Goodness it feels like the GDPR has been around forever!
Darn, it’s less than two weeks before I have to be GDPR compliant!
Pah – the GDPR is a lot of work!
Ready? Am I really ready?
What information do I need to provide in my policy?
Under the GDPR, which is geared towards transparency and fairness to individuals, organisations have to provide individuals with far more information about the processing of their personal data than the current requirements under the Data Protection Act 1998 demand. The GDPR (Articles 13 and 14) explicitly requires data controllers to inform data subjects of the following:
Where do I start?
As mentioned, your data flow audit is the ideal starting point. You should then collate your data into the following categories which you could use as headings within your policy:
Is there anything else I should include?
If your policy is quite lengthy, consider a two-tiered approach in which a short-form policy links to the full version. The short form should contain the main information, such as the identity of the data controller, how data is collected, the legal basis for processing and the individual’s rights. The full version can be more detailed and contain tools and/or links to help individuals navigate the document.
The Information Commissioner’s Office (ICO) is the independent authority set up to uphold data privacy; you can view its website at www.ico.org.uk.