Short Form Data Protection Policy
Whatever business you’re in, it is likely that you handle some form of personal data. If so, you must ensure that you collect, hold, and process that data in compliance with UK data protection law.
Personal data is defined as ‘any information relating to an identified or identifiable natural person (a ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.’ In short, what this translates to, is that if you hold any data that identifies a person (even by seemingly more indirect means) you are holding personal data.
At present, the most important piece of data protection legislation is the EU General Data Protection Regulation or “GDPR”. Due to its territorial scope, however, the real-world application of the GDPR extends far beyond Europe. Consequently, whatever the outcome of Brexit (including a “no-deal” scenario), the GDPR will remain of key importance. In many areas of compliance, this will be good news as it is currently the UK government’s plan to replace the GDPR with a “UK-GDPR” upon the UK’s departure from the EU. In many cases, the UK-GDPR will be just the same as its European counterpart.
New Short-Form Policy
Following on from the updates to our GDPR Data Protection Policy template in January, we have now published a “short-form” version of it with a view to making a policy that is easier to navigate, leaving details of specific compliance measures and procedures to their own dedicated policies.
Just as our original GDPR Data Protection Policy was, at the time of publication, described as a “living document”, so too will its shorter sibling be. As we continue our “one-year review” of our data protection content, we will be producing further focused policy templates dealing with specific areas of data protection, beginning with a Subject Access Request Policy, due for release next month. As these documents are added to our portfolio, this short-form policy template will see further detailed provisions replaced with simple cross references.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.