Data Processing

  • Supporting GDPR Gap Analysis and Audits

     

    Compliance tools for GDPR gap analysis and audits

     There are various tools out there which cover essential elements on a data project, such as data discovery, data mapping and data lineage. Meanwhile, gap analyses tend to be performed by traditional auditing methods, such as reviewing the organisational and process documents and liaising with those departments involved in data processing. 

    Below is a non-exhaustive list of support tools:

  • DATA CONTROLLER

    Where a Controller uses third party systems to process personal data, the responsibility for consent still lays with it. Controllers bear the onus of acquiring GDPR-standard consent (or indicating any other lawful basis for processing the data), demonstrate it to the regulator and ensure it can be withdrawn as easily as it was given. Therefore, selecting Processors who are themselves GDPR-compliant and can support the controller’s obligations is key.

    If the third party has processing purposes that are separate from the Controller's purposes, then the third party is deemed a Controller under Article 28.10. Here, the third party must secure its own legal basis for processing, whether by consent or another legal basis.

    The Controller may update its contracts to seek certainty that its Processors are adhering to the same GDPR standard and that any breach can be indemnified by the Processor. Meanwhile, if the Processor believes the Controller infringes GDPR, they have an obligation under Article 28 to inform the Controller and record the notification.

  • Data protection risk assessment

    A Data Protection Impact Assessment (DPIA) is a procedure which assists you in detecting and minimising data protection risks of a project. You should always complete a DPIA when undertaking tasks of a high risk, usually new tasks or projects.

    In order to conduct an assessment, you can utilize certain applications in order to produce an efficient DPIA.

  • Data processor

    The minimum information needed for a processor to comply with its legal responsibilities, and for the controller to comply with Article 28, is to specify whether the data includes special categories of personal data, this raises the risk profile of the data set.

    For Personal Data that does not fall into one of either:

  • GDPR terms and conditions

    The Key terms and definitions you need to know: 

    Binding corporate rules: personal Data Protection policies adhered to by controller or processor in the Member State for transfer of personal data to controller or processor in third country

    Originally devised by Article 29 Working Party to transfer secure large data internationally while reducing bureaucracy

    GDPR establishes conditions for Member State to establish own binding corporate rules to streamline international transfers.

  • HR and GDPR The General Data Protection Regulation (GDPR) was enforced on the 25th May 2018, which applied major changes to the way data is protected, enabling employers to reconsider their employment and HR procedures, and amend them in order to comply with GDPR requirements.

     Employers should maintain focus on the following factors:

  • Record keeping - right to be forgotten

    GDPR gives individuals the right to have their personal data deleted, although this is not an 'absolute' right. If you still need to retain the personal data concerned, you may be able to refuse the request. Moreover, the right to erasure does not mean you erase all the data if you have a need and legitimate interest basis to process their data for audit records. If you cannot erase data (for example, there is a legal requirement to keep certain records for 6 years) then consider restricting the processing, such as moving to archiving.

    The data minimisation principles should also be applied, together with an appropriate retention period. Ensure that you inform the data subject as to what data you are keeping.

  • Subject Access Request outside of the EU

    On some occasions, an EU subject may require a Subject Access Request (SAR) which involves a transaction outside of the EU. Therefore, data processors must be aware that a data controller outside of the EU will not necessarily give up any or many obligations to the General Data Protection Regulation (GDPR).

    So, the question is whether data processors need to address the Subject Access Request without the controller or not?

  •  

    Data processor

    A cloud service provider of apps and storage for businesses is a data processor. However, that does not mean it is not exempt from appointing a Data Protection Officer (DPO) if the data processed presents potential risks to the rights and freedoms of others, or large scale systematic processing.

Make a free enquiry, call now

0151 659 1070




Please let us know your name.



Please enter a valid telephone number



Please let us know your email address.



Please let us know your message.

Please tick the box below

Invalid Input

Invalid Input
I understand that by submitting my query to you, my personal data (name, email address and contact number) will be processed by you in order to contact me and assist me with my query. I confirm I have read and understood the Privacy Notice and I consent to you processing my data for the purpose of contacting me to assist me with my query.




How can we help you?

To find how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070