Information about GDPR
Internal procedures and instructions for employees
According to the principle of accountability, the company must be able to prove that it complies with the GDPR in practice. One way to do this is by documenting internal procedures and processes in writing. It is also an excellent way to inform the employees about how to handle personal data in practice. In this way, the company can more easily ensure that employees process personal data correctly, according to the written procedures. There are therefore several advantages to having written procedures in place.
Complement internal routines with checklists
A useful complement to written procedures is a set of checklists that employees can use in specific situations. A checklist lists the critical action points and steps to carry out in that situation, for example one to follow when collecting consent, or one to follow in the event of a personal data breach.
Examples of internal procedures and written instructions to employees
Below we compile a few examples of internal procedures and instructions to employees that companies can implement and draw up in writing. Please note that there are many more internal procedures than the ones we mention here, depending on the company’s business and needs.
Internal authorisation management procedures
It is important to control employees’ permissions and access rights to systems that process personal data. The purpose is to ensure that only those employees who need access to the personal data have access to it.
Benefits of implementing authorisation management
Limiting access to personal data to those employees who need it for their work reduces the number of people who can misuse or accidentally expose the data, and limits how much data is affected if an individual account is compromised. A documented procedure for granting, reviewing and revoking access rights also gives the company evidence, under the principle of accountability, that access to personal data is actually controlled in practice.
Internal procedures for handling data subjects' requests for exercising their rights under the GDPR
According to the GDPR, data subjects have several rights regarding their personal data, among them the right of access to the personal data being processed, the right to rectification of personal data and the right to erasure of personal data.
When a data subject submits a request to the company to exercise one of these rights, the company must be able to handle it correctly. The request must be dealt with without undue delay and in any event within one month of its receipt. Where necessary, taking into account the complexity and number of requests, the time limit may be extended by a further two months, in which case the data subject must be informed of the extension and the reasons for it within the first month.
The response must comply with the content requirements
Written internal procedures make it easier for employees to handle data subjects' requests correctly, in accordance with the rules of the GDPR. The GDPR contains clear provisions on what the response to the data subject must contain. Failing to handle a data subject's request correctly is a violation of the GDPR, and it is therefore important to instruct employees on how to do this properly.
Create response templates that employees can use
By implementing clear written procedures, employees can more easily respond to the data subject's request and handle it correctly in accordance with the GDPR. For example, the company may also include in its internal procedures response templates that employees can use. This ensures more consistent communication on the part of the company, and guides the employee in practice. Of course, the employee needs to adjust and adapt response templates to each individual case, but it is much easier than formulating a correct response from scratch.
Internal procedures for handling personal data breaches under GDPR
It is very important that the company handles personal data breaches quickly and efficiently. A personal data breach must be notified to the supervisory authority without undue delay and, where feasible, not later than 72 hours after the company became aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects; if the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to the data subjects, the company must also inform the data subjects concerned. It is therefore essential that the company has prepared internal procedures for dealing with such situations. Time is scarce in these situations, and written procedures make it much easier to carry out all the steps required in the event of a personal data breach.
Checklist for easy overview of important steps to implement
An internal routine for handling personal data breaches can usefully be complemented by a checklist. This makes it easier for employees to quickly get an overview of the most critical steps that need to be taken in order for the company to act correctly in accordance with GDPR. The information about the incident must flow internally within the company to relevant parties, such as the board, partners, etc. At the same time, the internal investigation of the incident must begin, and then people from the IT department or data processors may also need to be involved in the process.
Document each personal data breach in a logbook
The company should carefully record all measures taken and document the course of events in a logbook for the personal data breach in question. The GDPR requires the company to document every personal data breach, including the facts relating to it, its effects and the remedial action taken, so that the supervisory authority can verify compliance. The documentation may also be needed in connection with a legal process or similar, so it is worth being thorough. For example, the company should document when it became aware of the personal data breach (date and time), a description of the course of events, and a record of the actions taken after the discovery (time stamps and descriptions).
Instructions for internal information sharing
The internal procedures for handling personal data breaches should also state clearly which individuals within the company are to be contacted in such a case, so that an employee who discovers an incident knows who to turn to.
Internal procedures for collecting and registering consents under the GDPR
Companies that process personal data based on consent must be able to prove the consent obtained and its validity. Therefore, it is important that the company ensures that the obtained consents are documented in a structured and clear manner.
The GDPR defines consent of the data subject as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The GDPR thus contains strict rules and requirements that need to be met in order for consent to be considered valid. One way companies can try to ensure the collection of valid consents is to establish written internal procedures that employees should follow in such a process. In this way, the company can make it easier for employees to collect valid consents. The documented internal procedure for handling consents can also usefully be supplemented by a checklist that employees must follow. The purpose of the checklist should be to ensure that employees do not miss any critical step in the process.
When consent has been obtained, the company should also record this in a logbook of consents, noting among other things when the consent was collected, the purpose of the processing of the personal data and what information the data subject received when the consent was collected. Since the company must be able to demonstrate that the data subject has consented, this documentation can later be used to prove the consent and the lawfulness of the processing.