GDPR - Diary of a Data Champion: Chapter 2
Chapter 2 – GDPR: where do you start?
The first thing I did was to attend a briefing arranged by my local branch of the Federation of Small Business (FSB). This was excellent: the FSB provided a speaker from their own legal advisors and the room was packed. It was a lot to take in; however, the FSB provided a lot of guides, documents and templates on the members’ area of their website, which I’ve found to be invaluable. I also obtained guidance notes from appropriate professional bodies I’m a member of, such as the International Coach Federation (ICF), which again were very useful.
The first task was to do a data mapping exercise. This is simply to understand how personal data enters the organisation, how it is processed, and where it is stored. I did this exercise with our Webmaster. As our coaching community handles some health data, which falls under the definition of ‘sensitive personal data’, I decided that we would carry out a ‘Data Protection Impact Assessment’, also known as a ‘Privacy Impact Assessment’. This builds on the data mapping to look at vulnerabilities and risks. It also prompts you to look at ways to reduce risk through improved protective security measures and improved procedures. This was a useful exercise as it highlighted the key IT and information security measures required. It also flagged up who needed to do what follow-on work – most of which fell to me, to develop the policy and procedures.
Our response to GDPR began to take shape in my mind. I saw that we needed some detailed written procedures that would be easy to follow. We also needed a policy document. It soon became clear to me that our ‘Data Privacy Notice’, our public statement of our commitment to privacy, would be our GDPR policy.
I began work on the procedures first. I copied and pasted numerous sections from the ICF guidance and the FSB guidance (which was legally privileged and for internal, non-profit use only) into ‘bite sized’ sections and created a working GDPR Register. This provided prompts to the user in the form of tables to be completed in the event of occurrences such as a data request or a data breach. It also provided a forward planner by setting dates for future reviews. This was a detailed piece of work I did over several sessions. I left the most difficult section till the end: the record of our data processing activities. This was where we would need to be clear on the legal basis for processing personal data, how we were applying the principles of GDPR and how we were respecting the rights granted to individuals under GDPR. Another aspect of GDPR is the requirement not only to be compliant but also to be able to demonstrate compliance – the ‘Accountability Principle’ – hence the importance of this audit trail of everything from policies and procedures to staff training.
In chapter 3, I’ll probably look at the legal basis for processing personal data. I say ‘probably’ because I haven’t got there yet and maybe some other aspect of GDPR will take priority!