We will work with you and your staff to identify and document any personal data you process, i.e. collect, hold, transfer and delete. This will give us an aerial view of the information flow in your business and bring up any gaps.
This means we will establish:
- what data you hold and why you hold it
- how it was collected
- where and how it is stored
- how long you intend to keep it and when you will destroy it
- how robust your processes and technology are at keeping the data secure
- who you share it with and who has access to it
- who has overall responsibility for the data
- where you document this information and how often you review it
Review of processes and procedures
We will review your processes and procedures to ensure that they are up to date, identifying any gaps and room for improvement, both in terms of data protection and operational effectiveness. This will tell us exactly what is missing and what can be improved, both in terms of efficiency and data compliance. Are you confident of the ‘legal basis’ you rely on to process personal data? Depending on the data and the purpose of the processing, you may need a different legal basis for each processing activity.
The six legal bases for processing personal data are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
This means establishing the robustness of your internal organisational processes and procedures as well as the adequacy of the technical systems used to keep the data secure. Do you know which software you use, what firewalls and encryption are in place, and what your backup arrangements are? Our review will give you concrete answers to these questions.
Preparing or revising policy and procedure
The GDPR requires organisations to document how personal information is collected, stored, processed, transferred and deleted. Would you know how to delete information if the data subject withdraws consent? This usually entails a Privacy Notice, Data Protection Policy, Retention Schedule, Subject Access Request Form and Breach Reporting Procedures, and we can assist here.
Establishing privacy by design and default
The GDPR requires organisations to embed data protection in all areas of work, not treat it as a bolt-on at the last stage of a new development. This means any new policies, procedures, IT purchases and projects must be organised and designed so that the protection of personal data, and adherence to the principles of the GDPR, are at their heart. All policies will have to explain how personal data is processed.
Data Protection Impact Assessment (DPIA)
The GDPR requires organisations to carry out a DPIA where a proposed processing activity is likely to result in a high risk to individuals. A DPIA is a risk assessment of the proposed processing of personal information by an organisation. The DPIA should help a business identify the most effective way to comply with its data protection obligations, identify and mitigate risks to data and meet individuals’ expectations of privacy.
Guidance from the Article 29 Working Party (the group of EU data protection regulators) advises businesses to conduct a DPIA if their proposed activity is likely to result in a “high risk” to individuals. It gives nine criteria to be considered; as a rule of thumb, processing that meets two or more of them is likely to require a DPIA:
- Evaluation or scoring, including profiling; e.g. credit checks, website usage data
- Automated decision-making with a legal or similarly significant effect; e.g. exclusion or discrimination
- Systematic monitoring of individuals; e.g. an employer’s CCTV used to monitor employees
- Processing sensitive data or data of a highly personal nature; e.g. medical/health records, political beliefs or trade union activities
- Processing data on a large scale
- Matching or combining datasets
- Processing data concerning vulnerable individuals; e.g. children, employees or people with mental health conditions
- Innovative use or application of technological or organisational solutions; e.g. fingerprint and face recognition combined for physical access control
- Processing that in itself prevents individuals from exercising a right or using a service or a contract
Staff training and assessment
Frontline staff are often in contact with personal data more than anyone else in an organisation, so it is vital that they are confident in their use of that data and fully aware of their responsibilities in relation to data processing. Training your staff enables them to make sensible, well-informed decisions about their use of personal data.
We will tailor sessions to the needs and size of your organisation. These can range from a half-day small-group session, with pre-reading to encourage questions and discussion based on real examples relevant to your business, to a 1:1 discussion with the business owner/CEO.
A free 30-minute phone consultation to establish how the GDPR will impact your business, suggest free resources and answer your GDPR questions.
We work out what your business needs to be compliant
One of our team will conduct an information audit and produce a gap analysis. We will confirm what policies and procedures you have in place and evaluate whether they comply with the new legislation. We will produce a concise report stating what, if anything, your organisation has to do in terms of processes, policies, IT, consent and reporting data breaches in order to comply with the GDPR. This will also include advice on IT security (backup, encryption and firewalls) for your computers, phones and software, CRM and internet hosting service.
We produce what your business needs to be compliant
Having worked out where the gaps are, and having agreed with you how you would like to do things within the legislation, we will brief you and your team on the key processes you must implement. We will produce the essential documents: privacy notice, data protection policy including your retention statement, and templates for data subject requests, reporting breaches and requesting consent from existing and potential clients for marketing purposes.
Once you are all set up, you might like the peace of mind of having an expert to answer anything that crops up over time. We can give you phone and email support for all of your GDPR needs.
Contact us to see how we can help you.