Under GDPR organisations must be able to prove that they are compliant with the regulation. This is known as ‘accountability’.
You will need to put in place appropriate policies and procedures [appropriate means suited to your organisation; one size does not fit all] and train staff so that they can demonstrate they understand them. Every organisation should have at least a data protection policy and an information security policy.
Other documents, policies and procedures to consider putting in place [the list is not exhaustive] include:
- Fair processing (privacy) notices to give to employees and customers;
- Procedures for dealing with requests by people to exercise their rights, e.g. subject access;
- A data sharing agreement;
- A teleworking (working outside the office) policy;
- A document classification scheme;
- An encryption policy;
- A password policy;
- Incident management procedures;
- Contracts with data processors.
For further information please contact us.