DATA PROTECTION

Services

PII Data Mapping

To comply with the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018, organisations should map their data flows to assess privacy risks. Effectively mapping data requires an understanding of the flows of data, and the ability to describe them and identify their key elements. PII Data Mapping helps to identify the appropriate technical and organisational safeguards for your personal data, as well as giving you a thorough understanding of the data your organisation processes, where it is held and how it is transferred.

We are able to map out your data flows on your behalf to ensure compliance and effective data management.

Privacy Policies

The GDPR specifies what you need to tell individuals when you collect personal data from them and what you are required to tell people when you obtain personal data from another source. This includes:

  • The name and contact details of your organisation
  • The purposes of the processing and the lawful basis for it
  • The categories of personal data obtained
  • The retention periods for the personal data
  • The rights available to the individuals in respect of the processing, including the right to lodge a complaint
  • The source of the personal data

The provision of other types of information depends on the particular circumstances of your organisation, and how and why you use people’s personal data. We can provide a customised privacy policy to cover all third-party data processed by your organisation.

Data Breach Procedures

A personal data breach can result in the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, which can be a risk to the rights and freedoms of individuals. Data breach procedures work to ensure that any breach is investigated, its cause is identified and the necessary action is taken to contain the breach and prevent recurrence. If unaddressed, data breaches can result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to the individual.

We can provide a customised data breach procedure which will cover the following legal requirements:

  • Identify and contain the data breach
  • Determine if personal information has been breached
  • Assess the sensitivity of released information
  • Conduct a risk assessment and determine the cause of the breach
  • Identify stakeholders that will require notifying, based on the investigation outcome
  • Implement corrective action and prevention

Data Subject Access Requests Procedures

Individuals have the right to access personal information held by an organisation or to challenge the accuracy of that information. When an individual's access request is received, the company must respond within one month, so it is important to be prepared for these requests. An Access Request procedure describes the process to be followed when a customer, employee or any other interested party submits a personal information access request.

We can advise on and implement a procedure that will:

  • Document the receipt and tracking of the request
  • Document the search process
  • Compile and prepare the release of documentation
  • Release data and document copies
  • Correct the information, if requested

Privacy Impact Assessments

Under the GDPR, organisations are required to carry out data protection impact assessments, in order to evaluate the risks to individuals before processing personally identifiable information. This process is carried out whenever the collection of, use of or disclosure of personal information is part of a service, business process, project or system.

The purpose of the Privacy Impact Assessment (PIA) is to review and propose changes to a service, business process or system in order to identify potential privacy implications and risks. The PIA should include the measures and safeguards in place for mitigating the identified risks.

We are qualified privacy professionals and therefore able to carry out these PIAs on your behalf and provide an action plan to address any privacy issues.

Data Processor Agreements

Whenever a controller uses a processor, there must be a written contract or other legal act in place, to ensure that both parties understand their responsibilities and liabilities. Contracts also help to demonstrate compliance with the GDPR and the Data Protection Act 2018. If a processor uses another organisation (i.e. a sub-processor) to assist in the processing of personal data, there also must be a written contract in place with that sub-processor.

We can produce an agreement on your behalf setting out:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The controller’s obligations and rights

Data Transfers Outside the UK

The GDPR restricts the transfer of personal data to countries outside the EEA and to international organisations. For an international transfer to be made in accordance with the GDPR, it must be covered either by an adequacy decision or by appropriate safeguards.

The Schrems II decision recently declared the European Commission’s Privacy Shield invalid, on account of invasive US surveillance programmes. This has made transfers of personal data on the basis of the Privacy Shield Framework illegal.

In light of this decision, those who have previously relied on the Privacy Shield to transfer personal data from their subsidiaries to a U.S. parent corporation, U.S. affiliates, or to U.S.-based service providers now need to use an alternative data transfer mechanism. For most businesses, standard contractual clauses (SCCs) are usually an appropriate safeguard.

We can advise on setting up the appropriate transfer mechanism, depending on the personal data being transferred and its destination.

Data Transfers Between the EU and UK

The GDPR is an EU regulation, and therefore will no longer apply to the UK now that we have left the EU. However, the principles of the GDPR are retained in domestic law and will also be applicable when dealing with EU nationals' personal data within the UK.

There will be two sets of rules to consider when transferring data between the EU and the UK: the UK rules on transferring data outwards and the impact of EU transfer rules on those sending personal data into the UK. In both cases, data can be transferred if it is covered by an adequacy decision, an appropriate safeguard or an exception.

Technical and Organisational Information Security Measures

A key principle of data protection is that personal data is processed using appropriate technical and organisational measures. In brief, taking these measures requires the consideration of risk analysis, organisational policies, security of processing, and physical and technical measures.

Putting security measures in place ensures the confidentiality, integrity and availability of an organisation’s systems and services, as well as the personal data it processes. Such measures must also enable organisations to restore access to and availability of personal data in the event of an incident.

Certification to ISO27001 and/or Cyber Essentials is an excellent way to demonstrate to your customers that these measures are in place and have been independently verified. We are able to help you successfully achieve both of these certifications.

Data Protection and Information Security Training

A data breach can cause an organisation a great deal of reputational and financial damage. In many cases breaches originate from human error rather than technological weakness, so it is essential that staff are trained in cyber security. Our data protection training provides the knowledge and skills to build resilience around information security and data management, with the following key benefits:

  • Legal compliance for mandatory training
  • Improve critical knowledge across the organisation
  • Maintain credibility with your customers and within your industry
  • Protect the confidentiality, integrity and availability of data
  • Protect against the financial implications of a class action for data breach

Achieving credentials in data protection and information security such as ISO27001 and Cyber Essentials demonstrates a comprehensive understanding of the regulations in place and compliance with their requirements.