Additionally, where that data is held by or shared with a third party, there needs to be some form of data-controller/data-processor agreement detailing the roles, goals and controls for the management of that data.
GDPR Checklist for Third Party Agreements
https://gdprjerseyarticles.blogspot.com/2018/02/gdpr-checklist-for-third-party.html
In many cases that third party may be a government department. So it makes sense for the government department to detail its policy, procedures, templates etc., so as to be clear and consistent in all its dealings, rather than create a bespoke solution and documentation for every organisation with whom it shares data.
Having a standard approach and template agreements will help reduce cost, raise awareness and ensure best practice. Surely this is better than every business having a slightly different approach to sharing data with that government department?
In the meantime I have been writing letters along the following lines to support my clients in becoming GDPR compliant and in evidencing the roles, goals and controls for the management of data held for, or shared with, government.
Dear XXXXXX

FOI: General Data Protection Regulation (GDPR)
Many organisations hold personal data [as defined by GDPR] for the States or shared with the States (for example ID, Tax and Social Security information, and in some cases special-category data such as medical information).

What are the requirements of the States in relation to that data? Do you have guidance and model data-controller/data-processor agreements, as required by GDPR, that can be shared to encourage a standardised approach based on best practice?
For example:

· What personal data should be held for the States or shared with the States? (Examples: DBS checks? ID records? Staff records?)

· What should the retention period be for personal data held for the States or shared with the States? (Examples: 1 year, 3 years, 10 years?)

· What information security measures should be applied to personal data held for the States or shared with the States? (Examples: Cyber Essentials? ISO 27001?)
Perhaps this would be better submitted as a Freedom of Information request, so that the reply can be used as a standard for all organisations seeking to address the requirements of GDPR?
Yours sincerely