RMPs and GDPR ‘Accountability and Governance’ evidence
“ To what extent can an agreed RMP act as evidence of compliance with GDPR obligations around accountability and governance?”
Article 5(2) – Accountability Principle
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Article 5(1) – GDPR Principles
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner – ‘lawfulness, fairness and transparency’
(b) collected for specified, explicit and legitimate purposes; not further processed in a manner incompatible with those purposes – ‘purpose limitation’
(c) adequate, relevant and limited to what is necessary – ‘data minimisation’
(d) accurate and, where necessary, kept up to date; every reasonable step taken to ensure this – ‘accuracy’
(e) kept for no longer than necessary; may be stored for longer periods for archiving, research and statistical purposes – ‘storage limitation’
(f) processed with appropriate security; protected against unauthorised or unlawful processing, and accidental loss, destruction or damage – ‘integrity and confidentiality’
ICO guidance on measures you can take
• adopting and implementing data protection policies (where proportionate);
• taking a ‘data protection by design and default’ approach – putting appropriate data protection measures in place throughout the entire lifecycle of our processing operations;
• putting written contracts in place with organisations that process personal data on our behalf;
• maintaining documentation of our processing activities;
• implementing appropriate security measures;
• recording and, where necessary, reporting personal data breaches;
• carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
• appointing a data protection officer (where necessary);
• adhering to relevant codes of conduct and signing up to certification schemes (where possible).
Article 30 – Records of Processing Activities
• the name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer);
• the purposes of your processing;
• a description of the categories of individuals and categories of personal data;
• the categories of recipients of personal data;
• details of your transfers to third countries, including documenting the transfer mechanism safeguards in place;
• retention schedules;
• a description of your technical and organisational security measures.
Article 30(5) – Exemption
Organisations with fewer than 250 employees are exempt, but not if their processing:
• is likely to result in a risk to the rights and freedoms of data subjects;
• is not occasional;
• includes special categories of data or personal data relating to criminal convictions and offences.
Article 29 Working Party – not a heavy burden; the ICO has produced templates.
ICO – other documentation
• information required for privacy notices, such as:
– the lawful basis for the processing
– the legitimate interests for the processing
– individuals’ rights
– the existence of automated decision-making, including profiling
– the source of the personal data;
• records of consent;
• controller-processor contracts;
• the location of personal data;
• Data Protection Impact Assessment reports;
• records of personal data breaches;
• information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018, covering:
– the condition for processing in the Data Protection Act;
– the lawful basis for the processing in the GDPR; and
– your retention and erasure policy document.
Keeper’s Model Plan: Element 9
Evidence currently required:
• Privacy notice
• Data protection policy or evidence of adequate processes in place
• Guide to submitting SARs
• Registration with the ICO
The Keeper would not expect a detailed list of records that might be affected by data protection legislation.
Is a specific element on data protection required?
Evidence of compliance will also appear under:
• Element 5: Retention schedule
• Element 6: Destruction arrangements
• Element 8: Information security
• Element 11: Audit trail
• Element 14: Shared information
What additional evidence can the Keeper reasonably expect authorities to provide?
Possible evidence
• Data protection policy
• Privacy notice
• Registration with the ICO
• Guidance on making a SAR and exercising other rights
• Appointment of a Data Protection Officer
• Information Asset Register
• Other records of processing activities
• Retention and Disposal Schedule
• Data sharing agreements
• Contracts and data processing agreements
• Data Protection Impact Assessments
• Security measures
• Recording of data breaches
What are your views?