GDPR – Key Areas
What is ‘Processing’?
‘Processing’ refers to any handling or storage of personal data, and GDPR requires that you take steps to ensure you undertake all aspects of data management safely, sensibly and securely.
You must have and record a ‘lawful basis’ for processing data – find further details here. Remember that different activities will have different lawful bases – e.g. sending a marketing email requires opt-in consent from the recipient, but sending an email with an invoice after a project is part of a contract and does not require separate consent.
As a controller or processor, it is your responsibility to demonstrate accountability and governance, maintain secure systems, and give people appropriate access to the data you hold on them.
Read more about lawful bases for processing on the ICO website.
How EJC helps
We are a processor when working on behalf of our clients, who are controllers. We make technical, informed decisions about service providers who provide hosting, file management, email and security systems. Each supplier we use is also a processor.
Data storage – we manage both in-house servers and cloud-based storage, ensuring only users with correct permissions can access data.
GDPR requires that you protect against…
Unauthorised or unlawful processing – we make sure that your systems are safe and secure from external attacks, and advise you on best practice for security and password management.
Accidental loss, destruction or damage – our backup systems mean we can completely or partially restore data which is lost, whether it’s through accidental deletion, software or hardware failure.
Accountability & Governance
What changes under GDPR?
GDPR elevates the significance of accountability and governance and complements its transparency requirements. You are expected to put ‘comprehensive but proportionate’ measures in place to achieve this, which minimise the risk of data breaches, and ensure protection of personal data.
These include the following measures, which we have explained further below:
- Data protection impact assessments
- Data protection officers
Read more about accountability and governance on the ICO website.
How EJC helps
Safety and security are baked into the EJC approach, from the software, hardware and suppliers we choose, to the advice we give and the systems we set up.
We can help you to review your technical processes and security, and implement the appropriate measures to ensure you comply.
This might range from password management systems that avoid staff using common passwords like Password1234!, to helping you review security policies or train your staff to avoid ‘phishing’ and other potentially dangerous scams.
Whenever a controller uses a processor, a written contract must be in place, to ensure both parties understand their responsibilities and liabilities. Outsourcing data management to a third-party processor does not absolve you of responsibility as a data controller.
Processors should only act on written instructions of controllers, and take appropriate measures to ensure security and GDPR compliance. Importantly, processors can only engage sub-processors with the consent of a controller, and only with a written contract.
Read more about contracts on the ICO website.
How EJC helps
We are a processor and also engage sub-processors. For example, we might use Microsoft Office 365 to provide an email service directly to our clients. In that situation, because we set up and manage the account, the client is the controller, we are the processor and Microsoft is the sub-processor.
All of our client contracts ensure compliance with GDPR, and we have a ticket system in place to ensure all requests and communication are documented in writing. We have also completed due diligence on each of our suppliers to ensure they are fully GDPR-compliant.
Companies – controllers and processors – with under 250 employees must document data processing activities that:
- are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
- are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
- involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).
(Companies with over 250 employees must document all processing activity)
Read more about documentation on the ICO website.
How EJC helps
As a processor, and as part of our duties engaging sub-processors, we perform all the relevant documentation duties required of us.
You can view our GDPR Statement here, which sets out our responsibilities to our clients.
We can also help you to identify areas you need to document, some of which you might not be aware of, and ensure that you have all the relevant information and technical details.
Data protection impact assessments
DPIAs, also known as Privacy Impact Assessments (PIAs), help to identify and manage problems at an early stage, and help meet an individual’s expectation of privacy.
You must carry out a DPIA whenever you use new technology or systems, and if data processing is likely to result in a high risk to an individual’s rights or freedoms.
Read more about DPIAs on the ICO website.
How EJC helps
Whenever we recommend a new technology or supplier, we help you assess whether a DPIA is required, and if one is needed, we can work with you to complete it.
Data protection officers
Not every company has to appoint a data protection officer – but you must still ensure your organisation has sufficient staff, skills and understanding to comply with GDPR.
To check whether you need to appoint an officer, you should read more about data protection officers on the ICO website.
How EJC helps
We are not required to appoint a data protection officer, but have made sure we have a full understanding of GDPR at management level, and that our staff are aware of their rights and responsibilities with regard to all data we process, manage or have access to.
More on GDPR
Need more help?
GDPR can seem pretty daunting. If you'd prefer to just talk through it, click below or call us on 0370 600 9700.
We can arrange an appointment to give you more information and discuss where we can help.
The Information Commissioner’s Office (ICO) provides both comprehensive and straightforward advice and information on GDPR. Here are four useful links to make sure you fully understand your responsibilities:
The ICO’s quick twelve-step overview to GDPR
Full and comprehensive guidelines from the ICO
Step-by-step checklists to make sure you’ve covered everything
A series of GDPR ‘mythbusting’ blog posts from the ICO