DATA AUDIT
CLIENT: Pängels Virtual and Personal Assistants; Maldon, Essex
INTRODUCTION
The Client business offers PA support, administration, social media skills and marketing, either in person or in a virtual environment. This may involve working at our own premises or at the Client’s premises and on the Client’s systems.
This Data Audit Report for the Client business is based on information provided by the Client and research on the internet.
UK LEGISLATION
The UK data protection legislation, including UK GDPR, is the extant legislation in place to date. It remained in place after the UK left the EU and includes all the same concepts as the EU version of the GDPR.
The Client is based in the UK and subject to the UK legislation.
Protection of data is already in place and therefore there is no issue. Data are all processed electronically or manually by the Client; this makes the Client business the “data controller”. However, some processing may be conducted on the systems of a client of the business (virtually or at their premises); this then makes Pängels the “data processor” under the auspices of the laws, and the work is subject to the data protection policies and procedures of that client.
“PRIVACY BY DESIGN”: This concept is about looking at an organisation internally as a “standalone” and at how data are processed, then making all policies, privacy notices etc. unique to the business while containing the elements required by the ICO. Under the current system this is “best practice”, whereas under UK GDPR it becomes a legal requirement.
Part of this process is to assess compliance. This Data Audit is the means to make this assessment as well as to assess how data are processed and stored.
The company processes personal data/ special categories of data about:
- Staff
- Clients
- Clients of clients
- Clients’ staff (e.g. payroll)
- Suppliers / clients’ suppliers
Data are held in manual and/or electronic format. All feasible security measures are in place where access is restricted, and a private cloud-based service is utilised - the server is UK based. Data may be held manually as well.
PRIVACY NOTICES: This is the new term for “Privacy Policy” or “data protection statement”. There should now be one “main” Privacy Notice drafted. The Client currently has a website, and this should be the main place for publication of the Privacy Notice. There are elements which the ICO expects to be included, set out in its guidance. “Short” privacy notices should then appear on anything produced by the business which collects personal information, including emails.
The Privacy Notice may be shared with any prospective Clients to demonstrate compliance with UK legislation.
DATA RETENTION: This is important and a main feature of UK data protection legislation. Data may be held about Pängels and/or their clients. You should record what data you hold, on whom, and how long you keep it for; this may be determined by law, as with tax records. You should also record where the data are held, i.e. electronically (Cloud or local server), on paper, or both.
SUBJECT ACCESS REQUEST: The ICO has been conducting data audits for quite a while now. They look for a procedure being in place to handle any Subject Access Requests.
ACCOUNTABILITY: This is new documentation under the UK GDPR and is not intended to contribute to the “Transparency” of the business’s compliance to the outside world. However, this document should be drafted and held within the business should the ICO ever request it. There is guidance from the ICO on the concepts they expect to be included. Again, it may be shared with prospective clients to demonstrate compliance.
Please contact info@pangels.co.uk to find out more information.