Organisations are obliged to check that where other people
hold data for them (e.g. backups) or process it for them (e.g. payroll), the other person (the data processor) keeps it
private, safe and secure.
This guidance is useful.
See page 19: “This is because Article 28.1 says that you must
only use a processor that can provide sufficient guarantees in terms of its
resources and expertise, to implement technical and organisational measures to
comply with the GDPR and protect the rights of data subjects.”
Many organisations have a “standard sheet” that explains
that they have all the latest technology and certifications and comply with
GDPR. If they don’t, you might write a letter something like this…
Dear xxxxxx
At xxxxxxxx we are getting ready for the General Data Protection Regulation (GDPR).
We have recently been mapping the step-by-step processes as
people arrive, stay and eventually leave, and looking at what data is held by
whom, why and how it is used. Understanding this helps set up the right roles,
goals and controls to ensure that personal data is private, safe and secure.
We use your xxxxxxxxxxx system for processing xxxxxxxxxxxxxx.
Can you summarise your policy, procedures and measures as
regards Data Protection and Information Security? Do you have Cyber Essentials
or Cyber Essentials Plus? Or perhaps ISO 27001?
Does your contract cover Data Protection, and the data-processor
arrangements as regards privacy, security and processes in relation to
subject-access-requests or breach notifications?
I am keen to have something that I can refer to for GDPR
Compliance.
Yours Sincerely
xxxx
NEED SUPPORT WITH GDPR?
Jersey Community Partnership and Association of Jersey
Charities are looking to co-ordinate resources and suppliers, and there may be
grant funding available.
Jersey Charities Q&A
Jersey Data Protection Association list of GDPR events
Data Protection Reform in the Channel Islands
CONTACT
TimHJRogers@AdaptConsultingCompany.Com
+447797762051 Skype: timhjrogers TimHJRogers@gmail.com