1: Data controller or data processor?
Which are you? A data controller decides how and why you process data. A data processor is only responsible for processing data on behalf of a controller. This distinction will affect the information you need to record and it’s possible to be both. For example, you are a data controller for your employees as you hold their data and decide how and why to process it to comply with employment legislation, as well as functions such as payroll, even if outsourced. Foxley Kingham will be a data processor when we process your business payroll.
2: Carry out a data audit
You must be aware of what data is held, on whom, and for what purpose, and ensure you document the information as required by law. This kind of data audit can be time-consuming; however, the Information Commissioner's Office (ICO) has some templates which can be helpful.
3: Record the legal basis
Every process should have a legal basis: a legal requirement, a contract, a legitimate interest, or the individual's consent. Other reasons are vital interest (to protect someone's life) or a public interest task. Once chosen, the legal basis should not be changed, so it is important to get it right.
4: Record retention policies
Personal data should be kept for no longer than is necessary for the purpose for which it is processed. Establish what that is, ensure you can justify that period, and create a record deletion policy as appropriate.
5: Assess if there are any high-risk areas
If you have any high-risk areas (where the processing is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale processing of sensitive data, CCTV monitoring, or data profiling) you will need to do a Data Protection Impact Assessment and may need to appoint a Data Protection Officer.
6: Check on consents
If you are relying on consent as your legal basis for some of your processing activities, for example marketing mailings or emails, ensure that there is a clear audit trail. You need to be able to evidence who consented, when, how, and what they were told. Consents now require a positive opt-in, and a separate consent is required for each purpose. If your existing consents are not up to scratch, put new ones in place.
7: Create or update privacy notices
Individuals must be informed what personal data is being held on them, why, and for how long, along with their rights. You should draft a policy in accordance with the ICO requirements in plain language and decide whether you need to send it to individuals or make it available for viewing on your website.
8: Check your data security
Look for weak points in your systems that could be vulnerable to a data breach. Consider and document what security measures will be in place for cybersecurity policy and risk, mobile and home working, removable media, access controls, and malware protection. Put mitigation measures in place.
9: Draft internal policies
Make sure you have appropriate policies in place so that staff know how to deal with a situation should it arise, and understand what they can and cannot do with personal data. Think through how you would deal with a data breach, or an individual rights request (access, rectification, erasure, etc.).
10: Train staff
Ensure all staff are trained and aware of the policies to ensure compliance and minimise risks of a data breach.
More information can be found on the ICO website: www.ico.org.uk