Do we have to have a Data Protection Policy?

There is no specific legal requirement to have a data protection policy under the Data Protection Act 2018 or the General Data Protection Regulation (GDPR). However, there are some areas where such a document could prove useful.

Documentation

The GDPR contains explicit provisions about documenting your processing activities:

  • You must maintain records of several things, such as processing purposes, data sharing and retention.
  • Documentation can help you comply with other aspects of the GDPR and improve your data governance.
  • For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.

Transparency

In addition, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR. You must provide individuals with information including:

  • your purposes for processing their personal data,
  • your retention periods for that personal data, and
  • who it will be shared with.

This is called ‘privacy information’. (Some businesses give this information in a ‘Privacy Policy’ found on many websites.)

You must provide privacy information to individuals at the time you collect their personal data from them.

If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

Using Data Processors

As well as imposing a legal obligation on data controllers (the owner of the data), to formalise their working relationship with data processors in a written contract, they are also responsible for assessing that the processor is competent to process personal data in line with the GDPR’s requirements. Part of this process is to ask to see relevant documentation, such as their privacy policy, record management policy and information security policy.