#10 Data Privacy Best Practices: Training & Record Keeping
#10 Data Privacy Best Practice: Evaluate your internal policies including training and record keeping.
My recent posts in this series have discussed best privacy practices for the hypothetical software company BizConnect. These practices have included: a) drafting a GDPR-compliant privacy policy; b) self-certifying under the Privacy Shield for transfers of EU personal data; c) adopting GDPR model clauses for transfers of EU personal data; d) deciding whether to conduct a DPIA and/or adopt a Code of Conduct; e) discussing why BizConnect should draft an internal written data security plan, obtain SSAE-18 audit reports, and adopt a Business Continuity Plan; f) considering whether it is necessary to appoint a DPO and how to comply with Article 27 (data representative appointment); and g) considering DPO contractual issues regarding controller indemnification and subprocessor changes.
This post focuses on record keeping and training requirements under GDPR.
BizConnect, a small SaaS company, offers enterprise customers a platform to strategically set and execute their company goals. Personal data of the enterprise customers’ employees is uploaded to the platform so that those employees can participate in their employer’s SaaS subscription.
This article focuses on Article 30’s record keeping requirement as well as training requirements related to data subject requests, incident response and other general GDPR related provisions.
Recordkeeping
Article 30 of the GDPR prescribes specific formal record keeping requirements, which cover both data controllers and data processors, and include the following: a) name and contact details of the controller (or processor); b) descriptions of the purpose of the processing; c) the categories of data subjects and categories of personal data; d) categories of recipients of the data; e) information regarding transfer of that data outside the country where it was collected; f) time limits on retention of such data; and g) description of the technical and organizational security measures implemented.
The U.K.’s Data Protection Authority, ICO, offers further guidance on record keeping requirements under Article 30.
There is an exemption that at first glance appears to provide BizConnect with some breathing room. Article 30 states “the obligations referred to [herein] shall not apply to an enterprise or an organization employing less than 250 employees.”
That would seem to be good news for BizConnect, as it has far fewer than 250 employees. However, there is a catch: the provision goes on to say that certain types of processing will fall under the record keeping requirement regardless of employee count. The two types of processing that cannot qualify for the exemption are 1) processing likely to result in a risk to the rights and freedoms of data subjects and 2) processing involving special categories of data.
BizConnect can comfortably say its processing does not fall under 1 or 2 above. However, there is one more catch. The exemption does not apply if the “processing is not occasional.”
Unfortunately, there is no specific guidance on what “occasional” means. As discussed in Data Privacy Best Practice #7, many experts interpret the meaning of “occasional processing” very narrowly, meaning that few companies would be able to successfully argue their processing is occasional.
Recommendation: The cautious approach for BizConnect would be to work toward compliance with Article 30’s record keeping requirements.
Training
Adequate training is important, especially for any employees and contractors who access personal data covered by the GDPR. It is insufficient to have a written security plan in place but never train the people who will be responsible for its effective operation.
These areas of training are addressed below: a) data breach notification; b) data subject requests; and c) assisting data controllers with audits and DPIAs.
Data Breach Notification
Data controllers are required to notify data subjects and Data Protection Authorities within 72 hours of notice of a security breach. Data processors have a little more leeway, as the requirement is that they notify the data controller “without undue delay” once they know of a data breach. Training needs to ensure that the company has a protocol for responding to data breaches and that the protocol complies with the above standards.
For example, if BizConnect’s subprocessor contacted someone in IT to report that they had a security incident and were investigating, what would that IT person do? Who should they communicate with, and by which means? That is the internal escalation plan. There should be a lead person already identified, such as the CIO if the company has that position. It could be the CFO or the CEO for a small company.
That person, let’s assume it’s the CFO, should contact legal counsel immediately. Besides GDPR responsibilities, there are data breach notification laws in nearly every US state that must be considered. Working with legal counsel, the CFO would create the plan for external communication while monitoring the internal actions aimed at isolating, minimizing, and remediating any damage from the data breach.
The data controller has to do an analysis to determine whether the data breach meets the GDPR threshold of “likely to result in a high risk to the rights and freedoms of natural persons.” If yes, then the data controller needs to notify the data subjects directly as well as communicate with the applicable Data Protection Authorities.
BizConnect acts as a data controller for only a very limited amount of personal data, namely the contact information of its enterprise customers. For example, if John Doe, the CFO of XYZ, provides his email contact information while subscribing to the BizConnect platform, then BizConnect would be the data controller for John Doe’s personal data. This is a much smaller amount of data than the enterprise customers’ employees’ personal data that is processed on the BizConnect SaaS platform.
Data Subject Requests
If a data subject contacts BizConnect, what should BizConnect do? As a data processor, BizConnect should notify the data controller (its enterprise customer) and work with them. BizConnect’s data processing addendum should state this as well.
Assisting Controllers with Audits and DPIAs
Finally, the GDPR requires data processors to cooperate with data controllers on the controllers’ obligations regarding DPIAs and audits. BizConnect should designate the appropriate personnel to work with data controllers who may make these requests.