GDPRToolkit

GDPR TOOLKIT

Following GDPR presentations to 160 Charities and Small Businesses and 60 Sports Clubs, I have developed, sold, supported and updated this GDPR Toolkit.

CONTENTS

Part 1 GDPR Toolkit

GDPRToolkit READ ME GUIDE.docx

GDPRToolkit Audit checklist for compliance.docx
GDPRToolkit Board Report (Template).docx
GDPRToolkit Breach policy and procedure.docx
GDPRToolkit Complaints procedure.docx
GDPRToolkit Data portability policy and procedure.docx
GDPRToolkit Data protection impact assessment procedure.docx
GDPRToolkit Data protection officer (DPO) job description.docx
GDPRToolkit Data Protection Policy.docx
GDPRToolkit Information security policy.docx
GDPRToolkit International data transfer.docx
GDPRToolkit Mapping policy, procedure and forms.docx
GDPRToolkit Opt-In Approach.docx
GDPRToolkit Privacy policy, procedure and notice.docx
GDPRToolkit Processor-Controller Agreement.docx
GDPRToolkit Retention of records procedure.docx
GDPRToolkit Subject Access Request Form.docx
GDPRToolkit Subject Access Request Procedure.docx
GDPRToolkit Training policy and form.docx

Useful Links for GDPR.pdf


Part 2 GDPR Reference Material

UK Templates
Data-Controllers-Questionnaire-Electronic.docx
Data-Processors-Questionnaire-Electronic.docx

gdpr-documentation-controller-template.xlsx
gdpr-documentation-processor-template.xlsx

Jersey Law
GDPR Jersey L-03-2018.pdf
GDPR Jersey L-04-2018.pdf
Jersey-Laws-GDPR-Table-of-Equivalences-05.12.17.pdf

Jersey Guidance
GDPR Jersey Guidance Overview-2017.05.24.pdf
2018.03.13-Duties-of-Data-Controllers.pdf
2018.03.13-Guidance-on-Breach-Reporting.pdf
2018.03.22-Guidance-on-Criminal-Offences-and-Civil-Remedies.pdf
2018.03.22-Guidance-on-Registration-of-Controllers-and-Processors.pdf
2018.03.22-Guidance-on-Sanctions.pdf
2018.03.22-Key-Definitions.pdf
2018.03.22-The-Data-Protection-Principles.pdf
2018.04.11-Guidance-for-SMEs.docx.pdf

Guernsey Guidance
GDPR Guernsey P_2017_93 2017.pdf

EU Guidance
GDPR EU LEX_32016R0679_EN_TXT.pdf

I provide all the templates below and additionally can help customise them to exactly suit the needs of your organisation (usually a couple of hours, although that depends on the scale and complexity of the organisation). I can also provide the training for the staff as well as the assurance and oversight for the Board, Committee or Trustees.

1. The first step is to identify someone to be the data champion who co-ordinates all the work. Template: Data protection officer (DPO) job description
2. The next step is to understand what data you hold. Template: Mapping policy, procedure and forms
3. The next step is to develop a data protection policy setting out the roles, goals and controls that protect the data. Template: Data Protection Policy
4. The next step is to decide which data needs to be kept and which deleted. Template: Retention of records procedure
5. The next step is to consider information security and the people, process and technology safeguards over the data. Template: Information security policy
6. The next step is to consider any particular risks, and the actions needed, for the remaining data. Template: Data protection impact assessment procedure
7. Be clear on when data is outsourced, the due diligence needed and the controls demanded. Template: International data transfer policy, procedure and forms
8. Then consider the processor-controller or other controls to be applied to anyone with whom data is shared. Template: Processor-Controller Agreement
9. Once you know the data, the policies and procedures and the suppliers, you can provide a Privacy Notice. Template: Privacy policy, procedure and notice
10. Once you know everything needed for a Privacy Notice, you can also satisfy a subject access request. Template: Subject access request form and procedure
11. Once you know everything needed for a subject access request, you can also make a Breach Notification. Template: Breach policy and procedure
12. Once you have clarity on policies and procedures, ensure staff understand and follow them. Template: Training policy and form
13. Once you have clarity on policies and procedures, ensure they are being followed. Template: Audit checklist for compliance
14. If something goes wrong with the above, you may need to manage complaints. Template: Complaints procedure
15. In some cases data subjects may be entitled to take back their data or move it somewhere else. Template: Data portability policy, procedure and forms

