Data Audit

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in UK law on 25th May 2018. The GDPR/DPA 2018 are far more structured than the previous legislation and require more documentation to demonstrate compliance. All the concepts from the previous legislation have been carried forward into the new laws, but they have been strengthened to make it easier for the individual to keep control of their data in a more modern and technological environment. Everything was carried forward after Brexit, so we now have UK Data Protection legislation, including the UK GDPR.

PERSONAL DATA: defined in the legislation as any information relating to a natural person. “Special category data” is the subset of personal data that relates to subject matter such as “physical/mental health or condition” or “political opinion”. Special category data does NOT include financial information.

“PRIVACY BY DESIGN”: This concept means looking at the organisation internally as a “standalone” entity and at how its data are processed, then making all policies, privacy notices etc. unique to the business while still containing the elements required by the ICO. Under the previous system this was “best practice”; under the UK GDPR it becomes a legal requirement.

The business collects personal data/special categories of data about:

– clients
– clients’ family/friends
– suppliers
– peers

Data are held in manual and electronic formats, and security measures to protect the data are in place. Electronic data are held on a compliant cloud system and a local server. There is also a portable hard drive.

PRIVACY NOTICES: This is the new term for “Privacy Policy” or “data protection statement”. There should now be one “main” Privacy Notice drafted and published on the website as the business’s main communication with the “outside” world. The ICO’s guidance sets out the elements it expects to be included.

“Short” privacy notices should then appear on anything produced by the business which collects personal information, including emails.

Jill also has Facebook and Instagram accounts linked to the website as well. 

DATA RETENTION: This is an important feature of GDPR compliance. The business should – in theory – consider drawing up a Data Retention Schedule. This should identify the types of data, where in the business they reside and how long they are kept for; this depends on the reason for collection and processing and on how long the business needs to retain them. This document is held internally, but will help if a Subject Access Request is received. The reason I say “in theory” is that, as a sole trader, Jill knows where all the data are held and there are backups in place which can be accessed if necessary by another.

SUBJECT ACCESS REQUEST: The ICO has been conducting data audits for quite a while now. They look for a procedure being in place to handle any Subject Access Requests.

ACCOUNTABILITY: This is new documentation under the GDPR and is not intended to contribute to the “transparency” of the business’s compliance to the outside world. However, this document should be drafted and held within the business should the ICO ever request it. There is guidance from the ICO on the concepts they expect to be included.