Decision Marketing Data Clinic: DPDI record keeping

The Government’s proposed data reforms – under the Data Protection and Digital Information (No. 2) Bill – are at Committee Stage in the House of Lords. They are expected to have huge consequences for the marketing industry, but, as ever, many businesses are in the dark about what the overhaul means for them and their operations.

In the third article in our series, we have joined forces with Sagacity to gain a greater understanding of the implications for record keeping under the new Bill.

Six years after it came into effect, some see the UK GDPR as a burdensome and stifling regulation. With the impending DPDI Bill, we are now looking at supplementary clauses that will not replace the UK GDPR but will relax some of the barriers the regulations created and make them more manageable, while maintaining high data protection standards.

The aim is to create, in the words of the Secretary of State, “…a new UK data rights regime tailor-made for our needs”, while simultaneously reducing burdens on UK businesses and researchers, and boosting the economy by £4.7 billion over the next decade.

In this article, we investigate the changes around privacy management programmes (PMPs), record keeping and risk assessments, such as data protection impact assessments.

Records of processing activities and data protection balancing assessments are set to be replaced as the Government moves forward, and organisations will instead be required to implement a PMP.

On reflection, any organisation which already aligns to the principles of the UK GDPR should not be too concerned about implementing a PMP, as it will already have the correct requirements and procedures in place based around its own processing activities.

But we shouldn’t dismiss how important a PMP can be for any organisation. PMPs are a very important framework, and they have some core components, such as data governance, policies and procedures to guide staff, training and awareness, setting privacy rights, incident planning, risk management and auditing.

Record keeping
Under UK GDPR, organisations are required to keep a ROPA (record of processing activities). The only exemption to this is for organisations which have fewer than 250 employees and where the processing of information is low risk or does not involve special categories of data and/or criminal conviction data.

The DPDI Bill proposes controllers and processors are exempt from this obligation unless they carry out high-risk processing activities. So, essentially, organisations would only be required to keep an “appropriate” record.

As with the PMP process, I believe this is a core document that organisations need to have and keep updated. It astonishes me how an organisation cannot have a ROPA in place or some way of understanding what information and data they are processing at any given point – what is essentially under the bonnet – especially in terms of the dreaded data breach scenario. How would an organisation understand what has been breached or lost if it is not recorded?

Risk assessments
Under UK GDPR, organisations are required to conduct a Data Protection Impact Assessment (DPIA) for high-risk processing activities. Many of the European regulators, including our own ICO, provide a list of examples of when a DPIA must be conducted and when it is appropriate.

DPIAs are a great tool to identify and mitigate privacy risks prior to the launch of any processing involving PII. Under the new Bill, organisations will no longer be required to conduct a DPIA but will need to have an alternative risk-based approach to cover the same outcome and be able to evidence those outcomes.

Once again, a DPIA is a great tool to justify the nature, scope, context and purpose of the processing, and there are some great DPIA templates which enable any organisation to question whether the processing is likely to result in high risk to individuals. A DPIA records all of those decisions and outcomes at any given point, which is a solid base on which to judge a decision, and which in turn also creates an audit trail of the decision made.

There are therefore positives to having PMPs, ROPAs and balancing tests, all of which are key parts of any organisation and align to the principles of the UK GDPR.

Andy Bridges is data governance officer at Sagacity Solutions