Develop policies & procedures
The documentation of processing activities is a legal requirement under the GDPR (General Data Protection Regulation). Denis Croombs Ltd has Data Protection professionals who can assist you with developing your policies and procedures, that suit your organisation and keep you compliant with the law.
Documenting your processing activities can also support good data governance, and help you to demonstrate your compliance with other aspects of the GDPR. Defining exactly what must be done in the event of someone requesting data you hold, or in the event of a data breach, means your team can hit the ground running. Everyone knows exactly what must be done and who is responsible for doing it. In addition, documenting your activities as they relate to data processing will show your customers, employees and others that you take Data Protection seriously.
We can assist you in developing these policies and procedures and ensure that they are closely aligned with your business. While you may certainly download a standard template, a more thorough review of your business’ data processing will identify risks and issues and can better prepare your organisation for compliance with the law.
There are a number of documents that each organisation, regardless of size, must have on hand in order to be compliant with the GDPR. They are:
Personal Data Protection Policy (Article 24): This policy states how your organisation protects personal data. It explains the requirements of the GDPR to your employees and your organisation’s commitment to compliance.
Privacy Notice (Articles 12, 13, and 14): A privacy notice is a public statement of how your organisation applies (and complies with) the GDPR’s data processing principles.
Employee Privacy Notice (Articles 12, 13 and 14): It is a core GDPR principle for employers to process HR-related data fairly and transparently. An employee privacy notice explains to an individual how a data controller (in this case, your organisation) processes an employee’s personal data.
Data Retention Policy (Articles 5, 13, 17, and 30): A data retention (or records retention) policy outlines your organisation’s protocol for retaining information. It is a requirement that your organisation only retains data for as long as it’s needed. Your organisation must determine how long the data must be retained and also how to safely dispose of that data when it is no longer needed. Included in this policy should be a Data Retention Schedule, defining how long each data item will be retained.
Supplier Data Processing Agreement (Articles 28, 32, and 82): This is an agreement you have with any organisation that processes personal data on your behalf. This is the most overlooked aspect of Data Protection in our experience. A contract that identifies what is permitted to be processed, for how long, and what the requirements for communication in the event of a breach are covers just some of the items that should be identified prior to allowing the supplier to process your data.
Data Breach Response and Notification Procedure (Articles 4, 33, and 34): You must create a procedure that applies in the event of a personal data breach under Article 33 – “Notification of a personal data breach to the supervisory authority” – and Article 34 of the GDPR – “Communication of a personal data breach to the data subject”. There are time limits for the notification to both the supervisory authority and the data subject. This is why a comprehensive procedure that works for your organisation is essential.
Data Breach Register (Article 33): Documenting data breaches as well as near misses is crucial to identifying risks in your data processing. A data breach is a serious incident, but it can also be a great learning experience for your organisation. Documenting all events will go a long way to demonstrating your commitment to data protection.
There are other items that may be necessary, especially if you process special category data (this includes health data).
To get started developing the policies and procedures you are required to have, get in touch.