When should I write to the people who hold or process my data?
Organisations are obliged to check that, where another party holds data for them (eg backups) or processes it for them (eg payroll), that party (the data-processor) keeps it private, safe and secure.
This guidance is useful. See page 19: “This is because Article 28.1 says that you must only use a processor that can provide sufficient guarantees in terms of its resources and expertise, to implement technical and organisational measures to comply with the GDPR and protect the rights of data subjects.”
Many organisations have a “standard sheet” that explains that they have all the latest technology and certifications and comply with GDPR. If they don’t, you might write a letter something like this…
At xxxxxxxx we are getting ready for the General Data Protection Regulation (GDPR).
We have recently been mapping the step-by-step processes as people arrive, stay and eventually leave, and looking at what data is held, by whom, why and how it is used. Understanding this helps set up the right roles, goals and controls to ensure that personal data is private, safe and secure.
We use your xxxxxxxxxxx system for processing xxxxxxxxxxxxxx.
Can you summarise your policy, procedures and measures as regards Data Protection and Information Security? Do you have Cyber Essentials or Cyber Essentials-Plus? Or perhaps ISO 27001?
Does your contract cover Data Protection and the data-processor arrangements as regards privacy, security, and the processes for subject-access requests and breach notifications?
I am keen to have something that I can refer to for GDPR Compliance.
NEED SUPPORT WITH GDPR?
Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate resources and suppliers, and there may be grant funding available.
Jersey Charities Q&A
Jersey Data Protection Association list of GDPR events
Data Protection Reform in the Channel Islands
+447797762051 Skype: timhjrogers TimHJRogers@gmail.com