Step 8 of our workbook records that your staff have read your practice's Information Security Policy and acknowledged their responsibilities under the GDPR.
What is an Information Security Policy?
We have published a guide, “Information Security Policy”, in the Supporting Documents section of our support portal. The introduction to this document says:
This Information Security Policy is designed to provide your organisation with detailed guidance on common IT processes and procedures, and some good practice. It is intended to cover the Information Technology required for the GDPR.
In other words, it informs staff how they need to behave when using IT and data in your practice.
What do staff need to do?
To complete this section you will need to direct your staff to read our detailed Information Security Policy Review. This is a supporting document you can access on your GDPR support portal.
Record individual compliance with this obligation on the Workbook log, section 8. For completeness, you should download the draft Security Awareness Training acknowledgement and have each staff member sign it as appropriate.
Is this a one-off exercise?
You will need to repeat the process annually for existing staff, and as part of your induction processes for new staff. If the rules change, we will update the various guides and templates.
How long did this take?
This week, I find myself, again, unable to offer readers a time budget for this process. My small practice has no staff. I suspect setting up the necessary systems would take an hour or two to organise, and then you will need to chase up staff to comply.
Have you obtained a copy of our GDPR Workbook yet?
I will continue to record my progress in completing the Workbook for my practice and will aim to be compliant before the 25 May 2018 deadline. A list of my posts, for those who need to catch up, is available here.