1. About This Guidance Document
Within your Bundle pack, you will have received our ‘Bundle Instruction’ document, which accompanies this guidance paper. The instructions provide links to our GDPR resources and give guidance on using the checklists and customising your compliance documents.
As there are numerous documents in the Bundle, it can be overwhelming for some organisations to know where to start, which is why we have created this guidance sheet. If you already have a data protection implementation plan or are knowledgeable about what your obligations and requirements are, there is no requirement for you to follow the guidance in this document. However, we have used our own extensive experience, the ICO and the European Data Protection Board’s (EDPB) (formerly the Article 29 Working Party (WP29)) guidance and other GDPR resources to offer some suggested actions on where to start with both GDPR compliance and the documents in your Bundle.
2. Extraction & Location
It may sound like an obvious place to start, but once you receive your Bundle, you should extract and save each of the documents to your own computer/system. We have added each of the individual documents to folders to make receipt easier; however, every organisation will store and use the documents differently, so it is important that you know where each document is located on your system and, if preferred, rename them.
Extracting and saving each document ensures that you do not have any issues with read-only or protected mode, which is a common security default if opening and using the documents directly from emails or .zip folders.
2.1. Objectives
With so many documents supplied in the Bundle, it is important that you know where to start and which documents require customisation and specific implementation. This guidance gives suggestions only for where to begin and how to proceed through the bundle. You are of course welcome to start with any of the included documents and work through them in any order.
The overall aim is to develop a structured and compliant data protection program that can be used and understood by all employees and third-parties. Having adequate policies and procedures is only part of the compliance program, and you may already have a data protection regime in place that can be built upon. It is important to remember that you will not necessarily need to start from scratch in all areas.
3. Where to Start
You may be overwhelmed by the volume of documents in the Bundle, but there are 5 main areas that can start the ball rolling and provide you with a lot more guidance and understanding about how to implement the GDPR successfully and which areas need improvement.
NOTE: We have not added a template Appropriate Policy Document (APD) to the Toolkit because: –
- The APD is designed to provide information about the legal basis and safeguards that an organisation has in place for special category data and/or sensitive processing. This is already covered in the GDPR Policy & Procedures template, and you will also detail the condition for processing, lawful basis and data retention in the ‘Information Audit’ and ‘Processing Register’ templates
- For those firms that want to use a separate APD, the ICO has already published a free template in November 2019, and we never charge for templates that are already freely available – https://ico.org.uk/media/for-organisations/documents/2616286/appropriate-policy-document.docx
3.1 Appoint a Data Protection Officer or Responsible Person
Depending on the size and nature of your organisation, you may need to appoint a Data Protection Officer (DPO). Your DPO or appointed person should be one of the first roles created, as it is likely to be their responsibility to plan for and implement the GDPR; as well as preparing for ongoing compliance.
However, even for those organisations who are not obligated to have a DPO, it can still be useful to designate the data protection function to a specific person or team. Those who do not meet the Article 37(1) requirement to appoint a data protection officer will still need to comply with data subject requests, breach notifications, documentation requirements etc., for which a lead/team can be made responsible.
3.2 Awareness
Those in the organisation with key positions and/or the decision makers need to be aware of the time, resources and budget needed to effectively implement the GDPR and to ensure continued compliance. It is also essential that employees are made aware of the coming changes and their responsibilities. If you have also purchased our GDPR Staff Awareness Training Package or use an alternate session/workshop, you should schedule training sessions to start as soon as possible.
3.3 Information Audit
Within your GDPR Document folder, we have provided you with an Excel template for completing an Information Audit. Depending on the size of your organisation, you can either complete one audit, or carry out one for each business area or department. However, if you do carry out multiple audits, it is essential to combine and review them once finished to ensure that you do not have any gaps or duplications.
Doing a company-wide information audit is one of the ICO’s first recommendations for GDPR preparation, with the aim of mapping the personal data flows within your business. We have provided the essential headings in the audit template, although you are free to add to/edit them if required.
The information audit is a register of all personal data processed by you, including identifying and recording how it flows into, through and out of the business. Start by identifying any functions, processes and areas that involve processing personal data (including collecting, using, storing and disclosing). Such sources can include (but are not limited to): –
- Employee contact details
- Payroll data
- Customer contact details
- Mailing lists
- Online forms
- Consultations
- Orders
When you have identified and documented all personal data flowing into the organisation, you should then record the information for each of the template headings, including the source of the data, legal basis for processing, purpose, disclosure recipients etc. The headings in the Excel template also come with descriptions, so we haven’t added further detail for what needs to be completed. The template also comes with examples for extra guidance.
