The Basics of Privacy Documentation

Upholding data protection principles and rules is important for all entities; non-compliance with such principles and rules may invite complaints to the Information Commissioner’s Office, potentially resulting in reputational damage and lead to the imposition of hefty fines.

Therefore, clearly documenting and regularly reviewing data protection policies and procedures is paramount to demonstrating compliance with the UK GDPR. It is essential that such policies are communicated within an entity and staff are regularly trained on these.

Privacy documentation is a term covering a range of different documents and records, including:

• Privacy Notices

• Internal policies such as those on data protection, email and internet use, and data retention

• External policies on websites such as cookie use policies

• Internal procedure documents including subject access request procedures and data breach management

• Data transfer agreements

• Data protection impact assessments

• Records of processing activities

Depending on the nature of its activities, the main documents an entity should maintain in order to be UK GDPR compliant include:

• Data Protection Policy

• Privacy Notice

• Employee Privacy Notice

• Data Retention Policy

• Data Retention Schedule

• Data Subject Consent Form

• DPIA Register

• Supplier Data Processing Agreement

• Data Breach Response and Notification Procedure/Policy

UK GDPR Documentation Requirements

The content of the documents listed above for a given entity will differ depending on the nature of the data processing which that entity undertakes. However, the UK GDPR requires data processors and data controllers to document various information, including:

• The purposes of processing personal data

• The categories of individuals whose personal data is being processed

• The name of any third countries or international organisations that personal data is transferred to

• A general description of the entity’s technical and organisational security measures to protect the personal data

Ensuring Compliance with UK GDPR

Further to the above, in order to demonstrate compliance with UK GDPR, an entity should:

• Test and audit data protection measures

• Implement technical measures to ensure compliance

• Document and record compliance measures

• Determine and document a lawful basis for each instance of personal data processing

Content of Privacy Notices

One of the obligations imposed on entities which process personal data is to disclose certain information regarding the data they process, including details of the intended purpose of, and the legal basis for, the processing, to data subjects at the time their data is collected; this usually done through a Privacy Notice (a hyperlink for this can often be seen at the bottom of an entity’s website).

Certain privacy documentation, such as Privacy Notices, also provide an opportunity for an entity to express its positive character and philosophy regarding data protection; an entity can adopt a Privacy Notice which is effective, but also readable and instils confidence in the data subject that their data ‘is in good hands’. Clarkslegal’s lawyers can help draft Privacy Notices in such a way.

Privacy Documentation Principles

In all data processing activities an entity undertakes, it is important that entities uphold:

1. Lawfulness, fairness and transparency in the processing of personal data

2. Collecting personal data for specified, explicit and legitimate purposes

3. Accuracy in holding personal data and keeping it up to date

4. Processing in a manner that ensures appropriate security of the personal data

Our Data Protection team is happy to advise on drafting privacy documentation and data protection compliance tailored to your organisation’s needs. If you have any questions, please do not hesitate to contact us.