![\"\"](\"https:\/\/wilsonjames.co.uk\/wp-content\/uploads\/2021\/10\/mypic-1-1-300x300.jpg\")
<\/p>\nBarry Spriggs
\n<\/strong>Data Protection Officer at Wilson James<\/strong><\/h3>\n<\/div>\n<\/div>\n <\/p>\n
<\/p>\n
Where to start?<\/strong><\/p>\n\u00a0<\/strong><\/p>\nData Protection Policy<\/strong><\/p>\n <\/p>\n
Building a great culture and awareness around data protection starts with getting the basics right; in this case an initial data protection policy. This provides guidance to all in the enterprise about what is expected from staff, what assurances are given from the business around how personal data will be treated.<\/p>\n
\u00a0<\/strong><\/p>\nPublish and promote it<\/strong>. Don\u2019t forget to make your organisational colleagues aware of the policy by proper publication and signposting. Your policy should provide assurance, leaving no doubt that personal data will be treated with the utmost respect and confidentiality in line with the data protection principles.<\/p>\n <\/p>\n
Retention Policy<\/strong><\/p>\n <\/p>\n
So, you have made a start and the board has approved your data protection policy.\u00a0 What\u2019s next?\u00a0 You need to build a comprehensive data retention<\/strong> policy that allows all areas of the business to understand how long personal data items should be kept and crucially when they should be deleted. Moving forward this amounts to more than just the usual HR\/Finance items. Don\u2019t forget with the advent of O365 environment you can put in place great auto delete features on MS Teams chats and emails.\u00a0 As we all know, less emails around means less data breaches and less items to redact in the subject access request process. Ultimately good data control includes compliant deletion as much as retention.<\/p>\n <\/p>\n
Awareness raising and training<\/strong><\/p>\n <\/p>\n
Think of your staff.\u00a0 It is no good having great policies if you don\u2019t implement some simple awareness raising or training.\u00a0 Make the effort to ensure all<\/strong> employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date. The regulator, Information Commissioners Office (ICO), state \u2018All<\/strong>\u2019 should receive training.<\/a><\/p>\n <\/p>\n
The truth is that every colleague is a link in the data protection chain and should know their role in protecting your organisation from breaches or improper retention.<\/p>\n
<\/p>\n
Privacy by design and default<\/strong><\/p>\n <\/p>\n
You\u2019re doing great so far. But hang on, I.T in cahoots with HR have commissioned a new system that involves personal data and haven\u2019t told you. The worst thing is the go live date is next week!<\/p>\n
<\/p>\n
The truth is that these days all improvement programmes should ensure that IT and Procurement are on board from the planning stages, with the whole privacy by design theme. They need to involve data protection at the outset so that your DPO can ensure that this new system can indeed service all the rights of a data subject.\u00a0 It really isn\u2019t going to be good having to tell the ICO that you didn\u2019t know about it when there\u2019s a data breach. No one wants to be the one to tell the board that there\u2019s a fine or other action on the way, as carrying out a Data Protection Impact Assessment (DPIA)<\/a> is mandatory in some cases.<\/p>\n <\/p>\n
<\/p>\n
Rights of a Data Subject – that includes you!<\/strong><\/p>\n\u00a0<\/strong><\/p>\nA business must ensure that it can service all the rights of a data subject. The most common one of these is the right of access. As everyone becomes more aware of how valuable personal data is this right is becoming widely used and will only become more popular as we move along the data journey. People want to know what personal data a business holds on them. Ensure you have an efficient process in place where this can be facilitated. All the personal data you collect on staff or customers must be able to be accessed by them. This can be very time consuming and resource intensive if good procedures are not in place.<\/p>\n
<\/p>\n
Am I done? <\/strong><\/p>\n\u00a0<\/strong><\/p>\nNot quite. Don\u2019t forget your Privacy Notices, Record of Processing Activity (ROPA), Data Breach procedures, International Data Transfers and Cookie Policy to name but a few.<\/p>\n
