The GDPR EU regulation requires you to maintain records of all your personal data processing activities. In order to do this you need to identify what types of personal data you hold, where it came from, who you share it with, the reason you need it, how you maintain accuracy and how you keep the information secure. Here are the records you need in order to show you comply with GDPR.
Types of Personal Data
Record the types of personal data you hold. What kinds of individuals do you hold data about? For instance, are they adults or children? What categories of data do you hold – health data? Profession? Home insurance company used? Under GDPR EU regulation there are rules for specific kinds of data. If you hold sensitive personal data you may need to employ a data protection officer (DPO), and you might need to complete a privacy impact assessment (PIA). A PIA is a tool to identify and reduce the risk to privacy which includes misuse of personal information.
Sensitive personal data includes a person’s:
- racial or ethnic origin
- political opinions
- religion
- membership of a trade union
- health
- sex life
- criminal activity
Personal Data Sources
Where did you obtain your personal data? Record whether the information came from the data subject or another source.
Personal Data Sharing
Under GDPR EU regulation it’s mandatory to record who you share personal data with and your reasons for doing so. Remember, you cannot share personal data with a third party without the explicit consent of the data subject. If you share personal data with other countries you must document which ones are outside the EEA. Personal data can only be shared with non-EEA countries if they have a suitable data protection law.
You should have a policy in place which evidences what you do when you receive a request for personal information from the data subject and from a third party. Don’t share everything you hold about people, but only the aspects necessary to achieve the objective. Document and employ a ‘need to know’ principle so that only employees in your organisation and other organisations who need the personal information to do their job have access to it. When you share data you must document what safeguards are in place to protect the data in-transit. Under GDPR EU regulation, data subjects have the right to see their records and to have their records erased – this should be incorporated into your policy.
Reasons for Holding Data
You need to be able to justify why you hold and process personal data; therefore erase any data that you don’t need. You must detail how you use the data and for what purpose. If you use personal data for automated profiling then you must complete a privacy impact assessment (PIA) if the processing will result in legal effects or other have another significant impact on the individual. You should have documented evidence that you’ve informed the data subject how their information will be used so that they can make an informed decision. Personal data can only be held and used for reasons given to the organisation and mustn’t be kept longer than for the registered purpose. GDPR EU regulation requires organisations to be fully transparent about how they use data.
Accurate Information
When data subjects contact you with up-to-date personal information you must change it and stop sending information to the old details. Moreover, under GDPR EU regulation you have to be proactive in contacting individuals to make sure that the information you hold about them is correct – you need to be able to prove your efforts in your documentation. If you have shared information with another organisation then it’s mandatory to provide them with the update you’ve received.
Information Security Policy
Organisations must be able to show how they comply with GDPR EU regulation by having a data protection policy. Depending upon the size and nature of your organisation you might have a single ‘information security policy’, or individual policies that cover different aspects of personal data protection, such as a cryptography policy, a privacy impact assessment policy or a sensitive personal data policy. There must be documentation to show the technical security measures that you have in place. Technical security covers computer systems but also things like disposal of old computer hard drives and the physical security of the building e.g., CCTV and door locking systems.
Final point: organisations have the responsibility to maintain accurate records of all the personal data processing activities that take place. These records need to be in writing as well as in electronic form in order to meet GDPR EU regulation.
NDC has introduced a range of essential GDPR training courses to help you raise GDPR awareness within your organisation, implement an information security management system to achieve GDPR compliance and conduct internal audits to maintain compliance.
Get in touch to discuss your GDPR compliance needs.
NDC News 