Covid-19 – GDPR Series – Part 2 – Policies and Procedures

This article is part of a series of articles that the lawyers of Reddy Charlton will issue during May to mark the two year anniversary of the introduction of the GDPR. Our intent is to refresh some of the measures introduced and also to consider them in the current Covid-19 related business environment.

Following on from our introductory refresher article (Part 1), we now wish to identify and explain the key policies and procedures which businesses and organisations should have in place to demonstrate compliance with GDPR.

What are the eight basic rights of GDPR for individuals?

Under the GDPR, individuals have the following rights in relation to their personal information:-

1. to access their personal data
2. to be ‘forgotten’ and for their data to be deleted on request
3. to data portability from one service provided to another
4. to be informed of data gathering
5. to have information corrected when it is out of date or incomplete
6. to restrict processing of data
7. to object on the processing of their data for direct marketing
8. to be notified if there has been a data breach

What policies and procedures should organisations have in place?

The introduction of GDPR forced all entities which process personal data, whether as controllers or processors, to review or adopt policies and procedures in accordance with the new rules.

As part of the GDPR compliance process it is important for organisations to document the reasoning behind its decision and its policy in relation to certain matters and also to document the steps or procedures that it will take to implement those policies.

The policies and procedures need to balance the rights of data subjects against the needs of the organisation to process and use that data. GDPR calls for a risk based approach. Accordingly, policies and procedures are not one size fits all. Each organisations needs to look at its particular circumstances and adopt policies and procedures accordingly. Some of the factors to be considered include:-

1. the personal data collected
2. how it is collected
3. why it is collected
4. how it is used
5. how long it is retained
6. who is it shared with
7. what the data subject is told in this regard.

The policies and procedures serve as the framework for how an organisation will manage data protection. They demonstrate that the organisation has considered the issues and sought to address the risks and achieve that balance between data subject rights and business needs.

Unfortunately, data protection compliance is not as simple as completing a checklist of policies and procedures. There is no definitive checklist that will ensure compliance of your organisation. This is an evolving process that needs to be monitored on an ongoing basis. As technology or business practices change, so too must your policies and procedures.

Of course polices and procedures are all very well but are of little value to protect data subjects and scant defence against DPC investigation if they are not in fact communicated to all relevant employees and implemented and enforced on the ground.

The following list sets out some of the key policies and procedures that will apply to the majority of organisations.

General organisation policies, procedures and records:-

• An organisational data protection policy – this sets out what the organisation wants to achieve and how they intend to achieve it.

• Privacy Notice – This notice which should be available to data subjects. It can be published on the website of the organisation. It should explain in simple language how and why various types of personal data will be processed.

• Employee Privacy Notice – This notice will explain how the business intends to process personal data of employees.

• Data Retention and destruction Policy & Procedure – This policy details how long a particular type of personal data will be kept and the procedure for monitoring those time lines and deleting or destroying data once they have expired.

• Security Policy – This should set out the organisational measures the organisation will take to protect the security of the data processed by the organisation.

• Training Record – organisations are required to keep their employees up to date with their obligations and should retain a record of that training.

• Data Processor Agreement – where an organisation shares personal data with any third party it is required to have a written agreement with that third party in relation to the processing of the personal data by that third party.

• Data Subject policies, procedures and forms:-

– Data Subject consent form – if the data collection relies on consent, this needs to be recorded. If the personal data is that of minors, parental consent will be required.

– Subject access request policy & procedure – setting out the methodology of how subject access requests will be dealt with.

– Subject Access Request form – having a form will make it easier for data subjects and will guide them on the information that you require.

• Data Breach policies, procedures and forms:-

– Data breach response and notification policy and procedure – how will the organisation handle a data breach

– Data breach register – a register of all known breaches should be maintained whether notifiable to the authority or not

– Data breach notification to supervisory authority form

• Data protection Impact Assessment (DPIA) – this is required to be carried out in certain circumstances where the type of processing is likely to result in a high risk to the rights and freedoms of individuals. It is mandatory where an organisation is involved in is systematic monitoring of data subjects on a large scale, processing of special categories of data such as health information or where there is automated decision making. This should assess the particular activity and how it is conducted, the protections that are in place in order to asses whether it is permissible within the terms of the legislation.

What impact could Covid-19 have on these policies and procedures?

As the current pandemic has resulted in a significant number of employees now working from home, organisations must consider the impact this may have on the privacy and protection of data subjects.

Employees are accessing data from their homes where potentially other individuals in the home could gain access. Employee devices may not be as secure at those in the office. As more meetings and general conferences are now being conducted via video, organisations must ensure that these video-calling services are operated in a secure manner.

Organisations therefore need to consider how their policies and procedures need to be adapted and ensure that employees are advised of any changes and what is expected of them in this regard. New security measures that may be deployed by businesses in light of covid-19 and personal data include the regular changing of passwords, implementing a strong firewall and using antivirus software.

It is crucial for organisations to identify potential risks from the outset and measures should be implemented without delay in order to address these. Furthermore, organisations need to consider to what extent it needs to communicate any changes to affected data subjects. Effective communication amongst staff is extremely important to ensure this pandemic does not undermine GDPR compliance within organisations.

How can Reddy Charlton help?

During this Covid 19 crisis, Reddy Charlton Solicitors are eager to support, encourage and guide your business. If you have any queries or seek further information on Data Protection or any other area of commercial law, please contact Elaine McGrath at emcgrath@reddycharlton.ie