GDPR Privacy Policy/Notice, Data Protection Policy and Audit - What documents to use and what is their application?

May 2018

The GDPR is now in force but that should not mark the end of your GDPR story. Indeed, for some, it may in fact mark the beginning. But wait! Shouldn’t you already be compliant? Strictly speaking, yes, of course you should. In reality, however, when a legal change as significant as the GDPR occurs, it takes time for best practice to become established.

What’s more, despite the potentially huge fines under the GDPR, this does not mean that small businesses should expect dawn raids by sinister-looking agents from the Information Commissioner’s Office. Indeed, the Information Commissioner, Elizabeth Denham, has said that the ICO is not looking to go after those showing a willingness to comply and that any action taken against those who are non-compliant will be fair and proportionate. A small business that hasn’t got it quite right, therefore, should not expect a €20m fine or anything remotely like it!

Your GDPR Journey

Here at Simply-Docs we offer a range of data protection-related documents to help you with GDPR compliance, beginning by assessing how you’re doing so far with a Data Protection Audit, then following that up with policies, impact assessments for new projects, privacy information for your customers, and handling their requests to see the personal data that you hold about them.

GDPR Audit

The Audit is a good place to start. Regardless of how you have handled data protection in the past, the GDPR presents an ideal opportunity for a refresh. Even if you think you’re already compliant, the audit may highlight areas for improvement or – in the best case – provide additional reassurance that you are indeed as good as you thought!

Our GDPR Audit template (with accompanying guidance notes) is structured around the core principles of the GDPR and the rights of individuals (aka “data subjects”) and has been designed to assess and evaluate data protection across a number of key areas of your business.

Privacy by Design – The Data Protection Impact Assessment

Also known as a “Privacy Impact Assessment” (neater name, isn’t it?), this is a useful tool when planning projects that will involve the use of personal data and a valuable asset when it comes to GDPR compliance.

There are, essentially, two “lists” of circumstances in which you must carry out a Data Protection Impact Assessment – one set out in the GDPR, the other by the ICO. The former quite likely won’t apply to small businesses, but some of the latter might. You can find out more in the information accompanying our Data Protection Impact Assessment template, here.

The main point of a Data Protection Impact Assessment, however, is to ensure that privacy risks are identified and mitigated at the early stages of any project involving personal data. Mandatory or not, then, it can still be a useful thing to do when you are planning on using any personal data in a new way.

Data Protection Policies, Website Privacy Policies, and Privacy Notices: What’s the Difference?

Some businesses will only need one of these, others will need two or even three. These terms are often used interchangeably, but each document is quite different. So, what’s what?

Data Protection Policy

This is your go-to internal policy. A Data Protection Policy sets out the rights of individuals and the obligations of your business along with details of the various measures to be taken within your business to uphold those rights and comply with your obligations.

Should you show your customers? That’s up to you. There is certainly no harm in making your data protection policy available as it can add an extra layer of reassurance. On the other hand, it also contains a lot of extra detail that most individuals probably don’t want to know. That is the job of a privacy policy or privacy notice. Read on!

Website Privacy Policy

The GDPR requires that individuals are given certain information about your collection and use of their personal data.

Covering various degrees of data collection and usage, our Website Privacy Policy templates provide certain key information to users of your website about the data that you collect, how you use it, how it is stored, whether it is shared, about your use of cookies (where relevant), and about their rights under the GDPR.

But not all businesses operate online, so how do you convey this information to your offline customers? That’s next.

GDPR Privacy Notice - also sometimes referred to as Privacy Policy

A Privacy Notice does the same job as a website privacy policy but is designed for use where data is collected offline and a website isn’t involved. You might use a privacy notice in point of sale situations on your premises, for example, or when agreeing a contract for services in person. If you have what we would call a “brochure website” (one which collects no data and has no e-commerce) you could also display a privacy notice on there.

Data Retention

You’ve worked out what you do with personal data, you’ve got a policy setting out the rules that you must follow, and you’ve told individuals about it. But how long do you hold onto personal data?

Under the GDPR you should not keep personal data for any longer than necessary. Get a hold of much more than a few names and addresses, though, and it becomes very difficult to keep track. A Data Retention Policy can help.

A Data Retention Policy helps to organise everything, categorising the various types of personal data that your business collects and setting out time limits applicable to the retention of each category. In some cases, it might not be possible or practical to set a fixed time limit. In those cases, specify the criteria that you will use to determine when it’s time to get rid of the data in question.

Data Processing

Under the GDPR there are Controllers and there are Processors. The data controller is the one who determines what personal data will be used for and how it will be used (or “processed”). In most cases, if you are collecting data from your customers to use for your business, you will be a data controller. In short, if you call the shots, you’re the controller. A data processor is someone who processes personal data on behalf of a data controller, i.e. on their instructions. Both data controllers and data processors are subject to obligations laid out in the GDPR.

If a data controller wishes to use the services of a data processor, there must be a written contract in place which includes certain elements required by the GDPR. What’s more, if the data processor is located outside of the European Economic Area, additional safeguards must be in place to ensure that personal data is fully protected.

Where a data processor is processing personal data on behalf of a controller, two main approaches can be taken. A separate Data Processing Agreement can be used or, perhaps better suited to simpler scenarios, a set of Data Processing Clauses can be included in another contract – a service agreement, for example. We offer templates for both!

Subject Access Requests

This is one of the key rights bestowed upon individuals by the GDPR. Individuals have the right to ask you about the personal data you hold about them, what you do with it, and so on. You must respond to these requests quickly and (usually) for free.

To make things easier for you and for those individuals whose data you gather, we have prepared a range of templates for dealing with Subject Access Requests including a standard form for making a request in the first place, and a series of letters used for various stages (and scenarios) in your response. Find out more here.

Getting Your Contracts in Order

In addition to our range of data protection-specific content, we have also been busy updating a large number of our other business document templates for improved GDPR compatibility. In some cases, these are simple data protection clauses that refer to your standalone privacy notice or policy. In other cases, where there is the potential for data processing to be carried out, options have been included enabling you either to refer to a separate data processing agreement, or to use data processing clauses built into the document itself.

With such a big portfolio, there are a few that we’ve not gotten to yet. In those cases, or if we’ve decided that personal data isn’t particularly relevant to a certain document, but you want to use it in a situation that involves personal data, our GDPR Data Protection & Processing Clauses are available to help you with your own alterations to our templates.

There’s More to Come!

As we said at the start of this newsletter, just because the GDPR date has been and gone, that doesn’t mark the end of the story. We still have more GDPR templates planned, not least a dedicated policy for handling personal data breaches. We will also be reviewing many more of our non-data-protection documents and making further enhancements for GDPR compatibility.

We also want to hear from you. We’re full of good ideas here at Simply-Docs, but we don’t always think of everything! If there’s something you want or need with respect to data protection that we don’t have – let us know! We always welcome customer input and ideas for new documents.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.