1.1 Information you hold
Your business has conducted an information audit to map data flows.
You should organise an information audit across your business or within particular areas. One person with in-depth knowledge of your working practices may be able to do this.
This will identify the data that you process and how it flows into, through and out of your business, for example to any agreed sub processors or back to the controller.
Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).
Having audited your information, you should then be able to identify any risks.
1.2 Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.
Once you have completed your information audit, you should document your findings, for example in an information asset register.
Doing this will also help you to comply with the GDPR’s accountability principle, which requires you to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.
You must record:
If you have less than 250 employees you only need to keep these records for processing activities that:
You may be required to make these records available to the ICO on request.
Step 2 of 4: Accountability and governance
Your business has an appropriate data protection policy
The GDPR requires you to show how you comply with the principles.
A policy helps you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy.
The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance.
You should make sure that management approved the policy and that you publish and communicate it to all staff. You should also review and update it at planned intervals or when required to ensure it remains relevant.
2.2 Data Protection Officer (DPO)
Your business has nominated a data protection lead or Data Protection Officer (DPO).
It is important to make sure that someone in your business, or an external data protection advisor, takes responsibility for data protection compliance.
You may need to appoint a DPO. Any business can appoint a DPO but you must do so if you:
You may find it useful to voluntarily designate a DPO even when the GDPR does not require you to.
The DPO should work independently, report to the highest management level and have adequate resources to enable your organisation to meet its GDPR obligations.
The DPO’s minimum tasks are to:
You should document the internal analysis you carried out to determine whether or not to appoint a DPO unless it is obvious that your business is not required to designate one.
2.3 Management Responsibility
Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR.
Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture within your business for data protection.
They should take the lead when assessing any impacts to your business and encourage a privacy by design approach.
They should help to drive awareness amongst all staff about the importance of exercising good data protection practices.
2.4 Information risks and data protection impact assessments
Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
You should set out how you manage information risk.
This task could be driven by the controller you are providing services for and you should ensure you work with them so that all information risks you identify are fed back on a regular basis.
You need to have a senior staff member with responsibility for managing information risks, coordinating procedures that mitigate them and logging and risk assessing information assets.
You should have appropriate action plans in place to mitigate any risks you have identified that are not tolerated or terminated.
Before the start of a new contract with you, the controller should complete a Data Protection Impact Assessment (where the circumstances require one to be completed). As processor you should be ready to provide your input to this assessment and work with the controller to mitigate any risks identified. Having an established information risk management framework in place will assist you to do this effectively.
2.5 Data Protection by Design
Your business has implemented appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities.
Under the GDPR, processors have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. This is referred to as data protection by design and by default.
You should adopt internal policies and implement measures which help your business comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.
2.6 Training and awareness
Your business provides data protection awareness training for all staff.
You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required.
Consider specialist training for staff with specific duties, such as information security and database management and marketing.
Regularly communicating your key messages is equally important to help reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).
2.7 Data processing contracts
Your business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and your business.
When processing personal data, you must have a written contract in place between you and the controller, or another legal act must apply.
The contract is important so that both parties understand their responsibilities and liabilities.
The GDPR sets out what you need to include in the contract, including the requirement only to act on the written instructions of the controller.
Although the controller is ultimately liable for overall compliance with the GDPR and for demonstrating that compliance, as processor you have some direct responsibilities and liabilities of your own.
If you fail to meet any of these obligations, or act outside or against the instructions of the controller, you may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.
In the future, you may wish to consider looking at approved codes of conduct or certification schemes to help you and the controller to demonstrate your suitability as a data processor. However, they are not yet available.
Standard contractual clauses may be provided by the European Commission or the ICO, and may form part of such a code or scheme. However, they are not yet available.
2.8 The use of sub-processors
Your business has sought prior written authorisation from the controller before engaging the services of a sub-processor, and there is a contract in place.
You may only engage another processor (sub-processor) if you have the prior written authorisation of the data controller.
You must put in place a contract with the sub-processor (or other legal act) that imposes specific obligations on the sub-processor.
As processor you remain liable to the controller for the performance of the sub-processor’s obligations.
The prior authorisation to use a sub-processor may be specific or general. However, if general, then you must tell the controller in advance of any changes you intend to make regarding the addition or replacement of other processors, so that the controller has the opportunity to object.
2.9 Operational base
If your business operates outside the EU, you have appointed a representative within the EU in writing.
