Published on Oct 12, 2021
As part of our series of articles about how to carry out a GDPR compliance audit or GDPR readiness assessment, we recently discussed how to conduct a data mapping exercise in order to identify what personal data your organisation holds. We followed this up with an article about how to establish a lawful reason for processing. In this article, we turn our focus towards internal and external documentation.
It may come as a surprise, but achieving compliance with the UK General Data Protection Regulation (UK GDPR) isn't helped by implementing boilerplate policy documentation. Instead, it requires appropriate procedures and notifications that reflect how your organisation approaches specific compliance issues. Taken together, this documentation forms the heart of an effective privacy management operation and the foundation for ongoing GDPR compliance. It ensures businesses have considered how they protect the personal information they hold and have taken action to safeguard the rights of data subjects. Well-documented policies and privacy information are defined as a responsibility of the controller under Article 24(2) and are also a substantial factor in demonstrating accountability under Article 5(2), so the significance of having accurate and relevant documentation shouldn't be underestimated.
Consequently, you should regularly review your data protection policies, procedures, and related privacy information to ensure your organisation retains ongoing GDPR compliance. Conducting regular reviews also helps ensure privacy-related processes are concise and remain relevant, which means they will be easier to follow by your employees.
In the first instance, let's look at the types of areas that should be included within your data protection policies and procedures in order to be compliant.
Privacy laws like the GDPR are long and complex. Your data protection policy is, therefore, a summarised version of all relevant legislation that applies in the region(s) in which your business operates. It explains your commitment to privacy compliance, the practices you follow and the requirements expected of employees in terms they will understand.
In the event of an investigation by the Information Commissioner's Office (ICO), your data protection policy is the first place they will look. It is how the ICO will determine whether you process personal data lawfully and whether an alleged violation resulted from a mistake or from widespread neglect. It's worth noting that human error will likely result in a far more lenient outcome than systemic failure, which will almost certainly lead to a monetary penalty.
While there are no set criteria, you could consider including the following in your data protection policy documentation:
The next step is to check each area of the policy documentation:
For instance, reviewing how long you need to keep hold of personal data, and what needs to happen to ensure it is securely deleted, would look something like this.
Your data retention policy sets out your organisation's rules about how long information should be held. The GDPR doesn't define a specific storage limitation period. Instead, your policy should outline retention periods based on documented and justifiable requirements deemed necessary for your business. When determining if the set retention limits are still relevant, consider the purpose for processing the data, along with any legal or regulatory requirements. The key point is not to keep hold of personal data for longer than it is needed for the purpose.
There are two exceptions that remove the need to adhere to data retention periods. The first is to anonymise the data so that it can no longer be connected to an identifiable person; anonymised data can be retained indefinitely under the GDPR. The second is where the information is archived for public interest purposes, or for scientific or historical research or statistical purposes, subject to Section 19 of the Data Protection Act 2018 (p30).
As the retention deadline approaches, you have three options: delete, anonymise or archive the data. Check which of these is the appropriate action and that it actually happens in practice. When deleting personal data, be sure to destroy, remove or erase all copies. This means you will need to know where the data is stored and whether it is digital or paper-based.
A retention schedule will help you keep track of how long different types of personal data can be kept and provides guidelines for how they should be discarded.
Once the policy review is complete, it's time to focus on your external privacy information. This includes your privacy notice along with any forms where personal data is captured.
Whereas privacy policies are internal documents outlining the rules and requirements expected of employees, privacy notices are external documents that explain to individuals what you do with any personal data you hold about them and why. The UK GDPR provides more precise instructions about an individual's right to be informed under Articles 12, 13 and 14 (p12-15).
The conventional approach to presenting privacy information is outdated and, as it turns out, unfit for purpose. By this, we mean that many privacy notices are complex legal disclaimers, with numerous interlinking documents that make it hard for the reader to understand how their information is being used. In reality, privacy notices should be transparency tools that build customer trust and loyalty by clearly explaining how personal data is processed. We recently wrote an article about how to write your privacy notice to win customers and influence people, covering this very topic. When reviewing your privacy information, accessibility is just as important as content.
After completing a thorough policy review, it is helpful to prepare a list of observations and conclusions. You will also need to follow up to determine why specific policies are not being followed, and implement an action plan to meet the documented compliance guidelines.
By following the requirements outlined within your data protection policies and procedures, alongside transparent privacy information presented in an easily accessible format, your organisation will demonstrate to the ICO that it can identify and control risks that could otherwise lead to a breach of data protection.
As a training provider, Freevacy recommends the BCS Practitioner Certificate in Data Protection along with the IAPP Certified Information Privacy Professional Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) certified training courses, which, when combined, provide the knowledge required to review data protection policies and procedures successfully.
In our next article, we look at how to carry out a data security audit.