YOUR DATA PROTECTION OBLIGATIONS
+ What’s the GDPR?
The EU General Data Protection Regulation (GDPR) is a piece of EU law that came into force on the 25th May, 2018. It is a Regulation, not a Directive which means it has a direct effect on national legislation in each member state. Brexit will not impact its applicability in the UK, the government has made clear that the GDPR shall remain applicable to its full extent.
What is important to remember, is that the GDPR is not a black and white check list of obligations. It is a "risk-based "regulation. This means that it sets out the wider principles that it expects you to follow and then places legal accountabilityon you to make sure you understand what you need to do and that you are regularly assessing the risks associated with your activities to the ‘rights and freedoms’ of the people whose data they hold.
What is more, the GDPR is about evidencing your thought process when you were assessing those risks.
“If we come knocking on the door, if we investigate or conduct an audit in an organisation, the best way you can demonstrate to us that we won’t need to dive deeper and you’ve got covered all the compliance issues is to have a comprehensive accountability programme ”
— STEVE WOOD Deputy Information Commissioner March 2017
+ How do you evidence an accountability programme?
Quite simply, with having the right documentation.
We've successfully completed over 50 GDPR-related projects for startups this year and from our experience, this is the list of the documents we think you need to demonstrate a comprehensive accountability programme:
Article 13 of the GDPR says that you need to display notices about what you do with the personal information you collect, at the time of collection in a clear way, so people are able to understand it. Whereas the rest of the Regulation is risk-based, this is the only absolute right provided in the GDPR. That means, it is required.
Much like a privacy notice, your cookie notice should tell people what type of data is being collected from them through the cookies that your website uses and what you intend to do with it.
The E-Privacy Regulation (also known as the Cookie Law) which was due to come into force alongside the GDPR in May 2018 but was delayed until further notice, is likely to change the way cookie consent is managed as well as how cookie notices are displayed. It is believed that cookie banners will no longer be necessary (those ugly cookie consent boxes you get when you go onto a website which are now required by law) and replaced by something similar but that will allow users to set their browser settings.
We are monitoring the progress of this regulation and will be updating our readers when we know more about what this means.
+ Data Protection Policy
This is different to your privacy notice as it is not displayed on your website or anywhere else. It is instead an internal document that all companies should have which describes the way your organisation collects, manages, stores and uses the personal data it collects and what measures it has in place to ensure adherence to the policy and security.
This policy should be part of your employee handbook if you have employees, part of your contracts with your freelancers and annexed to any supplier contracts you might have.
It is now becoming the norm for business clients to ask prospective partners or suppliers to show them their Data Protection Policy before they enter into any agreement with them. It is strongly advised that you get this document created sooner rather than later as trying to get it in place after you're asked for it, risks losing you an important client.
+ Data Retention Policy
This is another fundamental document which will outline what types of data you collect and how long you will keep it for. The GDPR says that you can't hold personal data forever but how long do you need it for? UK tax law says that when you have a contract with someone you should keep their data for up to 6 years. But what about personal data that you hold for other reasons such as someone tried to find out more about your service?
Again, larger clients may ask for this document before they enter into an agreement with you so it is advisable if you are working with bigger corporates that you get this document created before you are asked for it.
+ Data Processing Agreements
Article 28 of the GDPR says that where processing is to be carried out on behalf of a controller, the controller shall only use processors with whom there are sufficient guarantees to implement appropriate technical and organisational measures so that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. It goes on to say further that ' Processing by a processor shall be governed by a contract or other legal act under Union or Member State law'. The relevant clause has a list of requirements that need to be embedded in the written contract.
Data Processing Agreements (DPAs) are designed to specifically to satisfy this requirement and outline the relationship between a Controller and Processor, clarify obligations and set out roles and responsibilities.
DPAs are suitable in situations where service agreements are already in place that do not include sufficient privacy-related clauses. DPAs are effectively a side-agreement that will enable you to avoid having to re-negotiate the full contract but instead agree on a separate set of terms that governs that part of the relationship (Controller-Processor).
+ IT and Security Policy
Your IT and Security Policy comprises a set of rules that ensure that all users or networks of the IT structure within your organisation’s domain, secure the data that is held and follow your guidelines to protect the information which is held digitally.
It also names the relevant points of contact for any member of your team that suspects or becomes aware of a data breach and puts in place a plan of action in the event that any personal data is compromised.
+ Data Breach Policy
This policy can often make or break a company as it much less likely to botch up a post-breach course of action when the eventuality has been thought through before and rational plans have been devised for such an event.
When a data breach occurs, you may need to notify the relevant Supervisory Authority or even the data subject whose data
+ Employment and Freelancer Contracts
The GDPR is not all about how you protect the data you hold about your clients, it also concerns the data you hold about your employees and contractors.
What's more, employment and freelancer contracts should include obligations for your employees to ensure that they observe your Data Protection Policy as well as any other relevant policies such as your policies on IT and Security Policy and Data Breach Policy.
Not all the documentation above is absolutely necessary for every single company. Equally, some companies may need more documentation depending on the nature of their business.