The General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in the last 20 years. This change has completely reshaped the way organisations need to handle, manage and maintain their data and data processes - affecting every sector from Healthcare to Oil and Gas. This is a space to share best practices, tips, useful tools and GDPR Support Services.
There are lots of systems out there that claim to manage data mapping and ROPA (Record of Processing Activities). However, data mapping will only be successful in your business if you can align it with your existing business processes. Look at how you document and map your existing business processes; the next step will be to data map each of these processes. If you don't have a process map of your business processes, give us a call: we can do this for you.
Knowing when you need a DPIA (Data Protection Impact Assessment) can be difficult; the questions below will help you decide whether you need one. DPIAs are all about identifying risks and ensuring processes are put in place to mitigate those risks. We can provide DPIA as a Service if you are introducing something new in your workplace.
1) Will/does it involve the collection of information about individuals?
2) Will/does it compel individuals to provide information about themselves?
3) Will/does it involve disclosing information about individuals to organisations or people who have not previously had routine access to that information?
4) Will you be/are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
5) Will/does it involve information about individuals of a kind particularly likely to raise privacy concerns or expectations?
6) Will/does it result in someone making decisions or taking action against individuals in ways which can have a significant impact on them?
7) Will/does it involve making changes to the way personal information is obtained, recorded, transmitted, deleted, or held?
8) Will/does it require someone to contact individuals in ways which they may find intrusive?
9) Will/does it involve you using new technology which might be perceived as being privacy intrusive?
Keeping costs down when it comes to Subject Access Requests can be difficult; the ICO has a detailed code of practice for managing Subject Access Requests. Legal advice will only be required if this process isn't managed effectively; however, that doesn't mean the whole process should be managed by a legal firm.
These are the key requirements when managing this process; however, having the right people to communicate for you will save you time and money.
1) Understanding what information an individual is entitled to
2) Understanding what manifestly unfounded or excessive might look like within your organisation
3) Time limits for responding
4) Exemptions you need to know: the circumstances where information should not be disclosed
5) Positive approach in communication
Capturing your organisational risks is absolutely crucial if you want to stay one step ahead in data protection. A good starting point would be to review the ICO's Data Protection Self Assessment to highlight some areas that may be at risk, such as Starters & Leavers processes. Click the "Useful Tools" links below for more information.