There is no specific legal requirement to have a data protection policy under the Data Protection Act 2018 or the General Data Protection Regulations (GDPR). However, there are some areas where such a document could prove useful.
The GDPR contains explicit provisions about documenting your processing activities:
You must maintain records on several things such as processing purposes, data sharing and retention.
Documentation can help you comply with other aspects of the GDPR and improve your data governance.
For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.
In addition, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR. You must provide individuals with information including:
your purposes for processing their personal data,
your retention periods for that personal data, and
who it will be shared with
You must provide privacy information to individuals at the time you collect their personal data from them.
If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
Using Data Processors
When seeking referrals off people in my networking group, what information is safe to gather? So, let’s say, for example, I ask Bob for referrals of our ideal client. Bob knows somebody who may be interested in our service – so passes us their contact details. Is this safe?
Samuel Poole Marketing Communications Manager Syn-Star Complete I.T. Solutions
Great question, actually in Data Protection terms it is not safe to do this unless certain things are in place.
Essentially when dealing with personal information such as contact details the person who decides what to do with the information is a data controller, in this case, Bob.
The data controller has to “process” personal data fairly (processing includes passing it to a third party i.e. you). They also have to have one of six lawful reasons to be able to process the data. The most appropriate one of which in these circumstances is the consentof the data subject. This has to be GDPR compliant consent i.e. given freely, not under duress and in full knowledge of what they are consenting to.
The data controller also has to give “privacy information” explaining how the subjects data will be used. There are specific things that have to be included in this information which often takes the form of a notice, but can also be given verbally depending on the circumstances.
It is incumbent on you to check that the necessary consent is in place for the use you wish to make of the data before acting on it.
Of course, once the information comes into your hands for marketing purposes you become a data controller, in addition, you will need to comply with the Privacy and Electronic Communications Regs in relation to electronic marketing messages (phone, fax, email or text).
Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on individual business needs. A judgement must be made about:
the current and future value of the information;
the costs, risks and liabilities associated with retaining the information; and
the ease or difficulty of making sure it remains accurate and up to date.
There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
The CIPD have a great resource regarding HR records which can be found here.
Not necessarily, but you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR and so you can appoint a data protection officer (DPO) if that helps you meet this criteria.
The GDPR says that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
Public authorities (except for courts acting in their judicial capacity) are required to appoint a data protection officer (DPO), as is any organisation carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking); or carrying out large scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO’s minimum tasks are defined in Article 39:
To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
You must ensure that:
The DPO reports to the highest management level of your organisation – ie board level.
The DPO operates independently and is not dismissed or penalised for performing their task.
Adequate resources are provided to enable DPOs to meet their GDPR obligations.
The role of DPO can be allocated to an existing employee. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. You can also contract out the role of DPO externally.
From a compliance perspective your clients are entitled to know the details of the legal entity that they are dealing with, especially if a business or tradingname is being used. If the legal trading entity is a registered body there are some very specific disclosure requirements.
The information must appear in business letters and electronic equivalents including emails. To give you peace of mind we can check out your letterheads for compliance read more…
Yes, it’s really important to get your house in order, ready for the new legislation.
You will need to get to grips with the new rights of individuals, handling subject access requests, consent, data breaches, and maybe even designating a data protection officer.
There is a responsibility to demonstrate compliance and so documenting what personal data you hold, where it came from and who you share it with is an absolute must.
The important thing is to make sure that someone in your organisation takes proper responsibility for data protection compliance in good time and has the knowledge, support and authority to do so effectively.