GDPR is about ensuring you protect people’s personal data, and manage any risks associated with potential mis-management/data breaches. Responsibility for this rests with the data controller (whoever determines the means and purposes of processing personal data) and any processors (those who process data on behalf of controllers).
For each of our projects we will have a clear understanding of who is the data controller and who is the data processor. In most of our projects the data controller will be the client and Shephard & Moyes Ltd will be the data processor.
The controller is responsible for ensuring data is processed lawfully, collected for legitimate reasons, is relevant, accurate, up to date and stored securely. Controllers must have a legal basis for collecting the data – the strongest is consent (preferably written). Particularly when collecting ethnicity, religious or sexuality (sensitive data), where explicit consent is required, or it is being collected by a not-for-profit body.
Controllers need to have systems in place to ensure:
- Consent is obtained (and is in writing)
- People’s rights are facilitated (i.e. right to be informed through the privacy policy, right to access, right to remove etc)
As a processor we need to have appropriate systems in place to comply with GDPR.
We will have:
- Privacy policy in place
- Agreement with you that details how personal data will be processed securely
- Register of processing
- Data protection impact assessment (which manages risk)
In practice this means we will:
- Not ask for personal data unless it is absolutely required. We don’t need names, addresses and contact details and ask that you remove these from spreadsheets before sending to us.
- Surveys we design will normally not include personal data. If there is a need to include some (e.g. ethnicity), there will need to include a consent box and link to a privacy policy.
- If we need to contact participants directly, we will check that you have consent for us to receive their personal details before doing so. Ideally any e-surveys that are sent to participants will be sent by you (not us) – the surveys will be anonymous and we will delete the IP addresses on the SurveyMonkey export before analysing the data.