A Reminder of the Basics and Ongoing Areas of Focus

With all the information available on GDPR, it can sometimes be difficult to find what you really need to know. This is intended as a useful ongoing quick reference and is also available on the Bridgforce blog page.

A Reminder of the Basics

  • The essence of GDPR is keeping people informed about what data you hold and how you are using it
  • Best practice is to request consent for data processing rather than rely on legitimate interest – be prepared to evidence this (implied or specific)
  • The key to relying on legitimate interest is to establish that the subject should ‘expect’ it and that clear notification was given
  • You must not keep data longer than you need it, and you must be able to justify a legitimate need for the data (per a specific retention policy and/or legal grounds such as a contractual relationship or business correspondence)
      1. Consider time, storage and purpose for all data types
      2. Be particularly cautious of back-ups/archives that may contain copies of ID documents or other data types no longer needed – ensure these do not become ticking time bombs!
      3. If there is a contractual relationship, define when the relationship is 'over'; data retention periods should start at this point and run until the limitation periods expire
  • Privacy laws must still be fully considered in addition to GDPR
  • You need to rely on one of the 6 lawful bases for data processing; explicit consent is only one of them, so it is not required in all instances
  • When appointing a DPO, demonstrate sufficient knowledge and resources, no conflicts of interest, and independence (not afraid of bringing bad news)
      1. The DPO can be an individual, a body, part of a role or outsourced
      2. Document the review and decision process of your compliance committee/forum
  • There is no prohibition on buying data, but check that the data has been lawfully provided for your intended use
  • Contracts with 3rd parties should have an addendum/question checklist confirming compliance; depending on the answers, you may want evidence or to audit

Key Next Steps Post GDPR Implementation

  • Continue to clean up data archives/back-ups (particularly non-digital ones that may have been missed)
  • Embed new practices – reinforce them with messaging on dos and don’ts
  • Be prepared to identify, report and react quickly to any data breaches
  • Monitor standards (including certification schemes) for company phones/laptops, with an associated audit schedule
  • Ensure you have the following templates/standard documents in your basic GDPR toolkit
      1. Straightforward, easy-to-access guidance for the front line
      2. A standard statement on data use for marketing
      3. A 'consent' approach/template
      4. A data record that is maintained daily
      5. An addendum to existing agreements/contracts
      6. A data breach process and templates

Key Elements of the Legislation (per ICO Guidance)