In the final instalment of our guide to GDPR legislation, which comes into force on the 25th of this month, marketing expert Charlotte Graham-Cumming looks at the key documents you'll need.
Requirements have been tightened up around record keeping and the education and training of relevant staff, so it's good to have your bases covered.
You don’t need anything too onerous, and we’ve found that the most useful documents to create are:
Risk Assessment Document (RAD)
This should be a comprehensive document in which you evaluate the key areas of your business that process personal data. You use it to record how you process the data, where it is stored, how it is used, who it is shared with etc., and what risks of non-compliance you perceive in each area.
You can then list the actions to take within your business in order to ensure compliance by the due date (May 25th 2018). You can also state here if you decide not to take a certain action (and why), and set out how you will handle individual rights such as Subject Access Requests.
Someone familiar with the regulation should draft this document and perform the analysis, to ensure it is done correctly.
You may also want to produce condensed versions of this document for employee contracts, your website and business partners.
Third party data sharing agreements
Any area identified in the RAD where you share data with a third party should be covered by a data sharing agreement. As the Data Controller, you are responsible for ensuring that any third party you pass data to (including cloud software providers, credit companies, payroll services, accountants etc.) processes that data in accordance with GDPR.
If you in turn process data for other companies, you should have a statement that you can provide to them, acknowledging your compliance with GDPR and describing any specific processes relevant to that relationship.
You are also required to train your staff adequately, providing clear guidance on how they should process data within your organisation, and what they must not do with it.
The training should be recorded, and compliance with data privacy should be part of the employee contract process.
Hopefully, if you've read all of the articles, you now have a clear understanding of how you can manage a project to get yourself compliant, comfortably ahead of time.
If you're running a consumer-facing business, don't ignore GDPR. The potential financial risk to your company is high, and with a small amount of effort you can easily be compliant, so it's a bit of a no-brainer. Particularly if you work with an expert.