It is essential that the correct information is contained within the policy and notice, so you may wish to consider asking a GDPR expert to draft a document that works for your business. GDPR is the General Data Protection Regulation; in the UK, the UK GDPR (together with the Data Protection Act 2018) replaced the Data Protection Act 1998, which all companies were also required to comply with. At a minimum, your privacy notice should set out the following:
- The name and contact details of your company.
- The name and contact details of your representative.
- The contact details of your Data Protection Officer (DPO), if you are required to have one.
- The reason you are processing data – be clear why you are using people’s personal data. This can be for a variety of reasons, such as to process orders, provide services, staff administration or marketing. (If you are using data for marketing purposes, you will usually need to obtain “consent” to hold and use such data, and you should say so in the notice.)
- The lawful basis for processing the data, whether by your company or a third party. If you rely on legitimate interests, you need to meet Article 6(1)(f) of the UK GDPR and state what those interests are. Note that where you need the data to fulfil a contract you have entered into with an individual, the lawful basis is “contract” under Article 6(1)(b), not legitimate interests; many organisations will rely on more than one basis depending on the purpose.
- Details of any transfers of personal data that you may make to any third parties, countries or international organisations, and the safeguards in place for them. For example, if you are sharing/transferring that data to a third party – do you know what their provisions are for holding data?
- Explain the legal rights that are available to individuals relevant to how you are using their personal data, how they access it, amend it, ask for it to be deleted, how to raise an objection for you holding their data and the portability of that data.
- Be clear about how a company or individual can complain about the use of their data or any breach they may consider there to have been. For UK companies, the supervisory authority is the Information Commissioner’s Office (ICO) and you should include their contact details in your policy.
- For some companies, there may be statutory, contractual or regulatory obligations to provide personal data. In these instances, you must let the individual know that they are required to provide data to you under those categories and what will happen if they do not provide such data.
If you would like to book a free 20 minute call to discuss any of the above information in more detail, please contact: Vicky Simpson – firstname.lastname@example.org