The information audit allows you to assess and identify what personal data you process and the reasons, but also serves as a template for ongoing data protection compliance in areas such as data subject rights, safeguarding measures, retention periods and personal data reviews.
3.4 Processing Activities Register
Again, a complete Processing Activities Register template has been included in your Bundle, with the necessary headings to comply with the GDPR and Data Protection Act 2018 requirements. Not all organisations are required to maintain a record of their processing activities (see the Data Protection Policy or Article 30 for the conditions); however, it can be completed voluntarily as an internal record of your processing activities.
If you are required to keep such records (or are choosing to complete them voluntarily), you should complete the register as your next action. Some of the headings in the processing activities register are duplicated from the information audit, so the data can be moved across, although this register does have specific requirements for documenting the purpose and type of processing activities, as well as the categories of data subjects & personal data and what technical and organisational security measures are in place.
There are slightly different requirements in the records for controllers and processors, so we have added a tab in the template for both options. The processing activities register comes with descriptions above the headings and we have also provided examples for both controller and processor records.
3.5 GDPR Compliance Checklist
We have included a GDPR compliance checklist in your Bundle. Whilst it may be tempting to try and get all measures in place first and then complete the checklist so that you can show full compliance, the aim of the checklist is to identify gaps, so do not worry if you have areas of non-compliance.
We would recommend completing the GDPR checklist at this stage; your bundle instruction sheet provides a walk-through on using the checklist and how to use the filters and action plan. There is also a Word version of the GDPR checklist should you prefer this format.
Once the checklist has been completed, you will have a working list of any functions or areas that have gaps, need improvement or are non-compliant. With this list, you are now able to use the action plan and document the measures and actions that you will take to gain compliance in each area.
4. Policies & Procedures
Once you have completed the actions in section 3, you will now have a structured list of steps that you need to take to implement GDPR compliance. We have detailed in this section some suggested actions for next steps to take when working through the bundle documents.
4.1 Consent Mechanisms & Privacy Notices
Your Bundle includes a template Privacy Notice, although if you have been collecting personal data previously, you may already have such a notice in place. You should now review the content of any existing notice(s) to ensure that they contain the Article 13/14 information disclosures and comply with the Regulation. Your instruction document contains a link to detailed privacy notice guidance from the ICO, which is also useful.
Your notices need to be clear, legible, easy to understand and easy to access, and should not be bundled with any other materials (e.g. T&Cs) or matters that may confuse the individual. If you are relying on consent in any of your processing activities, you will also need to review your consent mechanisms and ensure that they are granular, opt-in and, again, not bundled with any T&Cs or other materials.
You must be able to evidence when and how you obtain consent, and show a positive opt-in (tick-box, signature etc), along with date and time. This also applies to previous consents, so if you cannot demonstrate that previous consents comply with the GDPR requirements, they will need to be re-obtained.
It is possible that some organisations will have more than one privacy notice, so we have included a Privacy Notice Register where you can record each notice, along with essential details about each. You may have one for employees, one for customers, one for online marketing etc, and each is likely to have different content (maybe some with consent and some without), so having a register keeps track of them and helps with the requirement of reviewing the notices on a regular basis.
You may also have different formats for the notice, which again should be recorded on the register (e.g. paper, online, electronic etc.). When reviewing/developing consent mechanisms, the ICO suggests that organisations: –
- Check that consent is the most appropriate lawful basis for processing
- Ensure that consent requests are clear, prominent and separate from any T&C’s
- Give granular options to consent separately to different types of processing (if appropriate)
- Provide name & contact details of your business & any relevant third-party who will rely on the consent
- Explain the right to withdraw consent, note how to do this & make it simple and clear
- Ensure individuals can refuse to consent without detriment & that it is not a precondition of a service
- Have mechanisms for recording and managing consent, recording how & when consent was obtained
- Regularly review consent to check that the relationship, processing and the purposes have not changed
- Online Services for Children – if applicable, you must ensure that you have effective systems and controls in place to manage the consent mechanisms. Consider processes for verifying the age of an individual and if applicable, ensure that you obtain parent/guardian consent to process the data of a child 13 years or under. Privacy notices aimed at children must be concise, clear, easy to understand, easy to access and be reviewed regularly.
4.2 Policy & Procedure Customisation
You can now start working through the policies, procedures and templates in the Bundle. The policies and procedures provided in the bundle are mostly ready-to-use and come with the GDPR requirements and procedures. You can use the guidance in the instruction document to apply your corporate branding to the documents, and each comes with standard version control sections. The instruction document also provides guidance for the areas that require customisation and editing.
