As the 25th May deadline looms, you should already be well underway with ensuring your organisation / business is GDPR compliant. There are a number of documents required for GDPR that you should have in place… Further GDPR topics can be viewed on the blog.
The documents required for GDPR
Data Protection Impact Assessments (DPIA)
The GDPR introduces a new obligation to perform a DPIA before carrying out processing likely to result in high risk to individuals’ interests. By performing an assessment you should then be able to identify your obligations and what is required to comply with GDPR.
GDPR Compliant Contracts
Whenever a controller uses a processor it needs to have a written contract in place. As part of the GDPR you need to ensure that your sub-processors are compliant. Our new terms of service will affirm our commitment to the GDPR and will be available to all customers before the end of April 2018. These will be published on the website and a communication will be sent out when they come into force. The new terms of business form our contract with you.
Consent Forms
One of the big changes in the new regulation requires companies and organisations to be able to prove they have consent to send marketing communications. For us here at Clook we are adopting a start-again approach – all customers presently on our marketing email database will be contacted and asked to confirm that they would like to continue receiving such mails. New customers signing up via the website will be presented with a form asking them to opt in.
A Data Protection / Privacy Policy
You should have in place a Privacy Policy which is clear and understandable for data subjects. It should state how you process their personal data, how long it is stored and who it is shared with.
A Subject Access Request Policy
Under the GDPR, an individual has the right to access their personal data along with details on how it is being processed. It is important that an organisation has a procedure in place on how to handle such a request. A response to a request must be given within 30 calendar days, so having a policy available will assist in meeting this requirement.
A Data Breach Policy
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible. As with the Subject Access Request Policy you should have a procedure in place to deal with a breach should it occur.
For larger organisations (and mandatory for those with over 250 employees) it may be necessary to appoint a Data Protection Officer. Where a DPO is in place it is recommended that a DPO Job Description is drawn up with a list of responsibilities. This will help the officer, management and other staff understand how the business is meeting GDPR requirements.
These are the documents required for GDPR. Having them in place will go a long way in ensuring you / your business conforms to the new regulation.