GDPR - Documenting Personal Data Processing
(25 May 2018)
Today the GDPR becomes enforceable across the EU. The new UK Data Protection Act 2018 is also now in force, replacing the Data Protection Act 1998 and making provisions for how the UK government applies the GDPR. In the lead up to GDPR enforcement the Information Governance Unit has been presenting a series of communications that draw from guidance available on the Data Protection webpages. This week the focus is on documenting our data processing activities and on the disposal of personal data. For more information about data protection and information governance, please visit the Information Governance webpages, and for more information about each of the Individual Rights, please see this page.
GDPR - Documenting Personal Data Processing
The GDPR requires data controllers to document their data processing activities. We do this in a number of ways. Recently we have been collating Information Asset Registers that capture information about our personal data processing activities and are currently analysing those returns. There are other ways in which we need to document our activities, including:
- Data Protection Impact Assessments (DPIAs), which are used to identify the privacy risks associated with the processing of personal data and to implement appropriate controls to manage those risks. These are key documents in building ‘privacy by design’ into processing activities and should be used when planning a new data processing activity.
- Data management plans for research activities, which fulfil a similar role to DPIAs.
- Ensuring data processing agreements and contracts are in place with third parties that we use for data processing activities (data processors), as well as data sharing agreements with other data controllers or joint data controllers.
- Privacy Notices that inform data subjects about the personal data processing we are carrying out on their personal data.
GDPR - Disposal of Personal Data
Disposal of personal data is necessary when it is no longer required, or where no lawful basis for processing it can be determined. This includes processing activities carried out on our behalf by third parties.
- Refer to the University Records Retention Schedule for guidance on the length of time information assets should be retained. Older personal data must only be retained where there is a strong requirement, like a legal obligation.
- Regular weeding of personal data is recommended.
- Disposal may include transfer to the University Archives and Special Collections, or destruction. Where destruction is required, small volumes of personal data can be shredded locally; for larger volumes the University Secure Shredding Procedure must be followed.