Control measure: Comprehensive data mapping exercises are carried out, providing a clear understanding of what information is held and where.
Risk: Without management understanding of what personal information is processed, by whom, where, and who it is shared with, there is a risk of a data breach happening that is uncontrolled or unseen. Information may be lost, misplaced or processed unlawfully. This may breach articles 5(1)(f), 5(2), and 32 of the UK GDPR.
Ways to meet our expectations:
- Carry out information audits (or data mapping exercises) to find out what personal information is held and to understand how the information flows through your organisation.
- Keep the data map up to date and clearly assign the responsibilities for maintaining and amending it.
- Consult staff to make sure that there is an accurate picture of processing activities, for example by using questionnaires and staff surveys.
Options to consider:
- Use a system that automatically prompts key staff or managers to update details about their information flows.
- Procure software that maps information flows through IT systems automatically.
- Assign a named staff member in each area or department to complete information audits and update details.
Have you considered the effectiveness of your accountability measures?
- Would staff say that there was an effective process in place to identify what personal information is held across the organisation?
- Could staff explain their responsibilities and how they are carried out in practice?
- Would the record match what people were currently doing?
Control measure: There is a formal, documented, comprehensive and accurate record of all processing activities (ROPA) based on a data mapping exercise that is reviewed regularly.
Risk: Without a ROPA, there may be a breach of UK GDPR article 30. If the ROPA does not have its foundation in a data mapping exercise, it may not be complete, accurate, or contain the necessary information, and not comply with UK GDPR article 30.
Ways to meet our expectations:
- Record processing activities in electronic form so you can add, remove and amend information easily.
- Review the record against processing activities, policies and procedures to ensure that it remains accurate and up to date, and clearly assign responsibilities for doing this.
- Regularly review the processing activities and types of information you process for data minimisation purposes.
Options to consider:
- Provide training to staff involved in the assessment of processing activities so they understand how to complete the data mapping exercises and update the ROPA.
Have you considered the effectiveness of your accountability measures?
- Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the information is minimised?
- Could staff explain their responsibilities and how they carry them out in practice?
Control measure: The ROPA contains all the relevant requirements set out in Article 30 of the UK GDPR.
Risk: Without a ROPA, there may be a breach of article 30 of the UK GDPR.
Ways to meet our expectations:
- Ensure the ROPA includes (as a minimum):
  - your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
  - the purposes of the processing;
  - a description of the categories of people and of personal information;
  - the categories of recipients of personal information;
  - details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
  - retention schedules; and
  - a description of the technical and organisational security measures in place.
- Document an internal record of all processing activities carried out by any processors on behalf of your organisation.
Options to consider:
- Where you are acting as a processor, include in the record of processing activities:
  - the name and contact details of each controller that the processor is acting on behalf of;
  - where applicable, the name and contact details of the controller and processor representatives and the DPO;
  - the categories of processing carried out on behalf of each controller;
  - details of transfers to third countries, including documenting the transfer mechanism safeguards in place; and
  - a description of the technical and organisational security measures in place.
Have you considered the effectiveness of your accountability measures?
- Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the information is minimised?
- Could staff explain their responsibilities and how they carry them out in practice?
Control measure: The ROPA includes links to other relevant documentation, such as contracts or records as a matter of good practice.
Risk: If there is no link between the ROPA and other relevant documentation it makes it more difficult to keep these individual records up to date, aligned and consistent.
Ways to meet our expectations:
- The ROPA also includes, or links to, documentation covering:
  - information required for privacy notices, such as the lawful basis for the processing and the source of the personal information;
  - records of consent;
  - controller-processor contracts;
  - the location of personal information;
  - DPIA reports;
  - records of personal data breaches;
  - information required for processing special category information or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and
  - retention and erasure policy documents.
Options to consider:
- Combine the various documentation logging and storage systems so all relevant documentation is kept centrally in one overarching system or location.
Have you considered the effectiveness of your accountability measures?
- Do staff understand how to access other relevant documentation linked to the ROPA?
- Is it easy for staff to access relevant documentation from the ROPA?
- Could staff explain this process and how it impacts their role?
Control measure: The lawful basis for processing personal information is documented and appropriately justified in line with Article 6 of the UK GDPR (and Articles 9 and 10, if the processing involves special category or criminal offence data).
Risk: Without properly identifying and documenting the choice of lawful basis, there is a risk that obligations under UK GDPR articles 5(1)(a), 5(2), 6, 9, and 10, or DPA 2018 schedule 1 are not met. Processing may be unlawful if no lawful basis is in place.
Ways to meet our expectations:
- Select the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.
- Document the lawful basis (or bases) relied upon and the reasons why.
- If your organisation processes special category or criminal offence data, identify and document a lawful basis for general processing and an additional condition for processing this type of information (or in the case of criminal offence data, identify the official authority to process).
- In the case of special category or criminal offence data, document consideration of the requirements of Article 9 or 10 of the UK GDPR and Schedule 1 of the DPA 2018 where relevant.
- Where Schedule 1 requires it, have an appropriate policy document including:
  - which Schedule 1 conditions you are relying upon;
  - what procedures you have in place to ensure compliance with the data protection principle;
  - how you will treat special category or criminal offence data for retention and erasure purposes;
  - a review date; and
  - details of the person assigned responsibility for the processing.
- Identify the lawful basis before starting any new processing.
Options to consider:
- Determine the most appropriate lawful basis (or bases) by considering the purposes of the processing activities.
- Ensure that staff making decisions about the most appropriate lawful basis or condition, or both, are sufficiently trained to do so.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the need to identify a lawful basis for processing personal information?
- Can they identify an appropriate lawful basis?
- Are they aware of the additional requirements to protect special category and criminal offence data?
