Areas of Practice
Compliance with the GDPR requires very specific GDPR-related documentation to be in place.
Here is a range of the essential documents:
Record of processing activities
As a company processing personal data, you must keep a record of processing activities. This record is a document that allows you to monitor and keep track of all the processing operations that you carry out. This record is also essential in case of an inspection by the Data Protection Authority.
– The key word is “transparency” –
The GDPR provides for an obligation to inform data subjects about the data processing you carry out.
Transparency is the key word: what personal data do you process, what do you do with it, is it passed on to other entities, how long is it kept, etc. These are the questions you need to ask yourself.
Data subjects also have rights under the GDPR. It is therefore important to inform them of the existence of these rights and how they can exercise them.
Contracts with partners
It is necessary to control the contracts with your partners, which are mainly your processors (but not only). The GDPR imposes specific obligations between the data controller and its processors, in particular a greater accountability of the latter. Processor contracts are therefore essential in practice, because a lot of data passes through your processors when they process it on your behalf.
When data is transferred to other partners so that they can reuse it for their own purposes, this transfer between two entities must also be regulated. In most cases, it will be appropriate to set up contracts for joint data controllers.
Existing contracts also need to be adapted by making changes, particularly in terms of confidentiality and physical or computer security of data. Each relationship must therefore be analysed and framed, and it is not always easy to understand the role of each party.
Internal data management policies
The purpose of these policies is to establish a global vision of the flow of data within the company and to define the tasks and responsibilities of everyone in terms of data management. This type of policy is also a tool for raising awareness within the company as it allows you to inform your employees internally.
There are several types of internal policies, including:
- Incident Management Policy: With this policy, you make your employees aware of data leaks and give them a step-by-step escalation procedure so they can react immediately.
- Policy on the Management of Legal Practice: This is a guide to how the company responds, often via its DPO, to data subjects’ rights requests.