FCA and PRA licenses (authorisations) and ongoing compliance support, training, recruitment. Contact us 7 days a week, 8am-11pm. Free consultations. Phone / Whatsapp: +4478 3368 4449  Email: hirett.co.uk@gmail.com

PLAN NOTE: This plan has been designed to provide steps for implementing the GDPR and assessing your readiness and gaps. It is a lengthy document and as the GDPR is not a ‘one-size-fits-all’ Regulation, it is impossible for us to create a specific plan that suits all businesses. The ‘Condition or Purpose’ column provides guidance on whether the actions are ‘mandatory’, ‘condition-based’ or ‘guidance’, which aids in excluding those areas not relevant to you.

The suggested actions in this plan will not give you a complete approach for implementation, because there will be specific requirements and functions that are unique to your business; and the plan is not legal advice, but professional guidance based on our knowledge and expertise in this area. However, through the actions that have been provided, you will be able to review each business area against the requirements and systematically assess your organisation.

For small and micro-organisations, the only specific exemption relative to your size is the Article 30 Processing Activities Requirement; however, the GDPR states several times that all measures and requirements should be ‘proportionate to your size, scope and nature’. It is likely that for many small businesses, policy sections on ‘Appointing a DPO’, ‘International Transfers’ and ‘Third-Party Processors’ can be reduced or even removed. However, there will also be SMEs or sole traders who must comply with these areas, so inclusion of all requirements is essential in a GDPR Toolkit. Our documents take a universal approach, meaning all requirements for all businesses are included and you then customise or reduce if not applicable. This method is essential for compliance and to ensure that smaller firms are not being given an ‘easier’ package that opens them up to penalties and enforcement down the line.

BUSINESS REVIEW: At the end of the plan, you will see 2 additional sections titled ‘Small & Micro Businesses’ and ‘Medium & Large Organisations’. Obviously, the size of a business is only one part of the equation (nature and scope being just as important); however, these sections provide some business-specific guidance that may be useful for business functions and the GDPR.

GDPR CHECKLIST: We recommend starting by working through our GDPR Checklist and answering all questions (where applicable). This gives you a written list of the areas where you have gaps, are non-compliant or just need to make some improvements.

Our checklist is extensive and may seem geared to larger organisations (i.e. overkill for small firms); however, businesses big and small must comply with the GDPR and except for Article 30 – Processing Activities records, there are no limited or diluted exceptions or conditions based on size. It is all about the type and volume of the personal data you process, which is not dependent on how many employees you have!

 

GDPR Implementation Project Plan

REQUIREMENT CONDITION OR PURPOSE ACTIONS NOTES
Review Existing Data Protection Processes & Documents

Guidance:

Many UK organisations processing personal data will have been obligated under the previous Data Protection Act 1998. This means that you may already have some form of programme in place

1. Identify any documents, policies, processes, systems and job roles that relate to data protection (e.g. HR forms, employee handbooks, bank details templates, assessment reports, appraisals etc)

2. If you are continuing to use any existing data protection relevant documents, ensure that any reference to Data Protection Act 1998 is replaced with the GDPR & DPA18 (or your country’s relevant Data Protection Law and any guidelines)

3. If the document, system, application or online form collects personal data, ensure it is accompanied by a compliant Privacy Notice (see Privacy Notice section) and if applicable, consent request

It is important to remember that many parts of the GDPR are the same as those in the current DPA. With so much emphasis on the GDPR, many firms are starting from scratch with processes that may just need tweaking.

As you have purchased our GDPR documents, you are likely to be replacing any policies & templates; however, you will likely have forms, documents & templates specific to your business type that can be revised instead of restarted

Accountability Principle

(Article 5(2))

The controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles

1. To demonstrate compliance with the GDPR, you need to be documenting all procedures, processing activities, training, measures and controls that evidence compliance with the principles and requirements

2. Ensure that you have and continuously maintain a clear and structured set of records for all GDPR & DPA18 requirements

3. For organisations with managerial levels, providing Management Information on a regular basis is an essential part of demonstrating compliance and also supports the accountability principle

Accountability is a new addition to the data protection principles and focuses on demonstration and documentation
GDPR Awareness & Staff Training

Guidance:

The GDPR will affect all staff and all business functions, so ensuring that everyone is aware of the changes is essential

1. Organise a meeting with Management to discuss the timeframe, requirements & impact of implementing GDPR

2. Decision makers & key people must understand the changes and what is expected

3. Dependent on your size & scope, allocate the resources & budget required

4. Identify which employees handle personal data or are directly involved in, or affected by, data protection

5. Provide those identified above with GDPR staff training sessions as soon as possible

6. Roll out training to all other staff (in stages or in full, dependent on your size)

7. Create an intranet or location where GDPR support and resources can be accessed

8. Create/revise training records for all staff and document all training sessions, support & resources

This part of the implementation project can run alongside the other requirements; however, it is important not to leave awareness and training to the last minute. Large organisations can end up with gaps if not planned correctly, and smaller ones with duplications, which can cost time & money.

For small organisations, working through this plan, reading the policy documents and templates & referring to ICO’s extensive guidance can serve as training

Appoint a Data Protection Officer (DPO) or Lead

(Article 37)

A DPO is mandatory when:

a) Processing is carried out by a public authority or body

b) Core activities consist of processing operations which require regular & systematic monitoring of data subjects on a large scale; or

c) consist of processing on a large scale of special category or criminal convictions personal data

1. Designate a Data Protection Officer or Lead

2. Ensure adequate training and support is made available to the appointed person

3. Document reporting lines to and from the DPO to employees, senior management & third-parties

4. Complete the DPO Responsibilities template with the DPO/Lead’s details

5. Register the details of your DPO with the ICO

See Article 9 for definitions of special category data & Article 10 for criminal convictions

Even if you are not obligated to appoint a DPO, having a designated lead is useful for carrying out DPO duties & maintaining compliance with the GDPR requirements

Note: if it is not clear from the conditions whether you need to appoint a DPO, you should record your assessment determination process

Carry out an Information Audit

Guidance:

Essential for documenting data flows & recommended by the ICO to assist with GDPR preparation & ongoing compliance

1. Decide if you are completing one audit for the whole company or one per business area

2. Use the Information Audit template to map the personal data flowing through your organisation

3. Review all personal data sources and document in the audit which legal basis you are using to process under Article 6(1) & 9(1)

4. Aim to have a separate line for each processing purpose (e.g. you collect name, address, email & DOB from a customer; the name & address are for delivery, the email is for opt-in marketing & the DOB is for a credit check. These categories have different processing purposes and so should each be on a separate line, despite being collected at the same time & from the same source)

If completing multiple audits, you must bring the data together and review for gaps and duplications at the end

Optional: You can add a column to the audit template for ‘Rights’ with details of which rights apply to each category (e.g. employees have the right to request access, but not erasure; those processed under a legal obligation can request rectification of data, but not object to processing).

This would then give you an at-a-glance view of which data subject rights are applicable for the personal data categories you have detailed on the audit, and can be referenced when you receive a request.

Record Processing Activities

(Article 30)

Not applicable to organisations with less than 250 employees, unless processing: –

  • is likely to result in a risk to data subjects
  • is not occasional; or
  • includes special category or criminal conviction data (Article 9(1) or 10)

1. Using the headings in the register template, you can gather the required information per business area using a questionnaire

2. Review existing retention periods, processor agreements, information security measures & recipients of data to obtain the necessary data

3. Complete the Processing Activities Register

4. The register should be reviewed regularly to ensure it is still accurate and up-to-date. Choose a frequency based on your size and add review date to a calendar or audit register

You can use some of the information already documented in your Information Audit

Controllers and processors have slightly different documentation obligations

 

If you are a controller and process special category or criminal conviction offence data, also complete the blue section of the register to comply with Schedule 1 of the Data Protection Act 2018

Review Existing Privacy Notice(s)

(Articles 12, 13, 14)

Mandatory requirement:

All controllers are required to have a Privacy Notice in place providing the GDPR information disclosures

1. Using the Information Audit data, you will be able to identify where personal data is initially obtained

2. Assess how many notices you need & what format they should be in*

3. Review/create a new Privacy Notice noting: –

a) Name & contact details of the controller & if applicable, their representative & DPO
b) Purposes & legal basis of the processing (& if applicable, the legitimate interests)
c) Recipients of personal data & details of transfers to third country and safeguards
d) Retention period or criteria to determine period
e) Details of data subject’s rights
f) If processing based on consent, right to withdraw consent at any time
g) Right to lodge complaint with supervisory authority
h) Whether the provision of personal data is a statutory or contractual requirement (& consequences of failure to provide data)
i) Existence of automated decision-making

4. Use the Privacy Notice template to revise/create your notice(s) & customise to suit your business

5. Ensure your notice is legible, clear & is not bundled with any other information or T&Cs

6. If relying on consent for processing data, the notice needs to be accompanied by a consent form

If you offer promotions, offers, newsletters, marketing etc as an option when obtaining personal data, you must have a clear opt-in section towards the end of the notice with unticked, opt-in boxes (see template)

*It is best practice to have a notice for each processing activity (i.e. a paper format customised to employees, an electronic notice for online forms etc)

If data is not obtained directly from the individual, you must also specify the categories and source of the personal data

Consent

(Article 7)

Relevant if you use consent for any processing:

Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data

1. Using the data from your Information Audit, identify if you have any processing activities that rely on consent or special category explicit consent
2. Review any existing consent mechanisms for compliance with the GDPR requirements (e.g. online consent, employee forms etc)
3. Your consent mechanisms should always accompany a Privacy Notice
4. Can you evidence the time & date for previous consents? If not, you will need to re-obtain consent from those individuals
5. Review how you record and manage consents. What process do you have if someone withdraws consent?
6. Add the specific steps you take when you receive a withdrawal request to your Data Protection Policy
7. If you only use consent for marketing, offers etc, you can use a paragraph in your Privacy Notice(s) to offer the service and utilise unticked boxes to gain positive consent (see below note on marketing)
8. Name your business and any third-party who will rely on the consent
9. Provide guidance on how to withdraw consent

Remember: Some organisations do not rely on consent for any processing, in which case you just need to provide the Privacy Notice as an information source, without opt-in consent

For direct marketing consent, it is a good idea to use ‘double opt-in’ as this ensures an extra layer of positive opt-in and serves as your date & time evidence for the consent

A withdraw-consent/unsubscribe option must be included wherever processing is based on consent

Consent must be clear, detailed and enable a positive opt-in. It cannot be a precondition of a service and must be separate from any other matters (i.e. terms & conditions)

There is a consent template in your Privacy Notice template
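The actions above ask three things of a consent mechanism: that it records a positive opt-in with a time & date you can evidence, that a double opt-in confirmation serves as that evidence, and that a withdrawal is handled and retained. The ledger below is an added example written for this plan, not code from the toolkit or from any product; the class, method names and the (contact, purpose) keying are assumptions made for illustration. It records a pending consent when the unticked box is ticked, confirms it only with the token sent by email, keeps the withdrawal rather than deleting the record, and answers the question a mailing job should ask before every send.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed purpose label; one record is kept per (contact, purpose) pair so
# marketing consent is separate from any other processing of the same person.
PURPOSE_MARKETING = "marketing-email"


@dataclass
class ConsentRecord:
    contact: str                   # data subject identifier, e.g. an email address
    purpose: str                   # the specific processing this consent covers
    notice_version: str            # version of the Privacy Notice shown at the time
    requested_at: datetime         # when the unticked opt-in box was ticked
    token_hash: str                # HMAC of the double opt-in token; the token itself is not stored
    confirmed_at: Optional[datetime] = None   # when the emailed confirmation link was used
    withdrawn_at: Optional[datetime] = None   # when consent was withdrawn / unsubscribed


def _utcnow() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    """In-memory consent ledger (hypothetical). A deployment would persist the
    records append-only so that the timestamps remain trustworthy evidence."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def _token_hash(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request(self, contact: str, purpose: str, notice_version: str,
                now: Optional[datetime] = None) -> str:
        """Step 1 of double opt-in: record a pending consent and return the token
        that goes into the confirmation email. Nothing is permitted yet."""
        token = secrets.token_urlsafe(16)
        self._records[(contact, purpose)] = ConsentRecord(
            contact=contact, purpose=purpose, notice_version=notice_version,
            requested_at=now or _utcnow(), token_hash=self._token_hash(token))
        return token

    def confirm(self, contact: str, purpose: str, token: str,
                now: Optional[datetime] = None) -> bool:
        """Step 2: the individual follows the emailed link. Succeeds only once, only
        for a pending record, and only with the matching token; the stored
        confirmation time is the date & time evidence for the consent."""
        rec = self._records.get((contact, purpose))
        if rec is None or rec.confirmed_at is not None or rec.withdrawn_at is not None:
            return False
        if not hmac.compare_digest(rec.token_hash, self._token_hash(token)):
            return False
        rec.confirmed_at = now or _utcnow()
        return True

    def withdraw(self, contact: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Withdrawal/unsubscribe: the record is kept with the withdrawal time
        rather than deleted, so the consent history can still be evidenced."""
        rec = self._records.get((contact, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now or _utcnow()
        return True

    def permitted(self, contact: str, purpose: str) -> bool:
        """The check a mailing job should run before every send."""
        rec = self._records.get((contact, purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, contact: str, purpose: str) -> Optional[dict]:
        """Serialisable answer to 'when, and under which notice, did they consent?'"""
        rec = self._records.get((contact, purpose))
        if rec is None:
            return None

        def iso(d: Optional[datetime]) -> Optional[str]:
            return d.isoformat() if d else None

        status = "withdrawn" if rec.withdrawn_at else ("confirmed" if rec.confirmed_at else "pending")
        return {"contact": rec.contact, "purpose": rec.purpose,
                "notice_version": rec.notice_version,
                "requested_at": iso(rec.requested_at), "confirmed_at": iso(rec.confirmed_at),
                "withdrawn_at": iso(rec.withdrawn_at), "status": status}


if __name__ == "__main__":
    ledger = ConsentLedger(secret=b"constructed-demo-secret")
    token = ledger.request("alice@example.com", PURPOSE_MARKETING, "v1.0")
    ledger.confirm("alice@example.com", PURPOSE_MARKETING, token)
    print(ledger.evidence("alice@example.com", PURPOSE_MARKETING))
```

Two design points matter for the audit trail: the confirmation token is stored only as an HMAC, so a copy of the ledger cannot be used to forge a confirmation, and a withdrawn record is never overwritten by a new `request` unless the individual opts in again, at which point the new request, confirmation and notice version are all timestamped afresh.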

Direct Marketing

Relevant if you send any marketing emails/SMS (e.g. offers, newsletters, promotions, extra services etc) that individuals sign up for
  1. For new customers/individuals, you need to decide whether you are relying on consent or legitimate interests for marketing: –
    a) If choosing consent, see the ‘consent’ section above for the actions to take
    b) If you think that legitimate interests apply, you do not need consent to send marketing, but you do need to: –
    c) state in the Privacy Notice what those legitimate interests are
    d) complete a legitimate interests assessment to show evidence that this basis is more appropriate than consent
    e) evidence how the organisation’s interests are balanced with the interests and rights of the individual and that no privacy risk or detriment is likely to occur through the marketing
    f) still provide an opt-out/unsubscribe feature
  2. For existing customers/individuals who have previously consented to receiving marketing, see the notes section to the right
We have added this note on marketing as there is some confusion about using consent or legitimate interests. Which legal basis to use is the subject of a much bigger discussion than we have noted here, but we have written an article for Business Marketing Online which may prove useful – https://www.bmon.co.uk/2018/05/individual-non-customer-contacts-the-key-to-gdpr-compliance

NOTE: One of the confusing parts here is that if you have previously obtained consent from an individual to market to them, you cannot now switch to legitimate interests (as you gave them a consent/opt-in option and would not have stated your interests at the time the data was collected).

So, if you obtained consent for marketing from existing customers, you need to review that consent for GDPR compliance and regain consent where applicable

Data Protection Policy

(Article 24(2))

Mandatory requirement:

The controller must implement appropriate data protection policies to demonstrate the technical and organisational measures taken to comply with the GDPR

  1. Your included Data Protection Policy already sets out your business’s approach to data protection, together with responsibilities for implementing the policy and monitoring compliance; however, you should review the content to ensure it suits your business type and requirements. Specific review areas include: –
    a) Privacy by Design – add any specific measures or controls you use for encryption, pseudonymisation, data minimisation, restricted access or security controls
    b) Special Category Data – if you do not/will never process any special category/criminal data, you can reduce this section to specify that you understand the requirements, but that they do not apply to you and you will review your position and processing activities if required
    c) Records of Processing Activities – all options for this requirement are in the policy, so retain only the paragraph that applies to you (i.e. less than 250 staff, processor etc)
    d) Third-Party Processors – if you do not/will never use any external processors, you can edit this section to retain only the first paragraph (removing the content that specifies how you comply). State that you do not use any processors, but are aware of the requirements
    e) DPIAs – this section should be customised to either include your specific DPIA processes or reference the location of the document with those procedures; or, leave the DPIA description but note if you do not ever need to complete such an assessment, detailing your processing activities as further evidence that a DPIA is not needed
    f) Automated Decision Making – this may not be applicable to many organisations, so again with this section, if it is not applicable to you, reduce the section down to an explanation of what automatic decision making is and why your processing activities/business do not do any
    g) Data Transfers – if you do not transfer any data outside the EU, you can edit this section to advise this and file the International Data Transfer Procedure in case required in the future
  2. Ensure the policy is made available, and communicated to all staff
  3. Have a monitoring schedule in place to review this policy (and all others) regularly to ensure it still meets your requirements and is fit for purpose*
The Data Protection Policy that we have provided is extensive and covers all GDPR requirements. However, we understand that for small firms or those with limited processing activities, some parts of this policy may not apply. As every business is bespoke, we are required to cover all aspects, but have detailed to the left the areas that can be customised if not relevant, leaving you with a smaller policy where applicable.

Owing to the vast array of requirements presented in the GDPR and that not all requirements are relevant to all businesses, we have created a main Data Protection Policy and then have standalone policies/procedures for: –

  • Data Retention & Erasure
  • Data Breaches & Notifications
  • International Data Transfers
  • Subject Access Requests
  • DPO Responsibilities
  • Privacy Notice Template

We recommend leaving all subject rights sections in the Data Protection Policy, even if you are never required to action them (i.e. if you only process personal data based on a contract or legal obligation, withdrawing consent, restricting processing rights etc are not applicable). However, it is good practice to have procedures to action all rights as part of your policy.

* E.g. registers held by the ICO, codes of conduct, adequacy decisions etc can all change, so any reference in your document must be kept up-to-date

Subject Access Requests

(Article 15)

Mandatory requirement:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data about them is being processed

  1. Ensure a process is in place for individuals to request access to their personal data
  2. Use the Subject Access Request Procedures in your toolkit as your template document. Review the content and customise any areas to make it specific to your business and processes
  3. Review the provided SAR form and add your company details and DPO/person appointed to handle SARs
  4. When acting on a request for access, have measures in place to verify the identity of the individual (if not present)
  5. Make a copy of your SAR procedure and request form accessible to individuals (e.g. via your website, in your office/store, in email links, on written documents etc)
  6. Make sure that all personal data is accessible within the 30-day timescale
  7. Provide awareness training to all staff and specialist training to individuals who deal with any requests
  8. Where the request is made by electronic means, ensure you are prepared to provide the information in a commonly used electronic form (unless the individual requests otherwise)
Data must be provided free of charge under the GDPR (unless it is a duplicate request, when an admin fee to cover costs can be charged)

Your Data Protection Policy contains a list of the information that must be supplied to the individual – ensure that this list is available to the person responding to the requests

The SAR Procedures provided in your toolkit do not require much customisation as they cover all mandatory requirements, however you are free to alter the format and/or customise the content to suit your organisation’s requirements

The right to access personal information must be noted in your SAR Procedures and Privacy Notice (as per our templates)

Subject Rectification Request

(Article 16)

Mandatory requirement:

The data subject shall have the right to request from the controller, the rectification of inaccurate personal data

  1. Your SAR Procedures & Privacy Notice templates contain guidance for your organisation and individuals on how to submit a data rectification request and how this should be processed
  2. Ensure your DPO/appointed lead is aware of how to process a rectification request (as per the procedures detailed in section 8.6 of your Data Protection Policy)
  3. When acting on a request to rectify/complete personal data, have measures in place to verify the identity of the individual (if not present)
  4. Use your Information Audit to check if the personal data category in question has been disclosed to any third-party (i.e. processors), so that they can also be notified of the rectification request and change details
  5. Keep a record of any changes made to personal data (i.e. a change register, supplementing notes on file, account note etc)
  6. Schedule regular reviews of all personal data and systems to meet the accuracy principle (i.e. removing out-of-date info & correct inaccurate records & update out-of-date ones)
The right to rectify personal information must be noted in your SAR Procedures and Privacy Notice (as per our templates)

Ensure that staff have effective reporting lines to advise of any data quality issues (i.e. are the sales team getting out of date numbers, are accounting having to recheck bank details?)

Data Retention & Erasure

(Articles 5, 13, 14, 15 & 17)

Mandatory Retention Requirement:

The period for which the personal data will be stored, ensuring that the period is limited to a strict minimum

Condition Based Erasure Requirement:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning them in the below instances:

  • the data is no longer necessary for the purpose(s) it was collected or processed
  • consent is withdrawn when processing is based on Article 6(1)(a) or 9(2)(a) & there is no other legal ground for the processing
  • the data subject objects to the processing & there are no overriding legitimate grounds for the processing, or processing relates to direct marketing
  • the data has been unlawfully processed
  • the data must be erased for compliance with a legal obligation
  • the data is processed in relation to the offer of information society services to a child
  1. Review the Data Retention & Erasure Policy and Schedules to ensure that any storage periods comply with your own business requirements and industry regulations
  2. Add any retention periods to the schedule for business specific documents
  3. Review the disposal measures for personal data, software, hardware and records and customise to suit your actual procedures (if different)
  4. Review the Erasure Procedures provided in the Data Retention & Erasure Policy and ensure that you can follow them (or customise if you carry out a different process for erasing data)
  5. Provide the DPO/Lead with the conditions for erasing data as the ‘right to be forgotten’ is not an absolute right!
  6. Ensure that agreements for any processor that you use contain the requirement for them to erase data on your instruction and that they have procedures in place for this
  7. Work with the IT department (or for smaller firms, implement a procedure) for deleting data from back-up systems and storage points
  8. Assign responsibility for retention and disposal to an appropriate person
  9. If using third-party disposal/secure waste supplier, ensure that you have an agreement with them and that you carry out due diligence to verify their services, compliance and the appropriate security measures
Data retention, disposal and erasure all go together, so we have provided a policy that adequately covers all 3 requirements.

Legal and statutory retention schedules for the UK have been added to the Retention Schedule found in the Data Retention & Erasure Policy. However, these should be reviewed to ensure compliance with your business sector and you should also include any retention period specific to your organisation

Data Portability

(Article 20)

Condition Based Requirement:

The right to receive personal data from a controller, in a structured, commonly used and machine-readable format and to transmit that data to another controller only applies: –

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means
  1. Review the procedures set out in the Data Protection Policy supplied with your Toolkit to ensure that they comply with your own processes for data portability
  2. For all data that complies with this right, ensure that it is available in a commonly used and machine-readable format (i.e. CSV files)
  3. Make sure that the data has sufficient protection and security measures applied based on the format used (i.e. encryptions, restricted access etc)
  4. Test your process for moving or transferring the data in the specified format, easily from one organisation to another
  5. Ensure that the process for data portability allows for the 30-day timeframe (i.e. don’t hold data in a non-common format and then rely on being able to reformat it on request, as this may cause unnecessary delays)

If the personal data you process is not based on consent and is not carried out by automated means, you do not need to comply with a request for data portability or to allow individuals to obtain and reuse their personal data for their own purposes across different services

Other Data Subjects Rights

(Articles 18, 21 & 22)

Condition Based Requirements:

The controller shall facilitate the exercise of data subject rights

Right to restrict the processing of personal data is applicable:

  • Where an individual contests data accuracy, processing should be restricted until verified/corrected
  • Where an individual objects to the processing (where necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual
  • When processing is unlawful, and the individual opposes erasure and requests restriction instead

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority
  • direct marketing
  • processing for purposes of scientific/historical research and statistics
  1. Review the data subject rights procedures for restricted processing, objection and automated decision making as pre-written in the Data Protection Policy, to ensure that they are aligned with your actual (or intended) processes
  2. If you have any specific measures or steps for actioning these rights, document them in the policy
  3. Ensure that the processes you have committed to can be exercised within the 30-day timeframe
  4. Implement a process that will enable individuals to submit such requests to you (see section 5 of the provided SAR Procedures) (i.e. this should include online options where applicable as well as in writing)
  5. Develop a process and template for informing individuals when you decide to lift a restriction on processing
  6. Review your privacy notice(s) to ensure they inform individuals of their rights
  7. Provide training to staff so that they are knowledgeable about the data subjects’ rights and when they are applicable, as well as who to report such a request to
  8. Identify whether any of your processing operations constitute automated decision making
  9. If applicable, make sure that individuals have access to a person to whom they can communicate, provide an opinion and obtain an explanation of the decision, and where applicable, challenge it
  10. Ensure that any automated decisions do not contravene the restrictions in Article 9(2)
We have provided thorough and compliant Data Protection Policies, encompassing all rights and requirements. This naturally means that whilst some of the data subjects rights and procedures may not apply to you directly, we have included them anyway.

We have noted in the ‘Conditions’ box when you must comply with each data subject right, but for those rights that will not apply to you at any point, we still recommend retaining the procedures in the policy to demonstrate that you understand each right and know why you are not obligated under it (if applicable)

For objections, you must stop processing personal data unless you can demonstrate compelling legitimate grounds for continuing, but they must override the interests, rights and freedoms of the individual. You can also continue processing if it is for the establishment, exercise or defence of legal claims

If you have disclosed the personal data to any third-party, you have an obligation to inform them of any right exercised by the data subject and to have them enforce the right where applicable

Data Breaches

(Articles 33 & 34)

Mandatory Requirement:

The controller shall document any personal data breaches and have data breach procedures in place. Processors must notify the controller immediately of any personal data breaches

However, breach notifications are only required when:

The breach is likely to result in a risk to the rights and freedoms of the individual(s)

  1. Review the Data Breach Policy & Procedures in your toolkit to ensure that you will be following the process documented
  2. If you have any other procedures or templates relevant to breaches and specific to your business, include them in the provided document
  3. Ensure that all staff are aware of the breach procedures and what constitutes a breach
  4. Disseminate reporting lines for breach notification
  5. Create a Breach Register to log all breaches (no matter how small) and review regularly to check for patterns or reoccurring issues/areas
  6. Define a notification process for breaches that must be reported to the supervisory authority and data subject
Notification to the supervisory authority & data subject(s) must be within 72 hours of becoming aware of the breach, where it is likely to result in a risk to the rights and freedoms of individuals
International Transfers

(Articles 44-50)

Only applicable if transferring any personal data outside the EU
  1. Review the International Data Transfer Procedures provided to ensure that they follow the process you take when transferring data
  2. Add any safeguards, measures and controls as applicable to your organisation (i.e. detail the countries and reasons for transfer and what measures are applicable to each: adequacy decision, binding corporate rules, etc.)
  3. Ensure that adequate safeguards and data security are covered in any written contract(s), using standard data protection contract clauses
  4. Implement measures to audit any documented security arrangements on a regular basis
  5. Assign the DPO/Lead with the task of monitoring the EC’s adequacy decision countries and any supervisory authority requirements for transfers
The International Data Transfer Procedures provided in your toolkit cover most of the requirements and conditions; however, transfers to non-EU countries or organisations are a bespoke process, so ensure that you customise this document and create any contracts, agreements or controls as required by Chapter V of the GDPR.
Technical & Organisational Measures

(Articles 24 & 32)

Mandatory Requirement:

Proportionate to their nature, size & scope, the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk & to demonstrate that processing is performed in accordance with the GDPR

The controller should adopt internal policies and implement measures which meet the principles of data protection by design and default

(Recital 78)

  1. Processes/systems obtaining personal data (forms, online, telephone etc.) should be reviewed to ensure that you are only collecting the data you need for the processing purpose (e.g. a field in an online form that is optional is, by definition, not necessary for the purpose and should be removed)
  2. Aim to continually minimise the amount and type of data you process and document any audits assessing this to meet the accountability requirement
  3. Review all functions and business processes to identify any risks presented by processing, including processes or systems that could result in:

a. Accidental or unlawful destruction of personal data

b. Loss, alteration or unauthorised disclosure of personal data

c. Unauthorised access to personal data transmitted, stored or otherwise processed

  4. Risks identified above should be recorded on your Risk Register and mitigating actions and operational/technical measures put into place to eliminate/reduce the risk
  5. Assess the security of the personal data you process (including storage and disclosure) and document what methods you use for the pseudonymisation and encryption of personal data
  6. Document in your policy the measures and processes for ensuring the ongoing confidentiality, integrity and availability of processing systems and services
  7. Review your Business Continuity (or Disaster Recovery) Plans and ensure that you have documented how you will ensure and restore the availability of, and access to, personal data in a timely manner in the event of a physical, operational or technical incident
  8. Review the Internal Audit & Monitoring Policy & Procedures supplied with the Toolkit and use the monitoring register to document a schedule of regular testing, assessing and evaluating of the effectiveness of technical and organisational measures
  9. New systems, processes, functions, services and technologies should be assessed before implementation to ensure data security, privacy by design and that you can comply with an individual’s rights under the GDPR
The provided Data Protection Policy and (if applicable) Information Security Policies contain numerous pre-written controls and measures for protecting and securing personal data. However, this area is specific to each organisation, so you need to add any measures, systems, controls or procedures that you already have in place (or intend to put in place to comply with the GDPR).

Guidance for assessing what measures to implement is provided in the actions above.
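Two of the Article 32 measures named in the actions above, pseudonymisation of personal data and a check for unauthorised alteration, as an added worked example in Python. This is not code from the original plan or toolkit; the sample records, field names and key handling are constructed for illustration, and the only dependency is the Python standard library.

```python
"""Pseudonymisation and integrity protection of personal-data records.

Added example, not part of the original plan. It shows why a keyed
pseudonym (HMAC) is preferable to a plain hash of an identifier, drops
fields not needed for the purpose (data minimisation), and seals each
record so that accidental or unlawful alteration can be detected.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example",
     "postcode": "AB1 2CD", "order_total": 42.50},
    {"email": "bob@example.com", "name": "Bob Example",
     "postcode": "EF3 4GH", "order_total": 13.00},
]

# Hypothetical field classification for this purpose (order analysis).
DIRECT_IDENTIFIERS = ("email", "name")   # replaced by a pseudonym
DROPPED_FIELDS = ("postcode",)           # not needed, so not retained


def pseudonymise(record, key):
    """Return a copy of record with direct identifiers replaced by a token.

    HMAC-SHA256 under a secret key that is stored separately from the data
    set gives a consistent token (the same person always maps to the same
    value, so analysis still works) that cannot be reversed or brute-forced
    from a list of likely e-mail addresses without the key. A plain SHA-256
    of the e-mail address would be trivially reversible that way.
    """
    ident = "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS)
    token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
    kept = {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS + DROPPED_FIELDS}
    kept["subject_id"] = token
    return kept


def seal(record, key):
    """Attach an HMAC tag over the canonical JSON form of the record."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key):
    """True if the record has not been altered since it was sealed."""
    body = json.dumps(sealed["record"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag through timing.
    return hmac.compare_digest(expected, sealed["tag"])


def process_all(records, pseudonym_key, integrity_key):
    """Pseudonymise and seal every record; returns the sealed list."""
    return [seal(pseudonymise(r, pseudonym_key), integrity_key)
            for r in records]


if __name__ == "__main__":
    # In practice these keys live in a key store, not beside the data.
    pseudonym_key = secrets.token_bytes(32)
    integrity_key = secrets.token_bytes(32)
    for sealed in process_all(SAMPLE_RECORDS, pseudonym_key, integrity_key):
        print(json.dumps(sealed, indent=2))
        print("intact:", verify(sealed, integrity_key))
```

The two keys are deliberately separate: the pseudonymisation key is the one secret whose disclosure would allow re-identification, so it should be held by as few people as possible, while the integrity key can be shared with anyone who needs to check records without being able to re-identify anyone.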

Information Security Policy

Mandatory Requirement:

The controller should adopt internal policies and implement measures which meet the principles of data protection by design and default

  1. Review your existing Information Security Policies (or use the ones provided if using the Toolkit) and ensure the policy covers key information security topics such as network security, physical security, access controls, secure configuration, patch management, email and internet use, data storage and maintenance
  2. Include the appropriate technical and organisational measures (mentioned in the above section) to ensure a level of security appropriate to the risk and your processing activities
  3. Communicate and make available the information security policy to all staff
  4. Add the policies to your Audit & Monitoring Register to ensure periodic checks for compliance with the policy and the GDPR
  5. Either deliver an information security staff training session or include operational and technical measures in your Data Protection Training
If you have purchased our full Toolkit, we have included a standard Information Security Policy as well as standalone policies in the Info Sec required areas. If you are using our GDPR Bundle, you should review your existing standard Information Security Policy and ensure that you have documented the appropriate measures
Data Protection Impact Assessment

(Article 35)

Mandatory Requirement when the processing is likely to result in a high risk to the rights and freedoms of natural persons:

  • systematic & extensive processing activities, and where decisions have legal effects on individuals
  • large scale processing of special category or criminal convictions or offences data
  • large scale, systematic monitoring of public areas (e.g. CCTV)
  1. Use the screening questions provided in your DPIA procedures to assess if any of your processing activities require a DPIA
  2. Any processing activities or technologies assessed as high-risk should be documented on your organisation's Risk Register and should be passed through the impact assessment procedures provided
  3. The steps in the DPIA are easy to follow and flow in a chronological order. Ensure that you document all stages of the assessment and retain the records for each activity
  4. Where possible, put mitigating actions and measures into place to reduce the risk of the processing and then repeat the assessment until the risk is acceptable (as defined in the DPIA)
  5. Where risk-reduction measures are unavailable or unsuccessful and you still have a legal requirement or obligation to carry out the processing, you must consult the Supervisory Authority for a review before proceeding
Processor Agreements

(Article 28(3))

Only applicable if you use any third-party to process personal data of which you are the controller

Processing by a processor on behalf of a controller shall be governed by a contract or other legal act

  1. Identify any third-party entities who you use to process personal data on your behalf
  2. You should have a principal contract in place stating the service level agreement and the terms on which your relationship is based
  3. A Processor Agreement template has been provided, and this (or your existing) agreement should accompany or be appended to the existing principal contract
  4. The Processor Agreement must state at a minimum:

a. The subject-matter and duration of the processing

b. The nature and purpose of the processing

c. The type of personal data & categories of data subjects

d. The obligations and rights of the controller

e. That the processor:

i. cannot engage another processor without prior written authorisation from the controller
ii. processes the personal data only on documented instructions from the controller
iii. must inform the controller of any legal requirement to transfer personal data to a third country or an international organisation
iv. ensures that those processing personal data are bound by an obligation of confidentiality
v. implements appropriate technical and organisational measures to ensure a high level of security, including but not limited to the pseudonymisation and encryption of personal data
vi. ensures the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of, and access to, personal data in a timely manner; and a process for regularly testing, assessing and evaluating the effectiveness of the measures
vii. assists the controller in the fulfilment of their obligations
viii. deletes or returns all the personal data to the controller after the end of the provision of services relating to processing
ix. makes available to the controller all information necessary to demonstrate compliance with the GDPR
x. immediately informs the controller if they infringe the GDPR in any way

  5. Obtain evidence from each processor that they have the above requirements in place

Specific Business Guidance

Small & Micro Businesses Guidance:

These are business specific suggestions that may be suitable for many small & micro businesses. Due to your size and scope, guidance on HR departments and training your staff is often not applicable, so this guidance is tailored to those with only a few staff or sole traders.

Training – the Regulation guidance from the ICO and the European Data Protection Board (EDPB) (formerly the Article 29 Working Party (WP29)) refers to training staff and having sessions/workshops; however, this is often not how small businesses find their training happening. You may choose to go on a ‘GDPR Training Course’ but can also document training as ‘reading articles on the internet’, ‘CPD’, ‘reviewing guidance materials’, etc. Your GDPR knowledge and training does not have to take the same form as in larger organisations, so the key is to document what you are doing.

Auditing – the accountability requirement necessitates ongoing reviews and audits of your GDPR measures and procedures. For small businesses, this is often time-consuming and can seem pointless, as you are using the measures and procedures daily and so know they are working. The key is ‘relative to your size & scope’: you do not need an external auditor or to spend hours walking through processes you already complete daily. Pick a specific day each month or quarter and document your audit as you go through your usual tasks. Simply check that you are still following the written procedures and that those procedures are still fit for purpose.

Security – the smaller you are, the fewer security measures you probably have in place for your personal data. Whilst larger firms have encryption, firewalls, cloud storage, disaster recovery and high-tech solutions, many small businesses use just one or two safeguarding measures. Security does not have to be costly or time-consuming: simple measures such as good anti-virus and anti-malware applications on all PCs and laptops, keeping personal data encrypted (using software or on removable devices), locked filing cabinets, alarms and door locks, and secure passwords go a long way. Even those working from their own home can implement most of those measures to secure the data they process.

Consent – if you are relying on consent for processing data, even if this is only for a small mailing list where a handful of the subscribers are individuals, you will need to comply with the GDPR in full, except for the Processing Activities Register and the optional assigning of a DPO. Processing under consent means that data subjects have stronger rights in areas such as objecting to processing, data portability, erasure and restricted processing. No matter how few ‘individuals’ you are handling data for, you need to have procedures for them to exercise their rights, demonstrable security measures, compliance with the principles and documented evidence that you can and are complying with the Regulation.

Medium & Large Organisations Guidance:

These are business specific suggestions that may be suitable for many medium and larger organisations, with multiple departments and bigger staff sizes.

Department Reviews – If you have several departments (HR, Admin, Sales etc), it can be useful to complete many of the actions on this plan at a departmental level and then bring the data together at the end. Doing an Information Audit or recording Processing Activities for each business area will be a lot easier and more structured than a single person covering the whole company.

HR – if you have many employees, you will likely have an HR function. It is important that you review all employee-related documents and templates (i.e. employee handbooks, grievance procedures, appraisals, sick leave etc.) and ensure that they are GDPR compliant. Many businesses spend so much time getting data protection right for their users and customers but forget that the GDPR applies to your employees as well. You may need specific procedures and forms for them to make rights requests.

Awareness – being big can be a compliance issue in itself! You need to assess your existing reporting lines, dissemination processes and communication functions. The senior management and supervisors may seem well versed in the GDPR and what their responsibilities are, but can you evidence that this information is reaching all levels in the business? For larger offices, use wall-posted Privacy Notices, download our GDPR Infographs and have them printed at A3 as reminders, set up a GDPR intranet; there are many actions you can take to make GDPR a focal point for all employees.

Suppliers – review your list of suppliers and recheck your due diligence measures. It is not just those third parties you use for processing activities that need to be reviewed, but any organisation with whom you have a business relationship. If you have cleaners or contractors who carry out work for you, have you addressed their GDPR awareness and revised any confidentiality clauses?

Visitors – larger organisations often have visitors at their offices. Procedures for visitors should be documented in your Information Security policies, but you also need to review your sign-in book, ID badge process, restricted access, rules on visitors bringing their own devices, bag searches and confidentiality agreements.

Website – reviewing and updating website content is part of your GDPR obligations, and some areas are already covered in this plan and the Regulation (i.e. Privacy Notices, SAR Procedures). It is worth reviewing your website content, fields on contact forms, Cookie Policy, access to complaint and SAR procedures, etc.