On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force. Despite the ongoing Brexit negotiations, due to end in March 2019, the Information Commissioner’s Office (ICO) has implied that the UK will enact GDPR.
Companies outside the EU
If your company actively trades within the EU and stores, processes or shares EU citizens’ personal data, then GDPR applies to you.
Compliance and documentation
One of the primary rules is that, under GDPR, processing activities MUST be documented.
To comply, you MUST write and maintain a set of Policy, Process and Plan (PPP) documentation. This ensures you have evidence to support your claims should the ICO investigate.
Note that the Information Commissioner’s Office (ICO) could demand to see the written documents.
What do you need to consider?
As a technical writer with experience writing compliance documentation, what can I tell you?
There is a lot of advice available on the web regarding GDPR. However, there is one point many may have overlooked: the project could be a lengthy and costly exercise. The review process is continuous, because the PPPs will need updating in the years to come.
During a recent conversation with an employment agent, he made a point which many businesses are overlooking: the projected costs of complying with GDPR. Drafting in project managers, (costly) consultants and business analysts to manage the process will be expensive. The budget needs to be set accordingly.
How to get started
My blogs are clear: writing one document, when there is a substantial list to be completed from scratch to sign-off, is a lengthy process. Even if your department has documents that can be reused, it will still take a long time. Compliance projects are manually intensive, and documenting GDPR will need dedicated resources.
My experience could be necessary to help you write and manage those documents. The sooner you contact me, the sooner we can start on the road to compliance.
- Create a standard template containing: Statement, In Scope, Version Control, Change History, Distribution Lists, Roles and Responsibilities.
- All PPPs must adhere to GDPR. Include in the document ‘The purpose of the document’ and ‘The Scope’, add a list of the GDPR requirements relevant to the PPP you are writing, and explain WHY the company is complying along with HOW the company will comply.
- The documentation must be relevant to your business. Generic documentation outlining a PPP will NOT suffice.
- Complete the documentation. Do not start a document, leave it incomplete and then sign it off; an incomplete document could fail a compliance audit.
- Maintain the detail. Do not half-explain a process or policy.
- Structure the documentation to avoid duplicating information across several documents.
- Note that the documentation may need to be ISO 27001 compliant.
GDPR or bust? Time is running out, and if you have not made up your mind how to proceed, then you need to do so quickly.
Some useful snippets, such as exceptions
If you have:
- more than 250 employees, you must document all Processes;
- fewer than 250 employees, you only need to document Processes where:
  - the processing could result in a risk to the rights and freedoms of data subjects, or
  - the processing is not occasional, or
  - the processing includes special categories of data as defined in GDPR Article 9.
The Main GDPR Articles
- Statements of the information you collect and process, and the purpose of the processing (Article 13 of the GDPR).
- Records of consent from data subjects or the relevant holder of parental responsibility (Articles 7 and 8 of the GDPR).
- Records of processing activities under your responsibility (Article 30 of the GDPR).
- Documented processes for protecting personal data, such as an information security policy, a cryptography policy and procedures, etc.
Finally, I leave you with the following:
- Breaches in data security must be reported immediately to data protection authorities, such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible, and at the latest within 72 hours.
- Failure to comply with the regulation will lead to penalties. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice, but under GDPR penalties could be more than €20 million or 4 percent of annual turnover (whichever is higher).