Get Free Downloads
Start your GDPR today in just a few clicks

Using templates! GDPR Help!

Tagged with gdpr, ico, data, free, freeadvice, gdprtemplate, easygdpr, gdprfree
by Adam Brogden
in Blog

26-Mar-2018 10:08

Starting your GDPR project can be quite daunting. You will probably spend hours reading and re-reading the ICO website and then possibly start trawling through the text of the Regulation itself. Is there an easier way?

Let me be upfront: we sell document packs and consultancy time! However, other document packs are available, and you could just use freely available material and do it all yourself. This blog attempts to set out a step by step list that will help regardless of which pack you buy, or if you just DIY. There is no defined way, no single ‘correct way to do this’, but this sequence might just help.

Before you start you should get a big board and write:
What do we do?
What data do we collect?
Why do we collect it?
What is our legal basis?
Who needs access to it?
Where do we keep it?
Who do we share it with?
How long do we store it?

Our approach is a practical one, focusing on the most important aspects of GDPR. It assumes you don’t need a DPO and that you don’t transfer data outside Europe. If you handle sensitive data (what GDPR calls special category data) you have other considerations, and these are not covered in enough detail here. The aim is to complete the simple processes as quickly as possible. You might argue that it is all important and requires careful consideration, and I wouldn’t disagree, but some aspects are pretty generic and can be completed quickly. If you have time later you can come back to these.

So, here we go! Here is a step by step guide that works for us.

Include the boss:
Hold a meeting with key stakeholders to ensure everyone understands that GDPR is important and is bought into this process. This matters even if “everyone” is you and your partner discussing it over coffee. The organisation needs to understand that this is important and be willing to put in the time and effort required.

Produce a strategy document:
This can be short and high level, as long as it expresses your commitment to the GDPR process. Don’t dwell on it: a high level statement of your commitment and plan is all you need. It is, however, an important document and needs to be completed at the start of the process. You never know when you might be asked for it.

Old documents:
Dig out any documentation that might help: you may already have a Data Protection document, Organisation Chart, IT/Systems infrastructure diagram, Supplier list and so on. Print these and have them handy for the later stages.

What do you actually do?
Now for the fun part. This approach might look like we are starting in the middle of the GDPR process, but it works for us. One of the key GDPR principles is accountability: you have to know what data you hold and why. The easiest way to get there is to start by defining what you do as an organisation. Take out the organisation chart you found earlier and use it as the basis of your investigation. For example, you might have functions such as:

a. HR
b. Finance
c. Marketing
d. Operations
e. Procurement
f. IT / Web / Social
g. Customer Service

You then take this list and break each unit down into what it actually does. Marketing, for example, might break down into:

a. Email
b. Contact us
c. Newsletter sign-up
d. Social media
e. Text Marketing
f. Outbound calling

You are going to use this list to look at your data in more detail, review your relationship with suppliers and partners and also look at your IT so take time with this stage.

Data, data, data:
For each of these functions you then define what personal data is involved. This is where your key questions come in, so look at your big board. Look out for sensitive (special category) data, financial data, and sneaky unstructured data: spreadsheet exports, old mailbox folders, shared drives and downloads that nobody remembers creating.

By the time you’ve done this you will have [gone mad] completed your data discovery and process definition phases. The ICO’s templates are ideal for recording the results, and you don’t need to buy a pack to get hold of them.
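The unstructured data is the part people underestimate, because it never appears on an organisation chart. As an added example (this is not from the original post, and not an ICO template), the following Python script walks a folder tree and counts common UK personal-data indicators in plain-text files: email addresses, UK mobile numbers, National Insurance numbers, and card numbers that pass a Luhn check. The patterns are deliberately loose, the file names, the directory layout and the sample contents are all constructed for the example, and the example numbers use the HMRC/Ofcom reserved formats rather than anyone’s real data.

```python
"""Added example: a small personal-data discovery scan over unstructured files."""
import os
import re
import tempfile
from collections import Counter

# Loose patterns (an assumption for this example; tune them for your own data).
# They over-match on purpose: a false positive costs a minute to dismiss, a
# missed spreadsheet full of NI numbers costs a breach notification.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
    "ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# Only plain-text formats are read here; xlsx/docx/pdf need a text extractor.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".log", ".json", ".html", ".eml"}


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) used to discard card-number false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count personal-data indicators in one document's text, by kind."""
    hits = Counter()
    for kind, rx in PATTERNS.items():
        for match in rx.finditer(text):
            if kind == "card_candidate":
                digits = re.sub(r"\D", "", match.group(0))
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue    # a run of digits that is not a valid PAN
                hits["card_number"] += 1
            else:
                hits[kind] += 1
    return hits


def scan_tree(root: str) -> list:
    """Walk a directory and return sorted (relative path, kind, count) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_SUFFIXES:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for kind, count in hits.items():
                findings.append((rel, kind, count))
    findings.sort()
    return findings


# Constructed sample files, not real people: QQ123456C is the HMRC example NI
# format, 07700 900xxx is the Ofcom drama range, 4111 1111 1111 1111 is a
# well-known Luhn-valid test PAN (and ...1112 is the same number made invalid).
SAMPLE_FILES = {
    "hr/leavers.csv": "name,ni,mobile\nA. Example,QQ123456C,07700 900123\n",
    "finance/refund.txt": "Refund to card 4111 1111 1111 1111 for jo@example.com\n",
    "it/server.log": "2018-03-26 10:08 GET /status 200\n",
    "marketing/old-export.txt": "bob@example.org\nalice@example.org\n4111 1111 1111 1112\n",
}


def build_sample_tree(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, kind, count in demo():
        print(f"{rel}: {count} x {kind}")
```

Run it against a real share or a user’s home directory (after you have the authority to do so) and the output becomes a starting list of locations to add to your data inventory, or to delete. The Luhn filter is the important design choice: without it, every invoice number and timestamp run shows up as a “card number” and the report gets ignored.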

Suppliers and Partners:
At this point a good next step is to look at your suppliers and partners. Make a list! The key here is to identify suppliers, partners, anyone that you send personal data to, regardless of how you send it (API, file transfer, email attachment, a shared login). Think carefully about this; you might be surprised.

You’ll need to send the appropriate Supplier Due Diligence / Supplier Processing Agreement / Processor Compliance Questionnaire forms to these and look at your contracts. Consider whether each one is a Data Processor for you and whether you need to seek legal advice on your contracts. GDPR (Article 28) requires you to use only processors that give sufficient guarantees and to have a written contract in place between controller and processor. These are mandatory requirements. Don’t ignore them.

Same process for your customers: watch out for anyone that sends you data. Are you a Data Processor for them? Due diligence might be required for your customers too, and they should be asking you for appropriate reassurances.

IT / Systems/Applications:
Last but not least, your IT. This is usually a big area, so take your time. Make sure you document your systems, servers, desktops, storage, interfaces, 3rd party software, report generators, SaaS, email products, cloud based applications, telephony, and anything else you can think of. This is vital! Key things to watch out for include external drives, pen drives, use of personal devices, and personal email addresses. Also any telephone systems, CCTV and so on.

How you document this depends on your company, but one approach is to start with the devices and applications people actually use and work down the stack:
a. Desktops and devices used
b. Applications [your main company systems]
c. Access control mechanisms
d. Desktop products used
e. Email services used
f. 3rd party applications
g. Interfaces
h. Cloud based apps – yours and 3rd party
i. Any SaaS
j. Security software used
k. Servers
l. Server security, firewalls, encryption, backups
m. Internet connectivity
n. Storage / external drives

Now for a few big ones:
You could complete a Data Protection Risk analysis at this point. It is very useful if you have complex IT or processes.

Document your lawful basis for processing decision (Article 6) for each purpose you identified earlier. This is vital!

Privacy notice and consent forms should now be possible, since you know what your company does and where you collect data.

Data Protection Impact Assessment (DPIA): a structured way to complete a risk analysis of your IT and processes, and mandatory under GDPR (Article 35) where processing is likely to result in a high risk to individuals.

Policies and procedures:

OK, so now you are in good shape. You’ve analysed your organisation, processes, data, IT, suppliers and customers. You are on the home stretch, and the next few documents will be much easier.
a. Bring your own Device policy
b. Remote access policy
c. Clear Desk policy
d. Information Security Policy
e. Data Retention and Erasure Policy
f. Data Classification Policy

Now for a few easy ones. These are pretty standard templates and simple processes. Review them and make sure your organisation knows how to work with these processes.
a. Subject Access Request form
b. Data Breach Management
c. Complaint Handling Policy and forms
d. Staff Training policy and records

Legal advice:
Make sure you seek legal advice for any contracts, and seek technical advice where you need to secure your systems. This is a key part and worth the money.

Are we there yet?
Now, take a breath. GDPR is not just about completing these documents; it’s about understanding what data you collect, how you store and process it, when you delete it, and about respecting the rights of the data subjects in everything you do. Review these documents as a set and make sure you haven’t missed anything. Invest the time and effort now.

You are all done! Well... for now. GDPR should be part of your organisation for evermore; it is now part of how you operate. Make sure you establish an ongoing risk analysis and review process so your standards don’t slip.

SARs, Complaint Handling and Breach Management are mandatory processes, and they run on a clock: a Subject Access Request must normally be answered within one month, and a notifiable personal data breach must be reported to the ICO within 72 hours of you becoming aware of it. You need to make sure you have people and processes in place to handle these before the first one arrives.

Good luck all!