GDPR North Wales – Are you missing the point?
UK data protection law started life in 1984 with the first Data Protection Act. In 1995 the EU adopted the Data Protection Directive (95/46/EC), and the Data Protection Act 1998, which implemented that Directive in the UK, followed three years later.
The problem with all of these Directives and Acts was that they are exactly that: a Directive is an instruction to member states to pass their own laws, so each country ended up with a slightly different version, while an Act is a law in the UK only.
Joe Public, along with business owners, found the law difficult to follow, biased towards the company and generally a mess when it came to dealing with new technology.
The Big Mistake
The GDPR is not just about websites, website forms, cookies and the data collected at the website. Many people seem to think that because they have the relevant warnings on their website they are compliant. They are not.
The GDPR is definitely about the complete process, that is EVERYTHING that may identify a data subject and is held within a business, on paper or electronically. It is about how the data is created, stored, processed and eventually deleted. Companies, organisations and charities all need to decide who takes on the roles responsible for managing that data.
The General Data Protection Regulation GDPR
The GDPR is a regulation created by the EU. Unlike a Directive it applies directly in every member state without needing a local Act, and at the time of writing that includes the UK.
The regulation is focused on protecting the rights of the individual data subject. We are all data subjects: individuals whose personal data, the information that identifies or relates to us, is often held in the hands of others.
Seven Key Principles
The GDPR has seven key principles that apply whatever technology is used to process and store the data:
- Lawfulness, fairness and transparency: You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data, and be open with data subjects about what you do with it.
- Purpose limitation: You must define the purpose for which the data is used, document it, and not reuse the data for an unrelated purpose.
- Data minimisation: Reduce the data held to the minimum required for that purpose. This includes dropping fields you collect but do not actually need.
- Accuracy: As under the old DPA, the data must be accurate and kept up to date.
- Storage limitation: Limit the time that data is held, document those limits, and ensure that data is completely removed (including from backups) once the retention period expires.
- Integrity and confidentiality: This is all about security. You must apply appropriate technical and organisational measures to protect the data against unauthorised access, loss or damage, and so reduce the likelihood and impact of a breach.
- Accountability: The accountability principle requires you to take responsibility for what you do with personal data and to be able to demonstrate how you comply with the other principles.
These principles are simple enough until you start to look at the business processes. Once you have identified the different elements or data fields that are stored, you can start a risk assessment based first on how a breach would affect the company and then on how it would affect the data subject. Assessing both the holder's and the subject's exposure is what decides which measures are "appropriate".
Each of the principles will generate policy and process documents covering the way that data is handled.
So how much documentation is there?
We’ve written GDPR documentation for quite a few companies and charities, and in each case we have created 60 plus documents, including data analysis documents, data process flow diagrams, and process and procedural documents.
While it is true that a one-man band may only need one main document, they will also need procedures and a way of recording the outcome of data subject requests, data deletions and data breaches. If you employ staff then their data is also covered by the GDPR, and you need written confirmation of GDPR compliance from suppliers and third parties with whom you share data.
Getting help is easy.
Contact us by completing the form below and we will call you for an informal chat about how we can help you.