GDPR questions



mumofone
21-05-2018, 01:19 PM
Apart from the privacy policy and retention policy are there any other documents we MUST do for GDPR? Do we HAVE to do a data audit or is it just recommended? Only started looking into this all yesterday :o

moggy
21-05-2018, 03:14 PM
We do not 'have' to have a retention policy, you can include the information in your privacy notice. Pacey have not issued one at all.
The Audit is what you do before you start, to see what info you keep and why, how, where, for how long etc. It is for your own use, not for parents (unless they request or there's an issue, ICO can request it if there is a concern).

mumofone
22-05-2018, 08:46 AM
Thanks Moggy - so the only compulsory document to share with parents is the privacy policy? And the data audit for our own use (and parents/ICO if requested)?

moggy
22-05-2018, 12:06 PM
There is nothing so easy as a rule that says 'you must create this document'! You need to read the ICO website, it really is very well written. You can then read Pacey and the info from Sarah Neville here too. Then you need to make your choices about how you want to communicate this to your families. A Privacy Notice plus audit seems to be the minimum required, others are recommending more. But it depends what you include in your privacy notice. ICO website will explain it all.

Kiddleywinks
24-05-2018, 11:26 AM
You do not need a specific retention policy, but you do need to inform parents about what data you are retaining, how long for and why.
This can be done as a separate policy, or it can be done within a policy you already have, whichever is easiest.

mumofone
24-05-2018, 06:13 PM
Thanks Kiddleywinks, I'm going to do a retention and privacy policy - haven't even got on to what forms etc I need to change argh!