Key Documents your Company Needs to Demonstrate GDPR Compliance

Under the UK General Data Protection Regulation (GDPR) there are hefty fines for non-compliance, of up to 4% of global annual turnover or £17.5 million, whichever is the higher. Data protection is therefore an essential area on which organisations must focus and work towards being able to demonstrate compliance with applicable laws.

Personal data is information that uniquely identifies an individual and could include a name, contact details, an IP address, or profile data. We have listed below the key documentation which we would expect a company to have in place when processing and collecting personal data.

Essential Documents
To demonstrate compliance from a HR perspective and safeguard personal data, we would recommend the following documents are implemented (this relates to employees and contractors):

1. Internal data protection policy: One of the most important documents, this sets out how your company deals with and treats personal data, the lawful basis for its collection and what it is used for. It shows an active step towards ensuring compliance with the GDPR to demonstrate that you have internal procedures in place to deal safely with personal data.
2. Employee privacy notice: This mandatory notice, to be sent to your UK employees and contractors, sets out what personal data you hold about them, how you process it and the legal basis you have for processing it. You should also consider implementing a separate privacy notice for candidates for use in recruitment.
3. Employment contract review: Data protection matters must be adequately covered in your employment contracts for UK employees.
4. Third party service contracts concerning employees: If the personal data of your employees is processed by third parties, for example pension providers, these contracts should be reviewed to ensure they reflect GDPR requirements.
5. Data Subject Access Right (DSAR) procedure: Data subjects (employees/customers etc) are entitled to make requests under the GDPR for access to the data you hold about them and there are strict timeframes/steps to comply with. You should have an internal procedure in place to deal with DSARs.
6. Retention and deletion policy: Personal data under the GDPR must only be retained for as long as it is reasonable to do so. You should record the length of time certain data is held and when/how it is erased.
7. Data breach management plan: This deals with the procedure for handling actual or suspected data breaches and ensure compliance with the prescribed timelines involved as well as reporting requirements.
8. CCTV policy: If you operate and use CCTV in your office, a CCTV policy is essential. This will set out how the CCTV is operated and for what purpose, who has access to the footage and how long the footage is retained for.
9. Record of Processing Activities (RoPA): A RoPA is mandatory for businesses with more than 250 employees and is recommended for any business processing personal data. The document records, among other things, the types of data processed, which data subjects this relates to, how the data is collected and whether it is shared with others.
10. Data Protection Impact Assessment (DPIA): It is recommended that you carry out a DPIA when processing large scale data or implementing new systems that are dealing with data. It provides a structured framework for you to identify and assess the associated risks of a specific project, for example, when introducing a new HR system.
11. Data sharing or processing agreement: To be between your entity and any other subsidiary with which you are sharing personal data. You will need to ensure you have technical and organisational safeguarding measures in place within each entity to protect any data being transferred or exchanged.
12. Standard Contractual Clauses (SCCs): This is a strict legal requirement when transferring personal data from the UK (or EEA) to a country outside of the UK or EEA, to safeguard personal data moving to countries where data laws may be less protective, such as the US. If there is an ‘adequacy decision’ in favour of that third country, then SCCs are not required (e.g., New Zealand and Switzerland). The SCCs will link to the data sharing or processing agreement.
13. Training materials: You must ensure any employees that handle personal data receive training on the topic. This should also be documented.

From a commercial perspective in relation to customer data, we recommend the following:

1. Website privacy policy: This is a consumer-facing policy that notifies website visitors about how you collect, use, store and share personal data. Providing data subjects with such information is mandatory under the GDPR.
2. Cookie policy: Unless cookies are strictly necessary, you must obtain consent to use them. The cookie policy provides data subjects with information on the cookies you use on your site and their rights in relation to them.
3. Website terms and conditions of acceptable use: These terms will deal with access to and use of your website under English law. The document itself does not cover data protection matters (though will link to your Privacy Policy, mentioned above) but it is always recommended for inclusion on any website to ensure your company’s rights (including intellectual property rights) are protected.
4. Third party contracts: as noted above, you may need to amend contracts to deal with GDPR when dealing with third parties.
5. Data processing agreement (DPA): you may require a DPA with third party service providers who are processing personal data on your behalf (or vice versa) to govern the responsibilities and obligations and ensure data protection. You may also need SCCs to link to these if the data is being transferred to a country outside of the UK and/or EEA.

Other Considerations
In addition to the above, you must check whether you are obligated under the GDPR to appoint a Data Protection Officer (DPO). You will need a DPO if you are an organisation that: (a) is a public authority; (b) carries out large scale systematic monitoring of individuals; or (c) carries out large scale processing of special categories of data or data relating to criminal convictions. Even if this is not mandatory, someone within your organisation should be appointed to oversee the handling of data protection matters and to act as a point of contact for any data protection-related queries or complaints.

Finally, you may need to register with the Information Commissioner’s Office (the UK regulator) as a processor of personal data. A fee is payable dependent on your company’s size.

What about the EU?
Although the above focuses on the UK, the same applies for companies handling the data of EU data subjects and the same documentation should be implemented to show an active step has been taken to comply with the EU General Data Protection Regulation.

If you require assistance in implementing the above documentation or have a question about data protection generally, please get in touch.

Madeleine Rhodes email: mrhodes@redfernlegal.com