Data Protection Compliance - hints and tips


Tuesday 19th February 2019

Inreasingly we are being asked by (larger) clients to complete various data compliance questionnaires, or supply details of our policies. 

Following a recent egroup exchange, Tanya Squires put together an outline of the types of information that you may want to include in your response ... and some other members also made some suggestions.  We have collated the responses here.

Bascially, you need to show that you are ensuring that any data is held/transferred securely and compliantly.  You need to show that you are aware, that you have thought about it, and that you act in accordance with GDPR.  YOu may want to consider including the following information;

  • A link to your Privacy Notice (should already be a copy on your website)
  • That you have Data Processing Agreements in place with any third parties you use e.g. recruiters
  • Data security - your PC/laptop is fully encrypted e.g. with BitLocker
  • How long you keep files for after completion of a project and how you dispose of files (e.g. electronic shredder)
  • Data integrity - your PC is backed up e.g. Backblaze (or there are data backup systems in the EEA)
  • Data transfer
    • Does your data leave the EEA? E.g. if you use Google Drive, Dropbox, a computer backup system, data transfer systems such as WeTransfer (which is in the EEA)
    • Are the data transfer systems you use encrypted? End-to-end encryption better for sensitive info
    • Or your client may have their own system they like to use, e.g. encrypted email or an FTP server
    • If data leaves the EEA, do the companies you use have the EU-US Privacy Shield in place (I could be out of date on this though, at one point they were looking at phasing out the Privacy Shield...)
    • (Also, someone moved their servers to the EEA - might have been Google in which case Google Drive is now fine. Gmail stopped scanning emails for advertising targeting too, making Gmail a better option now)

Other resoursec include the ICG webinars which are still available to watch, and also a simple Goggle search for 'Data Protection Complience Statement' which will bring up various bits of boilerplate which may give you some more ideas.  Also, look at the websites of the large research agencies for their response/ documents - they will probably be too complex for a small agency, but will give you some idea of how to go about it.

Note:  this list was put together in Feb 2019.  It is not exhaustive, nor is it meant to constitute formal 'advice' or 'guidance' in any way - it is purely a starting point for your thinking.