The General Data Protection Regulation comes into effect on the 25th of May 2018 and represents significant changes to your responsibilities around the collection, handling and sharing of personal data. In order to comply with this new regulation, companies are required to develop a GDPR statement that reflects their processes and procedures regarding personal information.
Alongside the fact that you are required to have one, clients and customers may well ask to see a GDPR statement from their suppliers. It is therefore essential that you spend some time within your broader GDPR preparation focussing on getting this right – it doesn’t have to be long, your statement will generally fit on an A4 page.
But what do I need to include in my privacy statement?
Although it’s easy to get bogged down in the detail of the GDPR, it’s relatively simple to include everything that you need within your updated privacy statement. Below is a list of all elements that you will be required to outline within this new document:
1. Describing your business activity
A small amount of information should be added to your statement that describes your business activity.
2. What data you collect from people and why
Hopefully by this point you’ve conducted a data audit of your organisation and have a good understanding of where you’re collecting data, from whom you are collecting it and why. This needs to be detailed within you policy. For example you may be collecting emails and names when individuals sign up to your newsletter or receiving preliminary business information (e.g. addresses, names and telephone numbers) when contacted by potential clients for the first time.
3. How you process your data and where it is held
It is now your responsibility to notify your customers, clients and partners how you process their data and where you hold it. You should detail where in the world you store data (e.g. Is it in the cloud or stored in a data centre in the UK?) and what steps you have taken to secure it.
4. Who you share your data with – third party data processors
You probably rely on external organisations to handle your data – for instance you may use Google Analytics to understand how your website is being used and a service like Mailchimp to take care of your newsletter subscriber list. As a data controller, it is your responsibility to check whether these organisations are compliant with the GDPR and move to a new provider if they are not. Once you have done this you need to detail who these third party data processors are and what data you share with them. If you don’t share data then say so.
5. How long you hold data
Under the GDPR you are no longer able to hold data for vast amounts of time unless you can demonstrate the need to do this. For this reason you need to outline how long you will hold specific types of data. For instance you may hold on to enquiry information for 30 days before securely disposing of it.
6. Who your data officer is (and details)
Another requirement of the GDPR is to nominate a Data Officer. You should include this person’s name, email and contact details within your new policy document so that individual’s that have queries about your policy have a named person to contact.
7. Include any certifications you currently hold
It is best practice to include any certifications you hold with regards to data protection or cyber security. These may include things like IS0 27001 and Cyber Essentials.
8. User rights and how to exercise them
You are now required to inform users of their data privacy rights and how they are able to exercise them. These rights include: The right to be informed, The right to rectification, The right to erasure, The right to restrict processing, The right to data portability, The right to object and The right to access. It is important to include the process that an individual would have to follow to exercise any of these rights – usually writing to a specific address and a named contact is appropriate.
If you have any queries about how you need to adapt your processes around data handling to achieve GDPR compliancy, ManSys will be happy to help. Get in touch!
Disclaimer: This article was prepared by Mansys UK as non-authoritative guidance. Neither Mansys UK or the author accepts any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.
11th November 2019
3rd November 2019
29th October 2019