13 February 2018 #Data Protection
The ICO have recently published further guidance on the upcoming GDPR and the records that organisations (both data controllers and processors) need to keep of their processing activities and of the lawful basis for such processing.
The GDPR places great emphasis on accountability and on organisations being able to proactively demonstrate their compliance with the GDPR. The ICO guidance makes it clear that some organisations with fewer than 250 staff may not need to keep as comprehensive a record as larger organisations. However, given that employers will frequently be processing personal data in the day-to-day running of the organisation, the accountability provisions will still apply. Examples of what needs to be documented are set out in the guide.
All organisations should be preparing themselves for the GDPR and the changes coming into force on 25 May. Existing records and privacy notices should be reviewed to ensure that they will still be compliant once the GDPR comes into force.
If you need any advice on preparing for the GDPR, or need a hand updating your privacy policies, please contact our data protection team.