitor Abi Sinden on 01202 057751 or send an email enquiry.