The GDPR provides a limited exemption for small and medium-sized organizations. Since Winmore employs fewer than 250 people, we need only document processing activities that:
- are not occasional; or
- are likely to result in a risk to the rights and freedoms of individuals; or
- involve special category data or criminal conviction and offense data.
For these and related reasons, Winmore created this process for assessing whether a request or instruction from our customer regarding processing a customer’s personal data is lawful.
Prohibited Data Processing
Winmore personnel have limited ability to access data submitted by customers to the Winmore product. However, all Winmore staff are made aware of prohibited data processing, including the following prohibitions:
- Winmore must not regularly process personal data for our customers outside the context of the Winmore product (e.g., must not process data for our customers outside of Winmore software systems as anything more than a one-off occurrence or something done rarely).
- Winmore must not process any personal data that is likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect an individual’s personal privacy).
- Winmore must not process any personal data involving special category data or criminal conviction and offense data (as defined by Article 9 and Article 10 of the GDPR).
Expectations of Our Customers
Winmore is the data processor for our customers’ data. Winmore processes data our customers enter into our products or instruct us to process on their behalf. Winmore’s customers decide what to enter. Winmore generally has no knowledge about what is being stored. However, our understanding is that typically the information includes business-related information about our customers’ customers (e.g., names, business addresses, work phone numbers, work email addresses, etc.), prospects and/or sales leads.
As the data controller, our customers are responsible for, and must be able to demonstrate, compliance to a supervising authority. Winmore expects that our customers are:
- Documenting the lawful basis for their processing of personal data;
- Ensuring that data is only kept for as long as it meets that basis;
- Ensuring that data is accurate and up to date; and
- Using Winmore security to control data access so that only approved personnel can access it.
Process for Documenting Personal Data Processing
Since Winmore employs fewer than 250 people, we need not document some or all of our processing activities. However, we think it is still good practice to do so. Keeping records on what personal data we hold, why we hold it and who we share it with may help us manage the data more effectively and comply with other aspects of the GDPR.
The Winmore process for documenting personal data processing is described here, and we are exploring the notion of sharing it with our customers, as best practices.
Start by doing an information audit or data-mapping exercise to clarify what personal data the organization holds and where. Engage people across the organization. Obtain senior management buy-in so that the documentation exercise is supported and well resourced.
Steps to Take
Once there is a basic idea of what personal data we have and where it is held, these three steps will help you with the documentation:
1. Devise a questionnaire – Use straightforward questions that will prompt answers to the areas requiring documentation.
- Why do you use personal data?
- About whom do you hold information?
- What information do you hold about them?
- With whom do you share it?
- For how long do you hold it?
- How do you keep it safe?
2. Meet directly with key business functions – Gain a better understanding of how certain parts of the organization use data.
- Winmore staff can help answer questions about technical security measures.
- Information governance staff should be able to provide information on retention periods.
- Legal and compliance staff may hold details of any data-sharing arrangements.
3. Locate and review policies, procedures, contracts and agreements – Compare and contrast intended and actual data processing activities.
- Privacy policies
- Data protection policies
- Data retention policies
- Data security policies
- System use procedures
- Data processor contracts
- Data sharing agreements
Document the Findings
The documentation of the processing activities must be in writing; this can be in paper or electronic form.
Document your organization’s processing activities in a granular and meaningful way. Know that a generic list of pieces of information with no meaningful links between them will not meet the GDPR documentation requirements.