With less than two weeks to go, this blog focuses on your Compliance Folder. As you are aware, GDPR requires us to demonstrate our compliance, rather than assume compliance.
One of the ways that we can demonstrate compliance is to prepare our compliance folder – by doing this, we will understand the personal data that we hold and be able to map its transmission, communicate effectively with our data subjects and ensure that we have compliance procedures in place. The folder should contain the following:
Record of Processing Activity – this is a summary document which brings together your understanding of how your business processes personal data and the safeguards it has put in place
Privacy Standards – this is your internal set of standards that you expect staff to uphold when they process personal data
Copies of your fair processing notices – we all know that we now have to give significantly more information to data subjects about how their data is processed. Copies of these updated notices should be placed in your compliance folder
Data retention policy (if separate) – GDPR reinforces the fundamental principle that personal data should not be kept for any longer than is necessary. We are all obliged to consider appropriate timeframes for retention and subsequent destruction
Procedure for response to a Subject Access Request – time frames are shortening, so having a procedure in place that staff are aware of will assist our compliance
Procedure for response to a Data Breach – we are all under a new obligation to report to the ICO, and to the data subjects themselves, any breach which is likely to result in a high risk to the rights and freedoms of data subjects. An effective and streamlined procedure is essential
Data Breach Log – GDPR obliges us to maintain an internal log of all breaches whether notifiable or not
Data Breach Notification template – if we deem the breach to be high risk and we decide to notify the ICO and the data subjects, we have 72 hours in which to do it. This is not long. Prepare your notification template now so that you do not waste time in the event of a breach
Personal Data Impact Assessment template – a PDIA should be carried out when you are considering making a change to your data processing practices. If you are bringing in a new system, or if you are planning to outsource payroll, these changes should be accompanied by a PDIA
Records of staff training – all staff need to be aware of the culture shift being brought in by GDPR. Maintaining staff training records is a good way to demonstrate compliance
Template for the DPO to report to the Board – data protection should form part of your routine compliance reporting to the Board
Details of third party Processors and copies of their contracts – the liability of data processors is increasing under GDPR and your third party processor contracts will need to be updated accordingly and stored within your compliance folder.
This folder should be kept up to date and should be made available to the ICO in the event that they issue an information notice.
To read my previous blogs on GDPR please visit the blog section of our website.
If you have any questions or need any help with regard to the GDPR, then please contact me.