Quick Guide GDPR Do’s and Don’ts (including Emails)

These Do’s and Don’ts are not meant to be exhaustive, but to provide a quick reference guide to the type of consideration and action to take now that the new Data Protection Act is in force. If you have any questions, please contact the DPO or call 01306 879354.

General GDPR:

  • DO – keep your Information Asset Registers (IARs) updated. If new processes are introduced to or by your Business Unit, these need to be reflected in your IARs. They are working documents.
  • DO – continue to monitor, archive and destroy data where necessary, in accordance with the corporate Records Retention and Disposal Schedule.
  • DO – question requests to pass personal and/or sensitive data to a third party, even internally. Ask yourself why: what is the reason and, most importantly, what is the legal basis for doing so?
  • DO – contact the Data Protection Officer, Tom Penlington, if you have questions of any kind regarding data protection.
  • DON’T – sit on reporting a data breach if you are aware of one. Take action immediately: inform the Data Protection Officer by way of the personal data breach process.
  • DON’T – ignore a Subject Access Request or any other Data Subject Rights request. We only have one calendar month to comply with these requests.
  • DON’T – do nothing if the software your Business Unit uses is not UK GDPR compliant and requests such as the ‘right to erasure’ cannot be complied with. Make yourself familiar with the guidance on Molly and inform the DPO.
  • DON’T – start a new project without considering the data protection implications of that project. If there are any such implications, you will need to appoint a UK GDPR Lead and complete a Data Protection Impact Assessment. For further information please contact Tom or Kate.

Emails:

  • DO – carefully set up Contacts if using Outlook to send your emails (double-check that the details are correct for each contact before saving them).
  • DO – draft new emails before typing in the recipient(s)’ email address(es).
  • DO – follow the personal data breach process immediately on becoming aware of an email breach (e.g. sending to the wrong person) and immediately send the required reporting form to the Data Protection Officer (cc’ing your line manager and Executive Head).
  • DO – activate the email setting that delays sending of your emails. This provides a ‘safety net’ so you may cancel sending an email in Office 365’s Outlook (up to 30 seconds) and in offline Outlook (1 to 120 minutes).
  • DO – double-check all attachment(s) to ensure that they are: (i) correct (for example, not confused with a separate but similarly named file), and (ii) free of personal data that shouldn’t be sent to the named recipient(s).
  • DO – be aware of the dangers of autocomplete. Regularly delete external email addresses from the suggestions that automatically come up in the “To” field.
  • DON’T – deviate from keeping your email correspondence professional, factual and free of personal opinion (unless this is reasonably necessary in connection with your work).
  • DON’T – click ‘Send’ before double-checking you are sending to the correct person or people (for example, not an incorrect group or someone else with a similar email address).
  • DON’T – send an email addressed to multiple recipients with their email addresses included in the “To” field. Your default option needs to be to blind carbon copy (Bcc) the email addresses where appropriate (generally for all external emails) instead.
  • DON’T – send high-risk or sensitive personal data via normal email channels. Instead, use the much more secure method of sharing via OneDrive (a function of Office 365). If you have any questions about using this function, please direct them to ICT.