‘Tis the season…to review your GDPR compliance documentation

‘Tis the season to be jolly – and a really good time to review your scheme documentation! Business Crime Reduction Schemes must be GDPR compliant. Part of that is having the correct documentation within Disc, but it’s also vital that you review them periodically – and keep a record of any changes and the date of the review.

We at Disc are GDPR nerds, and proud of it, and to make things easier for BCRS Data Controllers we’ve identified the documents you need to ensure your scheme complies with legal obligations and ‘Best Practice’. All are available in the form of ‘model’ documents to customers and non-customers, completely free of charge.

The essential scheme documentation that we recommend should be in place comprises:

1) Legitimate Interest Assessment

We recommend that your Legitimate Interest Assessment is made up of three sections: the Legitimate Interest Statement, a Data Protection Impact Assessment, and a Balance of Interests Assessment.

The purpose of your Legitimate Interest Statement is to assert your right to share information in order to protect your Members’ premises, property, staff, customers or contractors from low-level crime and ASB. The document needs to define precisely the kind of processing involved (such as sharing Offenders’ data with your Members). And it must explain why, for such purposes, it’s necessary to process Offenders’ personal data without their consent.

The Data Protection Impact Assessment outlines any impacts that your processing may have on Offenders – including intended impacts such as banning them from Members’ premises, but also any possible unintended impacts (for example, sharing Offenders’ data outside your Membership). Where unintended impacts are identified, the document must show what processes you have put in place to mitigate them.

The last section is your Balance of Interests Assessment. Here you must show that you have balanced your Members’ rights against the rights and freedoms of the Offenders whose data you process. And you must document the reasons why, in your opinion, the former outweighs the latter.

2) Record of Processing Activity

The second essential GDPR document, this is a statement of what data you’re going to be processing and an at-a-glance summary of all the types of processing that you undertake, the purposes of processing, your lawful basis for the processing and the ‘technical’ and ‘organisational’ security measures in place.

3) Constitution

If your scheme is set up as an unincorporated association, or as a company limited by guarantee, you must have a Constitution which sets out the rights and roles of your Members, the way they elect their Board of Management, the roles and responsibilities of the Board, rules for voting, qualification for membership etc.

4) Rules and Protocols

This document isn’t required by GDPR – but it’s an essential one if you plan to share Offenders’ data with your Members. It defines how the scheme works, the obligations of your Members and other policies of the scheme, for example how it may process the data of young Offenders if your scheme chooses to do so.

We call your Rules & Protocols a ‘Must-Read Document’ – your Members must read, understand and agree to abide by it. The document makes each Member aware of what they can (and sometimes must) do, or not do. It also protects your scheme from ‘vicarious liability’ if a Member disregards any of the rules and in the process, for example, breaches data protection law including GDPR.

5) Privacy Notice for Offenders

GDPR makes it obligatory that your scheme tells Offenders exactly what your legal basis is for processing their data (in this case, ‘Legitimate interest’), what you’re going to do with it, how long you’re going to retain it, how they can contact you to ascertain what information you’ve got, and how they can make a complaint about you, as Data Controller, to the Information Commissioner’s Office.

6) Privacy Notice for Members

GDPR also makes it obligatory that your scheme tells its Members exactly what its legal basis is for processing their data (in this case, ‘consent’) and what it will do with it. It’s a short document (you’ll probably only be processing Members’ contact details for the purpose of administering the scheme) but it too must inform Members of their rights under GDPR, how to complain to you and, in the very remote chance that they may wish to complain to the Information Commissioner’s Office, how to do so.

Because it is obligatory under law to provide this privacy information to your Members, this too is a Must-Read Document. Like your Rules & Protocols (see above), you can add this to your Disc system so that all Members are obliged to confirm they have read and understood it when they self-certify in Disc, before they can gain access to your data.

7) Exclusion / Warning Notices

If you run an Exclusion Scheme, you’ll need an Exclusion Notice (and a Warning Notice too, if you give Offenders an official warning before excluding them). If it’s practical, you can use these documents as your Offenders’ Privacy Notice, so Offenders will be told not only how they will be treated within the scheme but also how and why the scheme processes their personal data (see Privacy Notice for Offenders above).

These are the seven essential documents – though, depending on your scheme, there may be others that are pertinent to you – for example, if you operate a radio network, you may need a radio policy. In Disc, if you wish, you can designate these as Must-Read Documents too, in which case Members will be obliged to certify against them before they can access the data in your Disc system.

This may all seem daunting, but we’ve taken away the hard work with our recently updated templates. To make it easier still, we offer a document writing service, producing all your essential Scheme and GDPR documentation, uploading them into the correct place within your Disc system and checking that your system is correctly configured to match your documentation.

Normally this service costs £250 + VAT but, as it’s the season of goodwill, we’re offering this service at the special price of £200 + VAT until 31st January 2023.

So if your New Year’s Resolution is to be efficient, effective and compliant, get in touch today! Email us at enquiries@littoralis.com or call 01273 900468.