The privacy notice is a document for people whose data you will control and/or process. This may include employees, customers, students, prospects and service users. The notice informs and empowers these stakeholders by setting out what data will be used, how it is obtained, how it is used and their rights to this data. The privacy notice should be actively communicated to the affected people – especially when you are relying on the consent of the data subjects to lawfully hold and process their data.
Data subjects’ rights
Everyone whose personal information is held (‘data subjects’) has explicit rights under GDPR:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to data processing
As an organisation you must ‘implement appropriate technical and organisational measures’ to protect data and demonstrate compliance. The level of security required is proportionate to the sensitivity of the data, i.e. how much the unauthorised destruction, disclosure or processing of that data would harm an individual’s interests. You should carry out a data protection impact assessment so that you understand and mitigate the risks involved in processing personal data.
GDPR does NOT require that you encrypt all personal data; the corollary of this is that encryption alone may not be sufficient to comply with the regulations. Consult your data protection officer or IT service provider for advice on when encryption should be used and what further measures are needed. Encrypting data in transit and on portable media, such as email attachments, backup drives and USB keys, is sensible and proportionate – but it’s useless if your operating system and anti-virus aren’t up to date, for example.
How Blue Compute can help
Here at Blue Compute we’ve a wealth of experience in data management and technical regulatory compliance. Specific services we can provide to ease the GDPR process include:
- Conduct a data audit of your business to identify all sources of personal data
- Produce a bespoke privacy notice and data policy specific to your organisation
- Implement data encryption where required (and advise on where this is required)
- Provide complete network management to ensure system integrity and identify / prevent data breaches
- All aspects of consultancy and advice aimed at making GDPR compliance an easy and straightforward process for your business