<\/p>\n
<\/p>\n
What\u2019s coming up in 2022?<\/strong><\/p>\n\u00a0<\/strong><\/p>\nThe Covid-19 aftermath<\/strong><\/p>\n
\u00a0<\/strong><\/p>\n Data Protection Policy<\/strong><\/p>\n <\/p>\n Building a great culture and awareness around data protection starts with getting the basics right; in this case an initial data protection policy. This provides guidance to all in the enterprise about what is expected from staff, what assurances are given from the business around how personal data will be treated.<\/p>\n \u00a0<\/strong><\/p>\n Publish and promote it<\/strong>. Don\u2019t forget to make your organisational colleagues aware of the policy by proper publication and signposting. Your policy should provide assurance, leaving no doubt that personal data will be treated with the utmost respect and confidentiality in line with the data protection principles.<\/p>\n <\/p>\n Retention Policy<\/strong><\/p>\n <\/p>\n So, you have made a start and the board has approved your data protection policy.\u00a0 What\u2019s next?\u00a0 You need to build a comprehensive data retention<\/strong> policy that allows all areas of the business to understand how long personal data items should be kept and crucially when they should be deleted. Moving forward this amounts to more than just the usual HR\/Finance items. Don\u2019t forget with the advent of O365 environment you can put in place great auto delete features on MS Teams chats and emails.\u00a0 As we all know, less emails around means less data breaches and less items to redact in the subject access request process. Ultimately good data control includes compliant deletion as much as retention.<\/p>\n <\/p>\n Awareness raising and training<\/strong><\/p>\n <\/p>\n Think of your staff.\u00a0 It is no good having great policies if you don\u2019t implement some simple awareness raising or training.\u00a0 Make the effort to ensure all<\/strong> employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date. The regulator, Information Commissioners Office (ICO), state \u2018All<\/strong>\u2019 should receive training.<\/a><\/p>\n <\/p>\n The truth is that every colleague is a link in the data protection chain and should know their role in protecting your organisation from breaches or improper retention.<\/p>\n <\/p>\n Privacy by design and default<\/strong><\/p>\n <\/p>\n You\u2019re doing great so far. But hang on, I.T in cahoots with HR have commissioned a new system that involves personal data and haven\u2019t told you. The worst thing is the go live date is next week!<\/p>\n <\/p>\n The truth is that these days all improvement programmes should ensure that IT and Procurement are on board from the planning stages, with the whole privacy by design theme. They need to involve data protection at the outset so that your DPO can ensure that this new system can indeed service all the rights of a data subject.\u00a0 It really isn\u2019t going to be good having to tell the ICO that you didn\u2019t know about it when there\u2019s a data breach. No one wants to be the one to tell the board that there\u2019s a fine or other action on the way, as carrying out a Data Protection Impact Assessment (DPIA)<\/a> is mandatory in some cases.<\/p>\n <\/p>\n <\/p>\n Rights of a Data Subject – that includes you!<\/strong><\/p>\n \u00a0<\/strong><\/p>\n A business must ensure that it can service all the rights of a data subject. The most common one of these is the right of access. As everyone becomes more aware of how valuable personal data is this right is becoming widely used and will only become more popular as we move along the data journey. People want to know what personal data a business holds on them. Ensure you have an efficient process in place where this can be facilitated. All the personal data you collect on staff or customers must be able to be accessed by them. This can be very time consuming and resource intensive if good procedures are not in place.<\/p>\n <\/p>\n Am I done? <\/strong><\/p>\n \u00a0<\/strong><\/p>\n Not quite. Don\u2019t forget your Privacy Notices, Record of Processing Activity (ROPA), Data Breach procedures, International Data Transfers and Cookie Policy to name but a few.<\/p>\n <\/p>\n <\/p>\n What\u2019s coming up in 2022?<\/strong><\/p>\n \u00a0<\/strong><\/p>\n The Covid-19 aftermath<\/strong><\/p>\n