There is no specific legal requirement to have a data protection policy under the Data Protection Act 2018 or the General Data Protection Regulation (GDPR). However, there are some areas where such a document could prove useful.
The GDPR contains explicit provisions about documenting your processing activities:
- You must maintain records of your processing activities, covering matters such as processing purposes, data sharing and retention.
- Documentation can help you comply with other aspects of the GDPR and improve your data governance.
- For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.
In addition, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR. You must provide individuals with information including:
- your purposes for processing their personal data,
- your retention periods for that personal data, and
- who it will be shared with.
You must provide privacy information to individuals at the time you collect their personal data from them.
If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
Using Data Processors