GDPR – Getting it right

  • Home
  • GDPR – Getting it right
  • 01
    Nov 17

GDPR – Getting it right

Tags : 

GDPR Accountability QuoteThe General Data Protection Regulation (GDPR) includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis their significance.

You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the Information Commissioner’s Office (ICO) has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.

Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.

What is the accountability principle?

The new accountability principle in requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

You must:

  • Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
  • Maintain relevant documentation on processing activities.
  • Where appropriate, appoint a data protection officer.
  • Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
    • Data minimisation;
    • Pseudonymisation;
    • Transparency;
    • Allowing individuals to monitor processing; and
    • Creating and improving security features on an ongoing basis.
  • Use data protection impact assessments where appropriate.

Record processing activities

As well as your obligation to provide comprehensive, clear and transparent privacy policies, if your organisation has more than 250 employees, you must maintain additional internal records of your processing activities.

If your organisation has less than 250 employees you are required to maintain records of activities related to higher risk processing, such as:

  • processing personal data that could result in a risk to the rights and freedoms of individual; or
  • processing of special categories of data or criminal convictions and offences.

You must record the following information.

  • Name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer).
  • Purposes of the processing.
  • Description of the categories of individuals and categories of personal data.
  • Categories of recipients of personal data.
  • Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.
  • Retention schedules.
  • Description of technical and organisational security measures.

You may be required to make these records available to the ICO for the purposes of an investigation.

Data protection by design and by default

Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.

Data protection impact assessments

Data protection impact assessments (DPIAs) (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.

You must carry out a DPIA when:

  • using new technologies; and
  • the processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

  • systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals.
  • large scale processing of special categories of data or personal data relation to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms.
  • large scale, systematic monitoring of public areas (CCTV).

A DPIA should contain:

A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.

  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security and to demonstrate that you comply.

A DPIA can address more than one project.

Do you need a Data Protection Officer?

Under the GDPR, you must appoint a data protection officer (DPO) if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.

Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

The DPO’s minimum tasks are:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

You must ensure that:

  • The DPO reports to the highest management level of your organisation – ie board level.
  • The DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.

An existing employee may act as the DPO as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. You can also contract out the role of DPO.

The GDPR does not specify the precise credentials a data protection officer is expected to have but it does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.

News Archive

More Information (PDF)

Smarter Technologies Ltd, Unit 1 Broadfield Industrial Estate, Seymour Street, Heywood, OL10 3AJ | Company No.: 07172781 | VAT No.: 794 7491 68

 Request a Quote

What our clients say:
Bill LeesBill LeesThe Housing Link (2003)
Smarter Technologies make so many complicated things sound clear and understandable in a way that I completely understand.
Andrew BeeputAndrew BeeputThe Bond Board
Smarter Technologies really understand the pressure charities are under and consider this when making recommendations. They saved us so much money – I can’t put a price on their help. It was invaluable.
Richard BoydRichard BoydRed Flame Marketing
I found the IT support for my small business to be excellent. Everything is clearly explained in non-technical language; prompt service and very affordable. Will be recommending Smarter Technologies to other businesses. (In fact, I already have!).
Dave BagleyDave BagleyUrban Outreach (Bolton)
Thanks again for the swift response from Smarter Technologies to our IT needs recently. All is working perfectly.
Nikki PriceNikki PriceInstil Bio (UK) Limited
Thank you very much for your help on a Saturday! I can’t tell you how very grateful we are to you for helping us out with this last minute request and doing it so promptly.
Graham EvansGraham EvansThe Housing Link (2003)
We have a tight budget and Smarter Technologies has enabled us to ‘work smarter’ and provide fast assistance to those who need it. It has played an integral role in the success of this charity.
Maura JacksonMaura JacksonBackup North West
Smarter Technologies have looked after our IT for well over 10 years. They are fabulous, knowledgeable, hard working, thorough, reliable, good value for money and proactive.
Lynne SprigingsLynne SprigingsBolton Young Persons Housing Scheme
As a small charity it’s really important for us to have reliable and responsive IT support, which Smarter Technologies supplies.
Tracey PeaceTracey PeaceRamsbottom Kitchen Company
The Smarter Technologies team are like extended members of our staff and always go the extra mile. The team come in early and stay until they finish – they even lock up for us.
Jim GowmanJim GowmanYMCA Black Country Group
I want to pass on the thanks received today from across all parts of the YMCABC teams about how robust the IT systems have been. We have had to get to grips with remote working and with this pandemic it has come into its own.
Sharon HamerSharon HamerThe Housing Link (2003)
Thank you for all your advice, help and support. I would not hesitate to recommend Smarter Technologies.
David Lackner-SmithDavid Lackner-SmithThe Sanctuary Trust
It’s great being able to rely on such prompt service from Smarter Technologies, it really gives us peace of mind knowing that our IT support is provided by a team that will go the extra mile.
Andrew JennerAndrew JennerRCD Leaflets
Please pass my thanks on to the team as the whole process from quote to install was unbelievably thorough, efficient and smooth.
Jane HaywardJane HaywardYMCA Black Country Group
The service I have received has been excellent, from the initial meeting where the process was explained to managers, right down to coming out to go through SharePoint with me.
Jim GowmanJim GowmanYMCA Black Country Group
Just to say to the Smarter Technologies team, thanks for a very smooth transition into the 21st Century of IT with our upgraded equipment. All aspects of the installation have received positive feedback from day one.
prevnext

© 2011-2024 Smarter Technologies Ltd  |  Privacy Statement

%d bloggers like this: