GDPR: Just for the record

In the final instalment of our guide to GDPR legislation, which comes into force from the 25th of this month, marketing expert Charlotte Graham-Cumming looks at the key documents you’ll need.

Requirements have been tightened up around record keeping and educating and training relevant staff, so it’s good to have your bases covered.

You don’t need anything too onerous, and we’ve found that the most useful documents to create are:

Risk Assessment Document (RAD)
This should be a comprehensive document where you evaluate the key areas in your business that process personal data. You use this document to record how you process the data, where it’s stored, how it’s used, etc., and what risks you perceive in terms of non-compliance.

You can then list the actions to take within your business in order to ensure compliance by the due date (May 25th 2018). You can also state here if you decide not to take a certain action (and why), and to define the extent of individual rights such as Subject Access Requests.

Someone familiar with the regulation should draft this document and perform the analysis, in order to ensure you do it correctly.

Privacy Policy
Once you’ve completed the RAD, you’ll then be ready to draft your privacy policy. This should be a detailed explanation of how you capture, manage, process and delete data.

You may also want to produce condensed versions of this policy for employee contracts, your website and for business partners.

You’ll need to make this privacy policy clear and easy to read, and perhaps think about other formats such as animation, which is easy for people to understand.

Third party data sharing agreements
Any areas identified in the RAD where you share data with third parties should be covered by a data sharing agreement. As the Data Controller, you have responsibility to ensure that any third party you pass data to (including cloud software providers, credit companies, payroll services, accountants, etc.) processes the data in accordance with GDPR.

You’ll need a bespoke one for smaller suppliers, and for larger companies you will need a copy of their privacy policy and a statement of compliance.

If you in turn process data for other companies, you should have a statement that you provide to acknowledge your compliance with GDPR and any specific processes that are relevant to that relationship.

Training records
You need to demonstrate that you have educated the board on GDPR and your risk assessment, and obtained board sign-off on the privacy policy. You should keep a written record of all of these processes.

You are also required to adequately train your staff, providing clear guidance on how they should process data within your organisation, and how they shouldn’t.

Training should be part of the induction process for new employees, and all current employees should be trained when the privacy policy is updated.

The training should be recorded, and compliance with data privacy should be part of the employee contract process.

Hopefully, if you’ve read all of the articles, you should by now have a clear understanding of how you can manage a project to get yourself compliant, comfortably ahead of time.

If you’re running a consumer-facing business, don’t ignore GDPR – the potential financial risk to your company is high, and with a small amount of effort you can easily be compliant, so it’s a bit of a no-brainer. Particularly if you work with an expert.

Good luck!
