What internal documents do I need for GDPR?

The ICO is all about evidence and attitude when it comes to small business. So, this little beauty is to help you understand the internal documents you need for GDPR and why.

You need to accept how important it is that any evidence your organisation has to support this is vital. Whether it is on track for GDPR compliance, or not, lies within your policies, procedures and other internal documents. 

Your privacy policy and terms and conditions are the external documents people see. So these need to match what is inside the organisation as the ICO would be more interested in those internal documents.

What’s most important isn’t a document

The ICO has made it absolutely clear that organisations that do not make any effort to comply with data protection laws will be those that will be penalised the most. 

To start on your road to compliance there is a simple test to take on the ICO website to see whether you need to register your organisation with the ICO or not.  There are some exceptions, which are probably really only understood by the ICO themselves, and not paying the fee will lead to financial penalties up to £4,350.00.

What are the internal documents?

There’s a multitude of responsibilities and you need policies to match all of them. Some of these may not apply to every organisation, because of how they are run, but here’s a quick checklist:

1. Data Audit
2. Data Policy.
3. Information Security Policy.
4. Marketing Policy.
5. Social Media Policy.
6. CCTV Policy.

Let’s look at them one by one.

What is a data audit?

After you’ve taken the test and paid your fee (if necessary) now it’s time to understand what data your organisation processes and how you should classify it.  It will either be Personal Information, Special Category Information or “other” information (and maybe information on children) and the way to know which it is it to complete a data audit.

Once you know how much Personal and/or Special Category information you process you can start to write your policies. Some skip this step, but it is always good to make sure that what you believe you do is backed up by evidence (the ICO will definitely agree with that one).

The trinity of policies most often referred to for compliance with GDPR are; a data policy, a marketing policy and an information security policy.  Each one sets out, at the highest level,

the rules for how your organisation will act.

What is a Data Policy?

A data policy is what governs how and why you collect personal data (including Special Category data), how long you keep it for and how it will be disposed of.  It is the cornerstone of your internal documents.

Personal information can be obtained and stored physically or electronically and you need to identify which process uses which style of storage.  It also needs to be recognised that personal information can be gained from recordings, i.e. voice data, through photos and videos, i.e. image data, as well as through texts, letters, emails, online forms, order history, etc, i.e. personal data.

Common elements are :

1. Why you are collecting the data.
2. Confirmation of the purpose of the relationship (this links to the legal basis of processing), for each process – if necessary.
3. The controls employed to ensure the correct sharing of personal information.
4. The controls employed to ensure that marketing activities can be correctly controlled.
5. How the personal information will be stored (for each process – if necessary).
6. How long personal information will be retained (for each process – if necessary).
7. How the personal information will be destroyed.

What is an Information Security Policy?

This policy sets out how, in general, any data you hold will be secured.  This would include any additional controls related to personal information. To protect you from cyber criminals this is the only one of your internal documents that will dictate whether you are successful or not.

You need to consider all forms of data storage and how they would be protected. Let me remind you of how I have categorised them, voice data, image data, personal data.

Considerations here are:

1. What type of anti-virus software is required? not whether it is required.
2. How to construct passwords.
3. How to determine the correct level of security (remember this for each form of personal data).
4. Frequency of password review for systems containing personal information.

What is a Marketing Policy?

This policy sets out the rules relating to all marketing, but will need to cover any direct marketing, like telephone, email, text and post. This will need to reiterate points from your data policy (so make sure you cross-check them when you think you’re done).

It should make clear determination about the processes used in general marketing and those using direct marketing. A statement about whether “bought in lists” will be used is also useful. If you do use them a statement about checking the validity of them, and how you will utilise them in your marketing, should be in this document.

Of course, this is where mention social media as this is part of your marketing.

What is a Social Media Policy?

This is not used by many small and micro businesses, but to their peril. The most common mistake is the sharing of images without consent, or without explaining why they wish to use it. There are also implications of posting an image online that need to be explained, especially when using images of children, like a lot of clubs and association do.

The most important thing to with this policy is to link it with your HR policies. Some professional bodies have a requirement to post profiles (including pictures) on their website to confirm their validity. So, two things. Your website is a means of electronically communicating the products and services online, so it’s marketing. As it is available to anyone who cares to click on your web address it is categorised as social media.

What is a CCTV Policy?

For those that use CCTV the must have is a document as to why your organisation has it.  If you occupy a building that installed it and you do not control it that has to be noted too.

Either way if you do not create a CCTV policy you cannot use it, in anyway, to reprimand any non-visitors while they are on your premises. For this reason this policy needs links to your HR policies too.

What happens Next?

It is easy to forget that once this part is done that you have to, at least, check that your procedures and other documents match the high-level controls in your policies.  These do not have to be long and can cover a single process, like renewing the SSL certificate in your website.  Don’t forget some of the larger financial penalties the ICO has imposed have been because the controls relating to this type of process have not been followed correctly.  You could say that there are 189 million reasons to get this kind of thing right.

Other controls that are less frequently required, particularly for the smallest organisations are:

1. Data Protection Impact Assessment.
2. Data Protection by Design.
3. Policy and procedure review.

I know I say this a lot, but at the end of the day GDPR is about attitude. Any organisation that emphasises the need to boost income, or profit, over the safety of personal data is going to be on dodgy ground when it comes down to an investigation by the ICO.

Get organised. Have your own light bulb moment, understand your obligation and be sure that your route to compliance with this important legal requirement is well on it’s way. We are happy to help with that.

There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided. Information specifically about data protection compliance can be found at https://eyebray.com/category/gdpr/ .

If not, we would be pleased to answer your enquiry through enquiries@eyebray.com , or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.