Control measure: Information about the purpose of the processing and the lawful basis is made publicly available. This is easy to locate, access and read.
Risk: If people are unable to locate, access and read information about the purpose of the processing and what lawful basis is relied on, they will be unable to make informed choices over the use of their personal information or to exercise their rights.
Ways to meet our expectations:
- Make information about the purposes of the processing, your lawful basis and relevant conditions for processing any special category or criminal offence data publicly available in your organisation's privacy notice(s).
- Provide information in an easily understandable format.
- If there is a genuine change in circumstances, or if your lawful basis must change due to a new and unanticipated purpose, inform people in a timely manner and record the changes.
Options to consider:
- Carry out user testing to evaluate how effective privacy information is.
Have you considered the effectiveness of your accountability measures?
- Would customers agree that your privacy notice is easy to find, access and understand?
Control measure: Where relying on consent for the processing of personal information, the consent mechanism is:
- specific;
- granular;
- prominent;
- opt-in;
- documented; and
- easily withdrawn.
Risk: If consent requirements are not met, the consent gathered is not explicit and so is not valid. This could lead to a breach of UK GDPR articles 6 and 9. Without keeping these records, there may be a breach of UK GDPR article 5(2) and difficulty determining how current the recorded consent is. This risks acting inappropriately on outdated consent.
Ways to meet our expectations:
- Ensure consent requests:
  - are kept separate from other terms and conditions;
  - require a positive opt-in and do not use pre-ticked boxes;
  - are clear and specific (not a pre-condition of signing up to a service);
  - inform people how to withdraw consent in an easy way; and
  - give your organisation’s name as well as any third parties relying on consent.
- Record what a person has consented to, including what they were told and when and how they consented. Ensure the records are thorough and easy for relevant staff to access, review and withdraw if required.
- Have evidence and examples of how consent is sought from people, for example online forms or notices, opt-in tick boxes or paper-based forms.
Options to consider:
- Ensure consent records are comprehensive and informative.
- Make consent records readily accessible for those staff who require them.
- Consult with customers to ensure they understand the processes for managing their consent.
Have you considered the effectiveness of your accountability measures?
- Do staff agree that the records of consent are easy to access, understand and review?
- Do customers say that you make it easy to understand and manage consent?
Control measure: There is a proactive review of records of previously gathered consent, which demonstrates a commitment to confirming and refreshing the consents.
Risk: The nature of the processing may change sufficiently to no longer be what was consented to, if consent is not regularly reviewed. This may breach articles 6 and 9 of the UK GDPR.
Ways to meet our expectations:
- Have a procedure in place to review consents to check that the relationship, the processing and the purposes have not changed, and to record any changes.
- Have a procedure in place to refresh consent at appropriate intervals.
- Use privacy dashboards or other preference management tools to help people manage their consent.
Options to consider:
- Check that staff are aware of the process to review consents.
- Consult with customers to check they can easily find, access and understand their consent preferences.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the process to review consents?
- Is the procedure easy to find, access and understand?
- Do people say it was easy to manage their consent preferences?
Control measure: There are effective systems in place to conduct risk-based age checks and, where required, to obtain and record parental or guardian consent.
Risk: Consent for information processing may not be valid or informed if:
- children are not competent to understand it;
- children are too young to provide consent themselves; or
- parental consent is not obtained and recorded, where required.
This may breach UK GDPR articles 6(1)(a) and 7, as well as article 8 and the ICO Age Appropriate Design Code (AADC) where an information society service processes children’s information.
Ways to meet our expectations:
- Make reasonable efforts to check the age of those giving consent, particularly where the person is a child.
- Ensure you have a reasonable and effective procedure to determine whether the person in question can provide their own consent, and if not, an effective way to gain and record parental or guardian consent.
- When providing online services to children, ensure there are risk-based age checking systems in place to establish age, with an appropriate level of certainty based on the risks to children's rights and freedoms.
- When providing online services to children, if the child is under 13, have records of parental or guardian consent which are regularly reviewed, and make reasonable efforts to verify that the person giving consent has parental responsibility. Give particular consideration when a child reaches the age of 13 and is able to provide their own consent.
Options to consider:
- Consult with people, including staff and customers, about whether you have a reasonable and effective way to conduct risk-based age checks, gain parental consent and review what’s in place.
Have you considered the effectiveness of your accountability measures?
- Do staff and people agree that you have a reasonable and effective way to conduct risk-based age checks, gain parental or guardian consent and review what’s in place?
Control measure: Where the lawful basis is legitimate interests, a legitimate interests assessment (LIA) has been completed prior to starting the processing.
Risk: There may be a breach under the accountability principle without a sufficient LIA in place. People’s information will be processed without being properly balanced against the interests of the data controller. This may breach article 5(2) of the UK GDPR.
Ways to meet our expectations:
- Ensure the LIA identifies the legitimate interest, the benefits of the processing and whether it is necessary.
- Include a 'balancing test' to show how your organisation determines that its legitimate interests override the person’s interests, and consider the following issues:
  - Not using people's information in intrusive ways or in ways which could cause harm, unless there is a very good reason.
  - Protecting the interests of vulnerable groups such as people with learning disabilities or children.
  - Whether you could introduce safeguards to reduce any potentially negative impact.
  - Whether you can offer an opt-out.
  - Whether you require a DPIA.
- Clearly document the decision and the assessment.
- Complete the LIA prior to the start of the processing.
- Keep the LIA under review and refresh it if changes affect the outcome.
Options to consider:
- Consult with customers to ensure they understand how legitimate interest applies.
- Keep the LIA under review to ensure it remains the appropriate lawful basis.
Have you considered the effectiveness of your accountability measures?
- Do staff say that the LIAs are clear and comprehensive?
- Is the review process effective?