As the documents have been designed to offer a comprehensive data protection and information management program, they are naturally detailed and extensive. The main Data Protection Policy & Procedures extends to over 30 pages, but there may be some areas that differing business types can amend or remove.
As the GDPR has more obligations and responsibilities for processors than the current data protection law, we have included requirements and content applicable to both controllers and processors. Whilst this may mean customising or removing some sections, this ensures a complete document for all business types and sizes without duplication or extra cost.
If you have specific or existing procedures in place for any of the requirements already covered in the policy documents, you can edit/overwrite what has already been provided. It is essential that the procedures in the policy documents are ones that you will follow and are relevant to your organisation.
As the main Data Protection Policy & Procedures contains many of the data protection processes and content, you are welcome to separate the sections into individual policy documents if preferred. However, using the one main document is the standard approach and we have already provided the main policies in standalone formats, such as Data Retention, Breach, Transfers, SAR Procedures etc. This Data Protection Policy & Procedures also provides you with many actions and functions for GDPR compliance, so can be read and used alongside the GDPR checklist to understand and implement compliance measures and controls.
The documents for breaches, retention, transfers and SAR’s are ready-to-use, but should be customised if you have differing processes in place or intend to comply with the Regulation through different actions. You should also at this point complete the Data Retention Schedule found in the Data Retention Policy, as every firm will have their own retention periods and records.
4.3 Data Protection Impact Assessment (DPIA)
Not all firms are required to complete a DPIA (see the Data Protection Policy or Article 35 for conditions); however, as with the processing activities register, some firms complete a DPIA even where it is not mandatory, as the process provides extensive information about each processing function, how best to protect the personal data and data subjects, and how to identify any risks.
In your bundle, you will find extensive DPIA procedures and Excel templates for completing an impact assessment on any processing functions that are high risk. We have not gone into detail here as the DPIA procedures in the Bundle are detailed and provide a walk-through for carrying out such assessments.
4.4 Processor Agreement Template
We have included an agreement template in the Bundle for controllers using processor(s). This agreement meets the requirements of Article 28 and other relevant Regulations. The template can be customised for each processor and comes with customisation sections for the specifics of each processing activity. We have also provided a processor notification template to advise your existing processors of the impending changes and your/their obligations.
5. Other Suggestions
Once you have completed all the above actions, you should have a good understanding of the GDPR and your preparation needs and be well on your way towards having a robust and compliant data protection program. We have added a few more suggested actions below.
5.1 Staff Training & Guidance
Your Data Protection Policy & Procedures can also be a guidance document for employees; however, for those directly involved in the processing of personal data, you should ensure a robust and thorough program for their support and training.
Implement procedures to guide staff on how to manage the personal data that you hold and what to do when individuals exercise their rights (e.g. subject access or rectification). Reporting lines and DPO details (if applicable) should be disseminated, with specific data protection training workshops being included in all induction programs, as well as on a regular basis for existing staff or those returning after absences.
5.2 Data Subjects’ Rights
Your Data Protection Policy & Procedures contains procedures and content for allowing data subjects to exercise their rights and guidance for processing such requests (timeframes, notifications etc). We have also included a dedicated document for Subject Access Requests & Erasures for you to use and follow.
There are several rights for individuals under the GDPR (some similar to the UK’s previous DPA), so having clear procedures and mechanisms in place to allow for the exercising of such rights is essential. Subject access requests, rectifying data, erasure & restricted processing all require a written process that employees can understand and follow. In most cases, requests should be actioned within one month of receipt and be free of charge, with communication being in a concise, intelligible and easily accessible form. Your information audit can be useful for data subject requests in identifying where data is located, in what format and any disclosure recipients.
5.3 Data Portability
This area has new requirements for data protection and in certain circumstances, organisations are expected to have controls and systems for enabling individuals to ‘receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance’. The ICO suggest that businesses: –
- Implement a process that will enable individuals to submit a request
- Ensure that the medium in which the data is provided has appropriate technical measures in place to protect the data it contains
- Ensure that the medium in which the data is provided allows individuals to move, copy or transfer that data easily from one organisation to another without hindrance
5.4 Children & Data Protection
The ICO have produced extensive guidance on how the GDPR and DPA18 relate to children and what actions must be taken to ensure that those processing the personal data of a minor are compliant. As the guidance is already in publication, we have not added it to this section, but have added the link to the ICO page so that organisations can review the guidance directly.