A good place to start is to look at what data you hold, why you hold it and what you do with it.
- What data you collect/hold
- How you collect the data
- Why you collect/process it
- What you do with it
- Who you share it with
- How long you will keep it for
- The lawful basis for you processing this data (check out the X legal bases for processing)
- How your data subjects can exercise their rights (such as updating or erasing their data or withdrawing their consent – this should be as easy as giving their consent)
- Your legitimate interests for collecting or processing the data (if applicable)
- The data controller’s contact details and the contact details of the Data Protection Officer
- If you transfer data to third countries – how this is safeguarded
- If you use automated decision-making you need to be transparent about this and how decisions are made
- How a data subject can lodge a complaint with the supervisory body
You need to consider how to give this information to your data subjects: Under the GDPR, privacy information can be given orally, in writing or electronically. Probably the easiest way is to publish this on your website. However, you must ensure that you point people to this at the time you collect their data.
What does the ICO advise?
According to the Information Commissioner’s Office (ICO) the information you provide to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child;
- free of charge.
At Trident Assurance Services (TAS) we are currently advising many organisations across the UK regarding GDPR. Please send us an email on firstname.lastname@example.org or call 0118 324 9444. We would be delighted to hear from you and provide qualified advice.
Written by Alison Haynes, Assurance and Compliance Adviser, Trident Assurance Services and qualified GDPR practitioner.
We are running GDPR briefings for businesses to give you the fundamentals and practicalities of data protection and GDPR. Contact us to book a briefing.