Welcome to the IRMS General Data Protection Regulation Resource Hub
Welcome to this designated area of the IRMS website that will look specifically at what resources information and records managers can use to help with their General Data Protection Regulation (GDPR) implementation and ongoing compliance.
These resources are a mixture of internal and external sources and documents. If they are available here it is because our members have found them to be useful and insightful. This site is not intended to rate or 'approve' documentation or its accuracy in any way; therefore the IRMS does not take responsibility for any third-party content.
Where can I find a copy of the GDPR?
A copy of the legal text, including all the recitals, can be found on the EU legal website here.
You can also find a breakdown of what is required on the Information Commissioner's website (UK) or, for our Ireland members, on the Irish Data Protection Commissioner's website.
The Information Commissioner for the UK also has resources on their website for the requirements of the Data Protection Act 2018.
How does Information & Records Management help me manage Data Protection?
The key principle of good information and records management is knowing what you have, where it comes from, what it gets used for and where it ends up. One of the 12 steps to implementation, as outlined by the Information Commissioner, states that in order to get to grips with which parts of GDPR you'll need to action, you need to take stock of what personal information you have and all the context that surrounds it.
One of the key principles of Data Protection is ensuring that personal information is not kept for any longer than is necessary. A robust records lifecycle can help your staff manage this, especially if you know what records you keep and what might be the legal or recommended maximum or minimum retention period. Knowing and documenting this will help you be transparent with the individuals you are collecting data from and will help you see what grounds information is being processed under, especially if you are expected to keep certain records for set periods.
What is Article 30 of the GDPR?
Article 30 of the GDPR forms part of the accountability principle that is 'new' to Data Protection. This requires certain Data Controllers and Processors to maintain accurate records of what processing of personal data they are doing and what controls they put in place to control that processing. This is referred to in the GDPR as your 'Records of Processing Activities' or ROPA for short.
The Information Commissioner's Office have produced some templates for what ROPA might look like for your organisation. For those with experience doing information asset management this is very similar to an information asset register. It is therefore recommended that your ROPA evidence is linked to your information asset register (or even that they are one and the same thing) as this will make it easier to manage.
What is an 'information audit' and how does this help me?
In order to know certain things to put in your privacy notice you'll have to know as much as you can about what personal information your organisation is using and how it is using it. Either manually or using technology, you'll need to find out what information you hold, then map out:
- Where it came from & how it got here
- Why it is here & what purpose it serves
- What is your lawful reason for using it
- Where it is stored and how it is protected
- Who it might get shared with and how (including legally how it can be shared)
- How long it is needed for in its identifiable format
- How and when it will be destroyed
To make your audit effective you'll need to capture details of each stage of the lifecycle of that personal data, from its creation or receipt from a third party right the way through to the criteria and method for its destruction or onward transfer.
Where can I find out what others are doing?
As a member of the IRMS you have access to over 1100 professionals who are in a similar position to you. The IRMS has various methods for you to network and contact other members, including:
- Attending one of our events either locally or with a special interest to see best practice on GDPR, SharePoint, Information Security, Records Management plus much more.
- Attending our annual conference to learn about GDPR and many more Information & Records Management issues.
- Registering to be part of a group to access meeting resources, attend meetings and contact members via their forums
- Downloading the website app for Apple or Android and posting questions to your member contacts (or even via the website if you're a member)