As discussed in the previous blog on security assessments, the GDPR requires the controller and the processor to implement appropriate technical and organizational measures. Examples of organizational measures are policies and procedures, and two of the recommended security policies are: (1) a Data Protection Policy, and (2) a Data Retention and Erasure Policy.
The Data Protection Policy sets forth the organization’s practices by which personal data should be protected and identifies the roles and responsibilities of the organization’s users of the personal data. In order for the organization to protect and safeguard personal data, procedures should be in place to provide clear guidance regarding the security of personal data, to protect against personal data breaches, and to provide clear guidance regarding the proper disposition of personal data. Common provisions in such a policy include:
- Appropriate assessments should be conducted to identify reasonably foreseeable internal and external risks to the security of personal data that could result in a personal data breach, and the sufficiency of technical and organizational security measures in place to control these risks should be assessed.
- Data users should have access only to specific personal data if access to that personal data is needed to fulfill their job responsibilities.
- Before data users are allowed access to personal data, they should be trained in the use and attributes of the personal data applicable to their responsibilities and in the procedures applicable to their role and function.
- Data users are responsible for keeping personal data accurate and up to date.
- Personal data should be used only for the organization’s business purposes and should not be used for personal purposes.
- A testing program that includes an assessment of the effectiveness of the procedures regarding the management of personal data should be conducted.
The Data Retention and Erasure Policy sets forth the manner in which the organization retains its personal data in accordance with the requirements of all applicable laws and disposes of personal data when they are no longer needed. Personal data retained for longer than is necessary, i.e., essential for the purpose pursued by the business, carries additional risk and cost. Common provisions in such a policy include:
- Personal data only should be retained for legitimate business uses and should not be retained for longer than is necessary for their lawful purpose.
- Where practicable, personal data generally should be organized and stored according to general categories in a manner that best facilitates the efficient administration of business operations.
- Confidential personal data should be labeled and/or stored in a manner to limit access to those organization employees or other individuals with authorization to view such personal data.
- A default standard retention period should be determined, but certain types of personal data (e.g., special categories of personal data) should be retained for shorter periods of time.
- A retention schedule should be established and maintained.
- If personal data are no longer required, they should be destroyed, erased or otherwise made unreadable prior to disposition.
- Any disposition of personal data must be suspended in the event of an audit, litigation, or investigation related to the personal data.
This blog is the 30th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation. Each of the bite size pieces is part of one of the eight topics in GDPRsimple.
Next blog: When is a data protection impact assessment required and how is it conducted?