GDPR Myth Busting – We have to have a Data Protection Policy

No, you don’t. A data protection policy will help you address data protection in a consistent manner and demonstrate accountability, but it is not a legal requirement.

However, individuals have a right to know that you are collecting their data, why you are processing it and who you are sharing it with.

You should publish this privacy information on your website and within any forms or letters, you send to individuals.

What information you supply depends on whether you obtained the personal data directly from the individual or a third party.

It is not good practice to copy other companies privacy notices as it will not reflect your processing activities and this type of superficial compliance is very easy for a regulator to spot and challenge.

Find out more