Organisations must be in a position to explain to individuals exactly why their personal data is needed, the lawful reason for processing it and, if necessary, why it must continue to be processed. They should, therefore, start, and continue, to review and analyse:
- The personal data being processed
- What actually happens across the business – consult both senior management and front line staff about how personal data is obtained and used
- All documentation, fair processing information, website information, policies and procedures, staff awareness etc. that relate to compliance with the existing data protection legislation
- The current governance and security arrangements
- The retention of personal data (including archives)
- How the business manages the exercised rights of individuals, such as subject access requests, withdrawal of consent, opt outs from marketing
Resources are available below and in the document library to assist organisations in moving towards compliance with the law.
(Please note: although the Closer Look guides below refer to the 'GDPR', the articles and recitals cited are the same as those in the Isle of Man Applied GDPR. These will be updated in due course.)
- The UK National Cyber Security Centre has published a cyber security guide for charities and one for small businesses, although these can be informative for an organisation of any size
- The European Commission "Data protection - Better rules for small business"
- The New Zealand Information Commissioner has published guidance on privacy impact assessments.
- Other resources are available including guidance and advice from law firms such as Bird & Bird, Hunton & Williams, Eversheds, 11KBW, Hogan Lovells, DLAPiper microsite, the IAPP and many others.
- The GDPR - Steps towards compliance
- GDPR Toolkit: Part 1: Know Your Data: Mapping the 5 W's
- Know Your Data - Mapping Pages
- GDPR Toolkit: Part 2: Accountability questionnaire for the Board
- 10 things you need to know and do
- New Data Protection Laws Summary
- A closer look at Definitions
- A closer look at Transparency
- A closer look at Principles
- A closer look at Data Protection Officer
- A closer look at Records of Processing
- A closer look at Rights and Remedies
- A closer look at Accountability