In this ‘Practical Privacy Series’ our aim is to give the benefit of our experience to those of you who may be building a privacy compliance programme for the first time. You may only have a limited understanding of data protection and privacy. Perhaps this is not your main job. Or perhaps you are relatively new to creating and maintaining data protection compliance programmes. It may be that you know the law, but you’ve never put it into practice before.
We appreciate that in these circumstances certain jobs may appear daunting. Or you may want the confidence to know that you are on the right track, or that there are certain things that everyone finds tricky. Hopefully, we can help and give you the confidence to get this right.
The big picture
You need to be transparent and accountable for the personal data that you process. The idea behind choosing a lawful basis is to make you think about what personal data you have, what you do with it and what rights you have to do it. If you don’t have a right, you can’t do it. And if you do have a right, you have to exercise it in the right way. Processing has to be fair and legal. Simples.
Start with an inventory
You start thinking about personal data by coming up with a list of the people whose personal data you process, e.g. staff, suppliers, regular customers, visitors to your website, people responding to advertisements, etc. You write this down. You then get people throughout your organisation to come up with their own lists and write them down. At The Privacy Compliance Hub we call these people ‘Privacy Champions’.
Your Privacy Champions discuss the lists and come up with an agreed list. You then add to this list the types of personal data each category of person is trusting you with. You write this down and agree it.
You use this list to start mapping your data flows. These maps show in a visual format the way personal data is collected, stored, used and shared by your organisation. You then need to use these data flows to create an inventory, which is sometimes called an ‘Article 30 Record’. This records what your organisation is doing with personal data and demonstrates that you are thinking logically and holistically about your processing of personal data.
You are now ready to decide whether you have a lawful basis, but first you need to decide whether you really need one.