GDPR is about ensuring you protect people’s personal data and manage any risks associated with potential mismanagement or data breaches. Responsibility for this rests with the data controller (whoever determines the means and purposes of processing personal data) and any processors (those who process data on behalf of controllers).
For each of our projects we will have a clear understanding of who is the data controller and who is the data processor. In most of our projects the data controller will be the client and Shephard & Moyes Ltd will be the data processor.
The controller is responsible for ensuring data is processed lawfully, collected for legitimate reasons, and is relevant, accurate, up to date and stored securely. Controllers must have a legal basis for collecting the data – the strongest is consent (preferably written). This applies particularly when collecting ethnicity, religious or sexuality data (sensitive data), where explicit consent is required, or when the data is being collected by a not-for-profit body.
Controllers need to have systems in place to ensure:
- Consent is obtained (and is in writing)
As a processor we need to have appropriate systems in place to comply with GDPR.
We will have:
- Agreement with you that details how personal data will be processed securely
- Register of processing
- Data protection impact assessment (which manages risk)
In practice this means we will:
- Not ask for personal data unless it is absolutely required. We don’t need names, addresses or contact details, and we ask that you remove these from spreadsheets before sending them to us.
- If we need to contact participants directly, we will check that you have consent for us to receive their personal details before doing so. Ideally any e-surveys that are sent to participants will be sent by you (not us) – the surveys will be anonymous and we will delete the IP addresses on the SurveyMonkey export before analysing the data.