Under the GDPR, if your business is located outside the EU, and you offer products and services to citizens in the EU, then there is a requirement for you to appoint (in writing) a representative within the European Union.
You may only transfer personal data outside the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
2.10 Breach notification
Your organisation has effective processes to identify and report any personal data breaches to your controller.
The GDPR introduces a duty on all processors to inform controllers of a personal data breach “without undue delay” after becoming aware of it. It is therefore important that you have internal and external breach identification and reporting procedures in place.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.
Step 3 of 4: Individual rights
3.1 Right of access
Your business has a process to respond to a controller's request for information (following an individuals' request to access their personal data).
Individuals have the right to obtain:
You should have robust procedures in place and assign responsibility within your business to recognise and deal with these types of requests in a timely manner, regardless of whether they are sent to you or to the controller.
If you have identified and documented all the data you process it will make it easier to locate and retrieve specific information as requested by the controller. Information must be provided to the requester by the controller without delay and at the latest within one month of receipt of the request, extended by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). See our guidance for more information on how to calculate the due date for a response.
If the request is made electronically, you may be required by the controller to send them the information in a commonly used electronic format.
You should set out timescales for your response to a request for an individual’s information within the written contract with the data controller.
3.2 Right to rectification and data quality
Your business has processes to ensure that the personal data you hold remains accurate and up to date.
Individuals have the right to have personal data rectified if it is inaccurate or incomplete.
You should have processes in place to enable you to respond to a request from a controller to rectify inaccurate data within one month of the request.
It is good practice to place a note on any record to indicate that the accuracy of the information is under dispute and why.
If you have disclosed this personal data to others, you must contact each recipient and inform them of the restriction on the processing of the personal data -unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.
You should regularly review the information you process or store on behalf of a controller to identify when you need to do things, eg correct inaccurate records. Records management policies, with rules for creating and keeping records (including emails) can help.
Conducting regular data quality reviews of systems and manual records will help you ensure the information continues to be adequate for the purposes of processing under your written contract with the controller.
You should also ensure that you complete regular data quality checks to provide assurances on the accuracy of the data your staff are inputting.
If you identify any data accuracy issues, you should communicate lessons learned to staff through ongoing awareness campaigns and internal training.
See the guidance on our website for more information on how to respond to these types of requests.
3.3 Right to erasure, including retention and disposal
Your business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales as stated in your contract with the controller.
Individuals have the right to be forgotten and can request the controller (and therefore you also as processor) erase their personal data when:
You should pay special attention if there are existing situations where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request) especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent.
These requests will be received initially by the controller. However, if you also process and store this data, then you need to have appropriate procedures in place to ensure you erase it permanently, and within one month of receipt.
You should have standard contract clauses covering erasure, data retention and disposal. You should ensure that these conditions are met. A written retention policy will remind you when to dispose of various categories of data, and help you plan for its secure disposal.
See the guidance on our website for more information on how to respond to these types of requests.
3.4 Right to restrict processing
Your business has procedures to respond to a data controllers’ request to supress the processing of specific personal data.
Individuals have a right to block or restrict the processing of their personal data.
When processing is restricted, you are permitted to store the personal data, but not process it further.
You can retain just enough information about the individual to ensure that you respect the restriction in the future.
A controller may request that as their processor you restrict the processing of personal data if:
You should action these requests within one month of receipt. See our guidance for further information relating to responding to these types of requests.
3.5 Right to data portability
Your business can respond to a request from the controller to supply the personal data you process in an electronic format.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
They can receive personal data or move, copy or transfer that data from one business to another in a safe and secure way, without hindrance.
The right to data portability only applies:
You must provide information without delay and at least within one month of receipt. Your controller may receive such a request and so you should be able to supply them with any applicable data you process on their behalf to enable them to fulfill the request.
You must provide the personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.
If the individual (and so the controller) requests it, you may be required to transmit the data directly to another business where this is technically feasible.
See ICO guidance for further information relating to responding to these types of requests.
Step 4 of 4: Data security
4.1 Security policy
Your business has an information security policy supported by appropriate security measures.
You should process personal data in a way that ensures appropriate security.
Before you can decide what level of security is right for you, you need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs.
Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise.
If you are processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical measures to secure the data.
The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have.
A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures you will be implementing and the roles and responsibilities staff have to keeping information secure.