The GDPR requires you to document the types of personal information you hold and what you do with it. This article outlines the responsibilities and describes an Excel template we have developed to hold the information.
The General Data Protection Regulations (GDPR) and the associated Data Protection Bill are about respecting individuals’ fundamental rights and freedoms, in particular their right to the protection of personal data. The obligations regarding the protection and processing of personal data apply to all organisations that hold personal data – commercial and non-profits – big and small.
Naturally it’s difficult to protect an individual’s data if you are unsure of what data you hold, how you hold it, where it came from, how you keep it updated and who you share it with.
The Information Commissioner recommends organisations conduct an information audit to find out and document the personal data you have and, article 30 of the regulations requires you to maintain a record of processing activities under your responsibility. This article describes the type of information you (as a data controller) might be holding and the range of processing activities you need to document. We conclude with an overview of the Excel workbook we have developed to help you marshal the required information.
Documenting the personal data you hold
The regulations require the following information to be documented:
- the name and contact details of the controller, i.e. the name of your organisation, the name of a third party you may be working with that jointly controls personal data and the person responsible for data protection in your organisation.
- the purposes of the processing, such as payroll, staff management, recruitment, direct marketing, sales etc;
- a description of the categories of individuals and of the categories of personal data. The various categories of individual whose personal data you hold could include staff, volunteers, prospective candidates, prospects, customers and business partners. Categories of personal data for staff could include contacts, pay, tax, bank account, pension, holiday, and contract details and for customers could include contact and contract details, purchase history and lifestyle.
- the categories of organisation with whom the personal data have been or will be shared including those in third countries or international organisations. Recipients could be HMRC, employment referees, or processors such as accountants or marketing companies.
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, the documentation of suitable safeguards;
- where possible, the duration you expect to keep the data for prior to deletion for the each category of data you hold. Examples include retaining information for HMRC and pension records for 6 years post-employment or customer information until end of the relationship;
- where possible, a general description of the technical and organisational security measures. This could include things such as encryption and / or access controls.
In addition, the ICO suggests that you include other required information in this database as below. However, we suggest you add this as you proceed through your GDPR preparation tasks.
- The basis you have chosen for lawful processing against each category of data;
- The lawful basis for processing any special categories of data;
- Whether a Legitimate Interest Assessment is required and has been conducted;
- How individuals’ rights apply to each processing category;
- Whether Data Privacy Impact Assessments are required and or / completed;
- The location of where data is stored.
A good way to assemble all this information is to bring it together in a spreadsheet. You will then have a database that clearly records your activities under the GDPR as a means of delivering on your regulatory responsibilities.
How we can help
We have developed an Excel template for the database complete with guidance and examples on how to fill in the information and links to relevant sections of the regulations. We do know this can appear an awesome task, so we would be delighted to offer a helping hand as you go through the process.