Documentation, is that something new?
One of the less talked about areas of GDPR is the need to keep documented records of your data processing activities that relate to data protection. The Information Commissioner's Office (ICO) has indicated that in any investigation its first request will always be to review your documentation. If you have no records relating to data protection, it will take a dim view and assume you have been cavalier in handling people's personal data. The documentation required to prove you have given thought to the issues and have put measures in place is not onerous or complex.
At this stage no-one knows how the ICO will police the GDPR when it comes into force. However, it is very likely that the ICO will want to consider whether an incident was accidental and to some extent unforeseen, or whether it was the result of negligence or, much worse, recklessness. The value of documentation is that you can demonstrate that you have considered the issues, which may move you down the scale from the reckless and negligent categories in terms of the sanctions against you.
You should consider having separate Privacy Statements in place to cover outward-facing parts of the business, for example your website. Such a statement would describe your policy in the context of the data you collect or use on the website. You will also need to consider detailed Privacy Notices at the point where data is actually collected or used, for example a sign-up form for your mailing list. Privacy notices at the point of collection are a specific requirement under GDPR, and the ICO has some good examples on its website.
Data Processing Record
It is in fact a legal requirement under GDPR that you have documented records covering all areas where you process personal data. This is not a record of each time you process data but an overall description of what you are doing, the legal basis for doing it, whose data is being used, what type of data, how long you will keep the data, the contact details within your organisation, whether third parties are involved, and the security measures in place to protect the data. This type of document has many names, but we prefer to call it a Data Processing Record (DPR), and you should have one for each type of data processing that you do.
Data Protection Impact Assessment
Alongside each DPR you may need to document an impact assessment of the risks to the privacy of the people whose data you are processing. Carrying out a Data Protection Impact Assessment (DPIA) is not an absolute requirement of the GDPR except in specific situations. If you process sensitive data about people's finances, health, criminal records or political affiliations, then you must. If you are processing data relating to children, or carrying out large-scale or regular processing, then again you must. Sadly, the terms "large scale" and "regular" have no hard definitions and so can be interpreted in many ways. It is probably sensible to document some form of impact assessment for all but the most trivial sets of data, as this demonstrates that you have considered the issues.
The list above mentions the lifetime of the data. The GDPR expects that you will have specific rules about how long you keep data and about the steps you take to delete data you no longer use. This is called Retention and shouldn't be ignored. You may need to keep some data in your accounting system for up to 6 or 7 years for tax and other reasons; however, it should be disposed of once the retention period has elapsed. Other data, such as personnel records, will have a shorter lifetime after an employee leaves, whereas the records of unsuccessful job applicants should probably be disposed of very quickly unless you can demonstrate a real reason to keep them. In order to keep track of this, you should keep a central document that lists all the data you deal with and identifies the lifetime of each. For each item, describe the process for deleting, archiving or otherwise disposing of the data, and keep a record of regular checks to ensure that this has been done.
As always, we present the above as a discussion and it should not be taken as guidance in the absence of your own legal advice.
By Roger Sutton