GDPR – The Role of Your Data Protection Policy
One question I have been asked recently is “what should be in our GDPR compliant Data Protection Policy?” In fact, it’s something I have been asked more than a handful of times, so I thought I’d share my thoughts with you.
When we think of data protection policy and documentation we tend to automatically consider data security, which is an important part, but it must be remembered that it is not the start and end of it. So, yes, the security protocols you have in place should be outlined in your GDPR Policy, as they are today in your DPA Policy. But what’s new?
The first major change I’m advocating is the inclusion of a “data map”. The data map is, in essence, a high-level overview of the fields of personal data your firm processes, mapped against the legal basis you hold for processing that data. It’s a good first step, but why? Because where you are processing data under consent you must afford the data subject additional rights, such as the right to be forgotten. Equally, you must inform them, in the Fair Processing Notice, of any firm to whom you may send their data. By mapping the data you make it clear to which customers these rights apply, so any third party, or regulator, looking at your processes can see you have properly considered these rights and afforded them to applicable data subjects. Importantly, it also allows you to justify why the majority of the data you process is not based on consent and why, therefore, certain rights do not apply. Again, if any third party were to ask why you don’t provide customers the right to be forgotten on certain pieces of data, you are able to show your reasoning.
Additionally, the GDPR policy will need to include a high-level overview of your processes in relation to subject access requests, requests to be forgotten, requests to rectify data, requests to restrict the use of data, portability requests and requests in relation to automated decision making / profiling. The latter is another area you can exclude from the majority of data using the data map described above.
As mentioned before, GDPR compliant Data Protection policies will still need to cover security arrangements but will also now need to include details on how you will ensure an audit trail and comply with privacy by design, the concept of creating your systems and processes with data protection in mind.
Supplier management, specifically the inclusion of standard terms in SLAs, is an important change under GDPR, so most policy documents will want an update in this area. Given the risk related to the new larger fines, coupled with the fact that both processors and controllers are responsible for a processor’s breach, firms are ramping up their oversight procedures.
And, of course, you need to report data breaches “in good time” with a target of 72 hours. The upshot is a new, improved, breach reporting process within your policy documentation including requirements that suppliers inform you of breaches within a short timescale.
Finally, you will want to include a section on your DPO, either outlining their responsibilities or justifying why you do not fall within the requirement to have one.
Four months and counting…until GDPR is live. Firms are now creating the first draft of the raft of policies and procedures required to ensure compliance with the new standards. Procedures include:
A process for dealing with subject access requests including instances where they may be considered complex
A process for dealing with requests for data to be erased including when the right does not apply
A process for dealing with requests for rectification
A process for dealing with requests for restriction
A process for dealing with objections
A process for dealing with portability requests
A process for dealing with requests in relation to automated decision making and/or profiling
A breach reporting process
A DPIA template, with its use factored into your change management process
We have templates for all of the documentation mentioned in this article. If you would like assistance, all you need to do is contact us.