The GDPR Toolkit comes with a complete guide, rather like D.I.Y. self-assembly instructions, telling you which parts you need for your business.

I am also able to maintain and update the toolkit with any new guidance coming from the ICO so that the toolkit remains relevant and up-to-date with new legislation and regulation.

Contact timhjrogers@adaptconsultingcompany.com

SAMPLE

GDPRToolkit READ ME GUIDE

FEEDBACK

Here is some of the feedback I have received

I think yesterday went very well – in fact I think it is the best money we have spent for a while. The reason I say this is because you have given us some very practical pointers which we feel are relevant to our business – others have simply bamboozled us with high tech tools and tried to scare us into purchasing them. TG, Hollcameron

From the outset Tim’s style, manner and pragmatic approach distinguished him from other consultants. For one, he was deeply knowledgeable and enthusiastic about the topic and we had a real sense of being supported by someone with a clear focus on achieving our objectives. Tim was happy to adopt our chosen preference for one-to-one engagement and our desire to address the detail of the practical implications. He was able to distil complex matters into readily understandable actions. Our lasting impression of Tim’s work with us is one of ease of communication, total commitment and a reassuring knowledge of the subject matter. SE, CommunitySavings

“Cracking presentation. You managed to take most of the scariness out of the subject and give them some practical advice and guidance on how to proceed, with the law and with their policies.” LP, Association of Jersey Charities

Tim delivered workshops to our member charities on the subject of GDPR. He managed to take all the scariness out of the subject and gave them good clear advice on how to write their policies and how to deal with the law. Furthermore, he has given his services to individual charities free of charge.
Thank you Tim! Lyn Wilton, Administrator, Association of Jersey Charities

We particularly appreciated the way in which you took the complex world of GDPR and presented practical ideas and solutions for sports clubs and associations to consider. All of the information was brought to life with scenarios that the sports community, many of whom are volunteers, can relate to. Your approach to making this topic understandable, with a focus on supporting sports, is refreshing and valued.
The discussions your sessions have created are really positive. James Tilly, Jersey Sport (workshops for 60 people across 35 different sports)

ALTERNATIVE OPTIONS

If you are looking for an alternative, you can download a GDPR toolkit for £500 from ITGovernance.co.uk. However, their toolkit does not cover the Jersey legislation, nor does it ensure that people actually understand and follow the agreed policies and procedures. Other toolkits range in price from £1100 to £2500.

Or, if you prefer to create your own policies, procedures, guidance and templates, I can thoroughly recommend the resources available on the ThinkGDPR website here: https://thinkgdpr.org/resources/

HANDS-ON HELP, SUPPORT, GUIDANCE AND TRAINING

Most Charities or Small Businesses will not need a Data Protection Officer (DPO) and may be better advised to have an in-house “data protection champion” to co-ordinate and oversee the tasks necessary for GDPR compliance.

As well as providing templates, support, guidance and training, Adapt Consulting Company can offer an external, independent appraisal of your GDPR measures, as well as a review, report, assurance and oversight for the Board, Committee or Trustees.

LICENCE, WARRANTY AND DISCLAIMER

GDPR can be complicated and there are different laws in the UK, the EU, Jersey and Guernsey. Simply having Templates, Documents, Samples and Guidance does not make you compliant.

The reason for this disclaimer is that I cannot warrant or guarantee materials for every system or circumstance or jurisdiction and the client/user/recipient is obliged to review, test and where necessary customise or take advice to generally assert that they are satisfied before using this “live”.