Data controllers old

Once you have completed your information audit, you should document your findings, for example in an information asset register. Doing this will also help you to comply with the GDPR’s accountability principle, which requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.

If you have less than 250 employees then you must keep records of any processing activities that:

* are not occasional;

* could result in a risk to the rights and freedoms of individuals; or

* involve the processing of special categories of data or criminal conviction and offence data.

If you have over 250 employees, you must record the following information:

* name and details of your business (and where applicable, of other controllers, your representative and data protection officer);

* purposes of the processing;

* description of the categories of individuals and categories of personal data;

* categories of recipients of personal data;

* where applicable, details of transfers to third countries including documentation of the transfer mechanism safeguards in place;

* retention schedules; and

* a general description of technical and organisational security measures.

You may be required to make these records available to the ICO on request.

You need to identify lawful bases before you can process personal data and special categories of data.

Your lawful bases for processing have an effect on individual’s rights. For example, if you rely on someone’s consent to process their data, they will have a stronger right to have their data deleted. It is important that you let individuals know how you intend to process their personal data and what your lawful bases are for doing so, for example in your privacy notice(s).

See the table at the link below for further information on this.

Guide to the GDPR - Lawful bases for processing

The GDPR sets a high standard for consent but remember you don’t always need consent. You should also assess whether another lawful bases is more appropriate.

Consent means offering people genuine choice and control over how you use their data. You can build trust and enhance your business by using consent properly.

The GDPR builds on the DPA standard of consent in several areas and contains much more detail:

* Keep your consent requests separate from other terms and conditions.

* Consent requires a positive opt-in. Use unticked opt-in boxes or similar active opt-in methods.

* Avoid making consent a precondition of service.

* Be specific and granular. Allow individuals to consent separately to different types of processing wherever appropriate.

* Name your business and any specific third party organisations who will rely on this consent.

* Keep records of what an individual has consented to, including what you told them, and when and how they consented.

* Tell individuals they can withdraw consent at any time and how to do this.