Goodness, it feels like the GDPR has been around forever!
Darn, it’s less than two weeks before I have to be GDPR compliant!
Pah – the GDPR is a lot of work!
Ready? Am I really ready?
I think we can all admit that we’ve probably thought these things (or worse!) when it comes to the General Data Protection Regulation (GDPR).
What information do I need to provide in my policy?
Under the GDPR, which is geared towards transparency and fairness to individuals, organisations have to provide users with more extensive information about the processing of their personal data than the current Data Protection Act 1998 requires. The GDPR (articles 13 and 14) explicitly requires data controllers to inform data subjects of the following:
- the data controller’s identity and contact details;
- details of the data protection officer, if the organisation is required to have one;
- the purpose and legal basis for processing;
- if the legal basis for processing is legitimate interest, what that interest is;
- recipients, or categories of recipients of the personal data;
- whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data;
- how long the personal data will be retained and, if no time frame can be provided, how the retention period will be calculated;
- the data subject rights (access to, rectification, erasure, restriction, data portability, withdraw consent, complaints);
- if there is a statutory or contractual requirement for the data subject to provide personal data, what the consequences are for failing to do so;
- whether any automated decision making, for example profiling, is being carried out, and information about that automated decision making; and
- the data controller’s source of the personal data, if it has not been provided directly to the data controller by the data subject.
As mentioned, your data flow audit is the ideal starting point. You should collate your data into the following categories, which you could also use as headings within your policy:
- what personal data is collected, e.g. name, addresses, email addresses, financial information, payment details, photographs, dietary requirements, medical records etc.;
- how personal data is collected. Does information come from the customer directly, via a third party or through technical means, for example cookies?;
- why such personal data is collected and the legal basis for processing it. Article 6 of the GDPR sets out the legal bases for processing personal data, and article 9 of the GDPR sets out the legal bases for processing ‘special category’ personal data, which includes race, religion and health amongst others. Has the customer given their consent, or do you require the information as part of providing your services?;
- when personal data is shared with third parties. For example, you may use your accountant for your payroll or an IT company to provide network and computer assistance;
- whether data is transferred outside of the European Economic Area (EEA). Do your travelling sales representatives log onto your IT network remotely from outside the EEA? In which country is your IT data hosted?; and
- how long personal data is kept for and the reasons for keeping the information for that period.
Is there anything else I should include?
Your policy should also set out the rights individuals have under the GDPR, namely the rights to:
- access personal data held about them and have it deleted and/or corrected;
- object to processing (for example, direct marketing);
- data portability (i.e. have it transferred to another entity);
- complain about processing carried out by the data controller; and
- object to automated decision making.
The policy itself should:
- be easily accessible and displayed prominently. If the link to your policy involves scrolling down through a large amount of text then arguably this is not “accessible”;
- use language that is clear, straightforward and free from legal jargon;
- be formatted in a way that it can be printed; and
- provide an accurate translation if the organisation targets data subjects in non-English speaking countries.
If your policy is quite lengthy, consider a two-tiered approach where a short form policy with a link to the full version is used. The short form should contain the main information, such as the identity of the data controller, how data is collected, the legal basis for processing and the individual’s rights. The full version can be more detailed and contain tools and/or links to help individuals navigate through the document.