Model Internal Policy Document along with Advisory Note for Compliance with GDPR
Dr. Ranjan Dhar, Kingston Law College
BASICS OF LAW
Fri, May 17, 2019, at 12:46 PM

Internal Policy Document on Management and Sharing of Data for a Company Dealing with Personal Data

A software company sells online cloud-based products. In order to sell its products it needs to collect personal data of customers and demographic data, and the documents created by users are also stored on the company's servers. The company therefore needs to set up its own internal policy document on the management and sharing of the data it collects.

Purpose of the policy:
The policy lays down the rules and regulatory principles for the processing, sharing and management of users' personal data. Its purpose is to ensure that the Company processes personal data in accordance with the guidelines provided by the GDPR. The policy also provides operational guidelines for the employees of the company, together with guidance on policy implementation, supervision and accountability. The objective of this policy is to safeguard personal data and protect the privacy rights of users.

Scope and importance of data sharing under the policy:
The policy applies to personal data collected by the Company from data subjects. The processing of other data, e.g. additional information or anonymised data, is also covered by the scope of this policy. The policy determines whether data processing will be performed by the Controller within the Union or whether data will be transferred to a third country for processing. The policy declaration defines the types of data that need to be processed. Compliance with the policy is mandatory for every employee of the company.

Status of the policy:
The Company has control over the data.
Data of importance to the public interest is given open access to the public, and the prior consent of the data subject to this disclosure must be obtained. Anonymisation of personal data will strip out all essential personal identifiers and will comply with personal data protection requirements.

Responsibilities under the policy:
(i) The business of the company is registered under the appropriate statutory provision, in compliance with the Memorandum of Association and the objects of the Company.
(ii) A Data Protection Officer and a representative are appointed to deal with complaints and with compliance with GDPR regulations and principles.
(iii) Audit of the processing of information and of access to it.
(iv) During the processing of data the organisation must use end-to-end encryption and pseudonymisation or anonymisation of data, as provided in Article 32 (Security of Processing).
(v) The data privacy notice must be written clearly and unambiguously, must be provided to clients at the time the data is collected, and must be accessible to all clients. The purpose of collecting the data must be communicated to the data subject (Article 12).
(vi) Suitable technical and organisational measures are implemented to protect data, and such measures must adhere to the data protection principles set out in Article 5 of the GDPR.

Data protection by design and default:
The principles of data protection by design and by default, as set out in Article 25 of the GDPR, are followed by the company.

Responsibility of management and data users:
The Company uses various technical, administrative and physical procedures to store and transmit personal data in line with best practice. Data subjects are granted access to their personal data subject to conditions.
The personal data will be stored on the Company's server for 24 months. After that, the data subject will be given the option either to keep the data, through a renewal system, for a further period of 12 months in consideration of a fee notified to the data subject from time to time, or to have the personal data removed.

Data subject rights:
The company needs to ensure the following rights of the data subject, among others:
(i) the right to be informed (privacy notices), as per Articles 12, 13 and 14;
(ii) the right of access to personal data, as per Article 15;
(iii) the right to correction/rectification (Article 16) and updating of personal data;
(iv) the right to erasure of the data whenever the data subject asks for it to be erased, as per Article 17;
(v) the right to prevent processing of personal data, as per Article 18;
(vi) the right to data portability from one IT environment to another, as per Article 20.

Internal data sharing:
Data sharing is permitted, in a controlled manner, as per the guidelines provided by the GDPR. Data may be transferred in this case provided that the organisation concerned with the transfer complies with the general data protection principles provided under the "Binding Corporate Rules" provisions of Article 47 of the GDPR.

Data protection training:
Every employee of the Company responsible for handling data will compulsorily undergo training in data protection compliance rules and procedures.

Data protection breaches:
Every employee of the Company is required to circulate notification of the incident as soon as possible when a breach of personal data has been detected, and to properly record the reason, the category of data, and the date and time of the breach. If the personal data breach is likely to cause injury or harm to a data subject, the data controller needs to communicate the breach to the data subject and to take the necessary measures to mitigate the data subject's loss, as appropriate and without undue delay.
In such cases the data controller should also notify the Data Protection Officer of the data breach. The notification should describe:
(i) the nature of the personal data breach, including the categories and number of data subjects and data records concerned;
(ii) the known and foreseeable adverse consequences of the personal data breach; and
(iii) the measures taken or proposed to be taken to mitigate and address the possible adverse impacts of the personal data breach.

Advisory note on the impact of GDPR:
The advisory note deals with the functioning of the organisation's various internal policies and sets out a coordinated approach so that the policies work smoothly, without hindrance, in compliance with GDPR principles. The GDPR ensures a number of data privacy protections for EU data subjects and imposes significant fines and penalties of up to 20 million EURO or 4% of global turnover (whichever is higher) on non-compliant data controllers and processors once it comes into force on 25th May, 2018. The Organisation (the Company) needs to look at the following aspects as part of its compliance efforts:
(i) Develop a procedure for compliance with the GDPR principles.
(ii) Urgently assess the differences between the current compliance procedures and rules and the additional, essential requirements for implementing the GDPR, and analyse the risks.
(iii) Implement data protection principles or objectives compliant with GDPR recommendations.
(iv) Create the accountability framework for data protection compliance.
(v) Develop the operational structures needed to facilitate compliance.
(vi) Maintain control over data processing activities and data transfers. Data should be processed lawfully, as set out in Article 6, and records of processing must be maintained by the Controller as per the provisions of Article 30.
(vii) Create processes for privacy by design and for privacy impact and risk assessments.
(viii) Identify and prioritise key remediation activities to reduce the organisation's risk profile and the incidence of data breaches.