www.bifa.org


Policy & Compliance


BIFAlink


GDPR means you must document what you do


Any investigation carried out by the Information Commissioner’s Office will begin with a review of your documentation


One of the less talked about areas of the General Data Protection Regulation (GDPR) is the need to keep documented records of your data processing activities that relate to data protection.


The Information Commissioner’s Office (ICO) has indicated that in any investigation its first request will always be to review your documentation. If you have no records relating to data protection, it will take a dim view and assume you have been cavalier in handling people’s personal data. The documentation required to prove you have given thought to the issues and have put measures in place is not onerous or complex.


Privacy policy


This is a document that outlines the approach taken by the whole business in regard to data protection across all areas of the business where people’s personal data is held and processed by the business. This does not have to be a large cumbersome document as it describes the overall policy.


July 2018


You should consider having separate privacy statements in place to cover outward-facing parts of the business, for example your website. This would describe your policy in the context of data you collect or use on the website. You will also need to consider detailed privacy notices at the point where data is collected or used, e.g. a sign-up form for your mailing list. The need for privacy notices at the point you collect data is a specific requirement under GDPR.


Data processing record (DPR)


It is a legal requirement under GDPR that you have documented records covering all areas where you process personal data. This is not a record of each time you process data, but an overall description of what you are doing, the legal basis for doing it, whose data is being used, what type of data, how long you will keep the data, contact details within your organisation, whether third parties are involved and security measures to protect the data. You should have one for each data process you undertake.


Data protection impact assessment (DPIA)


Alongside each DPR you may need to document a risk assessment to the privacy of the people whose data you are processing. It is not an absolute requirement of the GDPR that you carry out a DPIA except in specific situations. If you process data listed under the special categories, then you must. If you are processing data relating to children or carrying out large scale or regular processing, then again you must. It is probably sensible to document a risk assessment for all but trivial data, as this demonstrates that you have considered the issues.


Retention schedule


GDPR expects that you will have specific rules about how long you keep data and the steps you take to delete data you no longer use. This is called retention and should not be ignored. You may need to keep some data for statutory purposes for up to six or seven years. However, this should be disposed of on completion of the period. Data such as personnel records will have a shorter lifetime after employment ends, and data on unsuccessful job applicants should be disposed of immediately. For this, a central document that lists all the data you deal with and identifies the lifetime of the data is required. This must describe the process for deleting, archiving or disposing of the data, and include a record of regular auditing. As always, we present the above as a discussion and it should not be taken as guidance in the absence of your own legal advice.


Thanks to 101 Smart Ltd

