The GDPR is now in force but that should not mark the end of your GDPR
story. Indeed, for some, it may in fact mark the beginning. But wait!
Shouldn’t you already be compliant? Strictly speaking, yes, of course you
should. In reality, however, when a legal change as significant as the GDPR
occurs, it takes time for best practice to become established.
What’s more, despite the potentially huge fines under the GDPR, this does
not mean that small businesses should expect dawn raids by sinister-looking
agents from the Information Commissioner’s Office. Indeed, the Information
Commissioner, Elizabeth Denham, has said that the ICO is not looking to go
after those showing a willingness to comply and that any action taken
against those who are non-compliant will be fair and proportionate. A small
business that hasn’t got it quite right, therefore, should not expect a
€20m fine or anything remotely like it!
Your GDPR Journey
Here at Simply-Docs we offer a range of data protection-related documents
to help you with GDPR compliance, beginning by assessing how you’re doing
so far with a Data Protection Audit, then following that up with policies,
impact assessments for new projects, privacy information for your
customers, and handling their requests to see the personal data that you
hold about them.
The Data Protection Audit is a good place to start. Regardless of how you have handled data
protection in the past, the GDPR presents an ideal opportunity for a
refresh. Even if you think you’re already compliant, the audit may
highlight areas for improvement or – in the best case – provide additional
reassurance that you are indeed as good as you thought!
The Data Protection Audit (GDPR Audit template) is structured around the core principles of the GDPR and the rights of
individuals (aka “data subjects”) and has been designed to assess and
evaluate data protection across a number of key areas of your business.
Privacy by Design – The Data Protection Impact Assessment
Also known as a “Privacy Impact Assessment” (neater name, isn’t it?), this is a useful tool when planning projects
that will involve the use of personal data and a valuable asset when it
comes to GDPR compliance.
There are, essentially, two “lists” of circumstances in which you must
carry out a Data Protection Impact Assessment – one set out in the GDPR,
the other by the ICO. The former quite likely won’t apply to small
businesses, but some of the latter might. You can find out more in the
information accompanying our Data Protection Impact Assessment template.
The main point of a Data Protection Impact Assessment, however, is to
ensure that privacy risks are identified and mitigated at the early stages
of any project involving personal data. Mandatory or not, then, it can
still be a useful thing to do when you are planning on using any personal
data in a new way.
Data Protection Policies, Website Privacy Policies, and Privacy Notices: What’s the Difference?
Some businesses will only need one of these, others will need two or even
three. These terms are often used interchangeably, but each document is
quite different. So, what’s what?
Data Protection Policy
This is your go-to internal policy. A Data Protection Policy
sets out the rights of individuals and the obligations of your business
along with details of the various measures to be taken within your business
to uphold those rights and comply with your obligations.
Should you show your customers? That’s up to you. There is certainly no
harm in making your data protection policy available as it can add an extra
layer of reassurance. On the other hand, it also contains a lot of extra
detail that most individuals probably don’t want to know. That is the job
The GDPR requires that individuals are given certain information about your
collection and use of their personal data.
Covering various degrees of data collection and usage, our Website Privacy Policies
provide certain key information to users of your website about the data
that you collect, how you use it, how it is stored, whether it is shared,
But not all businesses operate online, so how do you convey this
information to your offline customers? That’s next.
Our GDPR Privacy Notice can be used in point of sale situations on your premises, for example, or when agreeing
a contract for services in person. If you have what we would call a
“brochure website” (one which collects no data and has no e-commerce) you
could also display a privacy notice on there.
You’ve worked out what you do with personal data, you’ve got a policy
setting out the rules that you must follow, and you’ve told individuals
about it. But how long do you hold onto personal data?
Under the GDPR you should not keep personal data for any longer than
necessary. Get a hold of much more than a few names and addresses, though,
and it becomes very difficult to keep track. A Data Retention Policy
helps to organise everything, categorising the various types of personal
data that your business collects and setting out time limits applicable to
the retention of each category. In some cases, it might not be possible or
practical to set a fixed time limit. In those cases, specify the criteria
that you will use to determine when it’s time to get rid of the data in
Under the GDPR there are Controllers and there are Processors. The data
controller is the one who determines what personal data will be used for
and how it will be used (or “processed”). In most cases, if you are
collecting data from your customers to use for your business, you will be a
data controller. In short, if you call the shots, you’re the controller. A
data processor is someone who processes personal data on behalf of a data
controller, i.e. on their instructions. Both data controllers and data
processors are subject to obligations laid out in the GDPR.
If a data controller wishes to use the services of a data processor, there
must be a written contract in place which includes certain elements
required by the GDPR. What’s more, if the data processor is located outside
of the European Economic Area, additional safeguards must be in place to
ensure that personal data is fully protected.
Where a data processor is processing personal data on behalf of a
controller, two main approaches can be taken. A separate Data Processing Agreement
can be used or, perhaps better suited to simpler scenarios, a set of Data Processing Clauses
can be included in another contract – a service agreement, for example. We
offer templates for both!
Subject Access Requests
This is one of the key rights bestowed upon individuals by the GDPR.
Individuals have the right to ask you about the personal data you hold
about them, what you do with it, and so on. You must respond to these
requests quickly and (usually) for free.
To make things easier for you and for those individuals whose data you
gather, we have prepared a range of templates for dealing with Subject Access Requests,
including a standard form for making a request in the first place, and a
series of letters used for various stages (and scenarios) in your response.
Find out more here.
Getting Your Contracts in Order
In addition to our range of data protection-specific content, we have also
been busy updating a large number of our other business document templates
for improved GDPR compatibility. In some cases, these are simple data
protection clauses that simply refer to your standalone privacy notice or
policy. In other cases, where there is the potential for data processing to
be carried out, options have been included enabling you either to refer to
a separate data processing agreement, or to use data processing clauses
built in to the document itself.
With such a big portfolio, there are a few that we’ve not gotten to yet. In
those cases, or if we’ve decided that personal data isn’t particularly
relevant to a certain document, but you want to use it in a situation that
involves personal data, our GDPR Data Protection & Processing Clauses
are available to help you with your own alterations to our templates.
There’s More to Come!
As we said at the start of this newsletter, just because the GDPR date has
been and gone, that doesn’t mark the end of the story. We still have more GDPR
templates planned, not least a dedicated policy for handling personal data
breaches. We will also be reviewing many more of our non-data-protection
documents and making further enhancements for GDPR compatibility.
We also want to hear from you. We’re full of good ideas here at
Simply-Docs, but we don’t always think of everything! If there’s something
you want or need with respect to data protection that we don’t have – let
us know! We always welcome customer input and ideas for new documents.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific