As we mentioned in the last article, documentation is core to your compliance with GDPR.
What you need to document depends on whether you have 250 or more employees:
- If you have 250 or more employees, you must document all your processing activities.
- There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that:
  - are not occasional; or
  - could result in a risk to the rights and freedoms of individuals; or
  - involve the processing of special categories of data or criminal conviction and offence data.
So, all sizes of business will have an obligation to document some of their data processing activities – it is likely that you have activities that you carry out on a regular basis (i.e. not occasional).
The ICO has published some good guidance on documentation, which can be found here.
Privacy policies and notices
- Privacy policies cannot be generic – they must be specific to the organisation and how it collects, stores and processes personal data.
- Privacy notices must be:
  - concise, transparent, intelligible and easily accessible;
  - written in clear and plain language, particularly if addressed to a child; and
  - free of charge.
Your privacy notice must contain the following information:
- The lawful basis for the processing – one or more of the bases laid out in Article 6(1) of the GDPR.
- If applicable, the legitimate interests for the processing – these are the interests pursued by your organisation or a third party if you are relying on the lawful basis for processing under Article 6(1)(f) of the GDPR. You could also include a link to the record of your assessment of whether legitimate interests apply to the particular processing purpose.
- The rights available to individuals regarding the processing – e.g. access, rectification, erasure, restriction, data portability, and objection. The rights vary depending on the lawful basis for processing. Your documentation can reflect these differences.
- If applicable, the existence of automated decision-making, including profiling. In certain circumstances you will need to tell people about the logic involved and the envisaged consequences.
- If applicable, the source of the personal data. This is relevant when you didn’t obtain personal data directly from an individual.
There are a number of resources for privacy policies – SEQ Legal has a number of templates which can be tailored and which have guidance notes to help you complete them.
You are required to maintain comprehensive documentation of your processing activities – this is outlined in Article 30 of the GDPR and on the ICO website.