Data Protection Compliance: Do You Have an Appropriate Policy Document in Place?
Just because 25 May 2018 has passed does not mean that data protection compliance has ended! The Data Protection Act 2018 (“DPA”) works with the GDPR and introduces additional requirements that businesses will need to watch out for; there are, however, a number of derogations that are intended to better accommodate business needs.
Special Categories of Processing
Schedule 1, Parts 1 and 2 of the DPA state that if, as an employer, you want to engage in either of the following, you must have an appropriate policy document:
- Equality of opportunity or treatment (diversity).
- Monitoring racial and ethnic diversity at senior levels of the organization (diversity).
What is an “Appropriate Policy Document”?
This is a new requirement under the DPA. It should be a separate document from your other data protection documents and needs to set out, at a minimum:
- The relevant condition and lawful basis for processing;
- What security measures are in place;
- How the data is used;
- Who the data will be shared with;
- Information on data subject rights;
- The retention period/criteria for erasure of the personal data; and
- How the processing activity complies with obligations relating to: transparency, accuracy and data minimisation.
Once you have a policy document in place, you must be able to demonstrate compliance with its terms, for example through training programmes, employee guidance, etc. You must also keep the records of the processing up to date; they should include:
- The condition of the DPA relied upon;
- Retention and erasure periods; and
- Categories of data subject.
Emma Yaltaghian contributed to this post.