With less than two weeks to go, this blog focuses on your Compliance Folder. As you are aware, GDPR requires us to demonstrate our compliance, rather than assume compliance.
One of the ways that we can demonstrate compliance is to prepare our compliance folder – by doing this, we will understand the personal data that we hold and be able to map its transmission, communicate effectively with our data subjects and ensure that we have compliance procedures in place.
Your compliance folder should contain:
- Name and address of data controller;
- Name of the Data Protection Officer if you have appointed one;
- Record of Processing Activity – this is a summary document which brings together your understanding of how your business processes personal data and the safeguards it has put in place;
- Privacy Standards – this is your internal set of standards that you expect staff to uphold when they process personal data;
- Copies of your fair processing notices – we all know that we now have to give significantly more information to data subjects about how their data is processed. Copies of these updated notices should be placed in your compliance folder;
- Data retention policy (if separate) – GDPR reinforces the fundamental principle that personal data should not be kept for any longer than is necessary. We are all obliged to consider appropriate timeframes for retention and subsequent destruction;
- Procedure for response to a Subject Access Request – time frames are shortening, so having a procedure in place that staff are aware of will assist our compliance;
- Procedure for response to a Data Breach – we are all under a new obligation to report to the ICO, and to the data subjects themselves, any breach which is likely to result in a high risk to the rights and freedoms of data subjects. An effective and streamlined procedure is essential;
- Data Breach Log – GDPR obliges us to maintain an internal log of all breaches whether notifiable or not;
- Data Breach Notification template – if we deem the breach to be high risk and we decide to notify the ICO and the data subjects, we have 72 hours in which to do it. This is not long. Prepare your notification template now so that you do not waste time in the event of a breach;
- Personal Data Impact Assessment template – a PDIA should be carried out when you are considering making a change to your data processing practices. If you are bringing in a new system, or if you are planning to outsource payroll, these changes should be accompanied by a PDIA;
- Records of staff training – all staff need to be aware of the culture shift being brought in by GDPR. Maintaining staff training records is a good way to demonstrate compliance;
- Template for the DPO to report to the Board – data protection should form part of your routine compliance reporting to the Board;
- Details of third-party Processors and copies of their contracts – the liability of data processors is increasing under GDPR, and your third-party processor contracts will need to be updated accordingly and stored within your compliance folder.
This folder should be kept up to date and should be made available to the ICO in the event that they issue an information notice.
Next week, we will look at demonstrating compliance and the last steps to be taken prior to GDPR implementation on 25th May.
To read my previous blogs on GDPR please visit the blog section of our website.
If you have any questions or need any help with regard to the GDPR, then please contact me.