The General Data Protection Regulation (EU 2016/679) came into force on 25 May 2018, adding new elements and significant enhancements to the existing data protection regime.
In the run-up to GDPR you will have considered whether you needed to formally appoint a DPO – a necessity if:
Many organisations chose to ensure that an individual or department has responsibility for privacy activities without the need for a formal DPO appointment. Ensuring that the roles and responsibilities for data protection are well known and documented in your organisation is a key compliance requirement.
Documentation of the processing activities carried out by the organisation is a requirement of Article 30 of the GDPR (both UK and EU) if your organisation has over 250 employees. It is also a requirement for smaller companies if the data you process:
Your record of processing activities (ROPA) should contain a data map of the systems that hold personal data, along with information on the lawful basis for processing, the purposes and methods of processing, data sharing, and data retention policies and procedures.
It is important to ensure that there are regular reviews of this documentation as updates are likely over time.
There is further guidance from the ICO on ROPA best practice.
Your policies and procedures should clearly outline roles and responsibilities in your organisation covering a number of privacy related areas:
It is essential that contracts are in place with organisations that process data on your behalf. Contracts should set out the details of processing including:
A framework of due diligence checks is needed to confirm that these organisations have the appropriate technical and organisational measures in place to meet GDPR requirements.
Regularly reviewing the contracts and data sharing agreements you have in place with other organisations is recommended.
Making sure your staff are aware of their responsibilities with regard to processing personal data is key. Induction and refresher training should include information on data protection, potential security threats and your organisation’s information governance policies and structures. Monitoring and documenting training completion is an important element in being able to demonstrate your compliance.
There are various other Acts and regulations in the UK which have a bearing on data security. These include:
ICO home page for organisations
EU GDPR portal - http://www.eugdpr.org/