Data processing inventory
This details where, how and why you process personal data. It needs to be updated regularly to reflect new business processes/systems.
Legitimate Interests Assessment form
The gold standard for holding data is through consent, but in some cases, you will be unable to get consent. If this is the case, you must evaluate the information you hold to see if it falls into the legal interest category. If there is a legitimate interest in retaining the data such as contact details for sending a customer their invoice, then this won’t require consent.
Records retention policy
Under the new regulations, you can no longer hold data indefinitely. So, you will need to create a strategy to document each data type you own and when you will remove that data.
Employee privacy statement
Under the new regulations, you now have to update your employment contracts, or have a separate policy, to show how you will process and store your employees' data. It is best to get this countersigned by the employee as this will act as consent for you to hold their data and provide documented evidence should it ever be required.
Employee subject access request form
Employees now have the right to request copies of the information you hold on them. It is good practice to make these forms available to your employees, so requests can be dealt with using a standard format.
Response to employee subject access request
If you are going to have a standard way for employees to request the data you hold on them, then it’s probably a good idea to have a standard response form. This way you can show a consistent approach when an inspection occurs.
If you share data with third parties such as subcontractors or other organisations, it is a good idea to have a process agreement which details how you will both secure and process the data.
Third Party subject access request form
Anyone you hold data on now has the right to request copies of the information you keep on them. It is good practice to make these forms available via your website, so all requests are received and dealt with using a standard format.
Response to Third Party subject access request
If you are going to have a standard way for third parties to request the data you hold on them, then again it’s probably a good idea to have a standard response form to maintain a consistent approach.
Subject access record for third parties and employees
It is best practice to record any access requests so that you have an audit trail. Having this record ready in anticipation will not only show your expected process but also remind you to log these requests correctly.
Data breach record
A data breach record allows you to keep track of any breaches that may have occurred in the course of your regular business, and it is best practice to record all events even if the data was on an encrypted device.
We have a GDPR form pack, provided by a third party, which we have used for our internal GDPR documentation. We have secured an agreement to be able to supply this pack to our customers under license. It currently costs £299+VAT. We can also help with completing the forms, and as always, we will only charge for the time we spend helping.
We Do Your IT Limited is an IT Support Company based in Bristol that offers service and computer support differently.
We Do Your Communications Limited is a Telephone and Broadband Company based in Bristol that offers service and telephone support differently.