experts have put together a list of documents and policies you need to be thinking about to be on your way to GDPR compliance before 25th May 2018. Get ahead of the game and find out below which may apply to you and your business. Below we explore what these documents and policies are and what, when and where you need to use them.
guidance note is also listed as part of the LawBite GDPR Documents Package
, to help you on your way to data compliance.
1. Terms and Conditions of Website Use
3. Data Processing Agreement
You should also have a GDPR compliant data processing agreement. It covers the obligations that parties need to comply with when using third parties to process personal data.
4. Data Processing Clauses
This document contains clauses to be inserted into a third party supply agreement where the third party is processing personal data. The clauses contain the relevant obligations to comply with GDPR.
5. Data Retention Policy
A data retention policy establishes and describes how a company expects its employees to manage personal data. GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This policy will help businesses identify and establish its own rules for how long data should be retained for.
6. Data Protection Policy
This is a standard policy for use by a business setting out the principles and legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data used in the course of the operation and administration of the business, including customer, supplier and employee data.
7. IT Security Policy
This is a standard policy for use by a business setting out the IT and data security principles that a business must comply with under GDPR. Businesses are required to put in place appropriate technical and organisational measures in place to prevent personal data being damaged, lost or stolen.
8. Consent to Data Processing
GDPR contains rules on how a business should obtain consent. This document contains a range of consents and guidance notes on how to use each consent form.
9. Clauses for Staff Agreements
These clauses for staff agreements have been updated to reflect GDPR, given the new rules on consent in an employment relationship. If you are issuing agreements to new members of staff or amending contracts for some other reason from 25th May 2018, these clauses can be used.
10. Employee Consent Form
GDPR rules on consent in an employment relationship mean that it would not normally be appropriate to request that an employee give their consent to their employer for their data to be processed. However, there may be limited and specific circumstances when this is required.
11. Privacy Notice to Staff
This privacy notice is for use by employers to advise employees, workers, contractors and other individuals who are employed or engaged by the business about the collection, storage and use of personal data by the employer. A privacy notice should be given to everyone whose data is collected and processed, including job applicants.
12. Memorandum to Board of Directors
The board of directors of a company needs to understand GDPR and have overall responsibility for a company’s compliance with GDPR.
This memorandum highlights the key areas that the company needs to understand with regard to GDPR so that the board understands the implications of failing to comply with GDPR.
How to document GDPR compliance?
Documentation can help you comply with other aspects of the UK GDPR and improve your data governance. You can follow ICO's checklist:
You must document the following information:
- The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
- The purposes of your processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures.