August 15, 2020

Volume X, Number 228

August 14, 2020

Subscribe to Latest Legal News and Analysis

August 13, 2020

Subscribe to Latest Legal News and Analysis

August 12, 2020

Subscribe to Latest Legal News and Analysis

Data Protection Compliance: Do You Have an Appropriate Policy Document in Place?

Just because 25 May 2018 has passed does not mean that data protection compliance has ended! The Data Protection Act 2018 (“DPA”) works with the GDPR, and introduces additional requirements that businesses will need to watch out for; there are however a number of derogations that are intended to better accommodate business needs.

Special Categories of Processing

Schedule 1, Parts 1 and 2 of the DPA state that if, as an employer, you want to engage in either of the following you must have an appropriate policy document:

  1. Equality of opportunity or treatment (diversity).
  2. Monitoring racial and ethnic diversity at senior levels of the organization (diversity).

What is an “Appropriate Policy Document”?

This is a new requirement under the DPA. It should be a separate document to your other data protection documents and needs to set out at a minimum

  • The relevant condition and lawful basis for processing;
  • What security measures are in place;
  • How the data is used;
  • Who the data will be shared with;
  • Information on data subject rights;
  • The retention period/criteria for erasure of the personal data; and
  • How the processing activity complies with obligations relating to: transparency, accuracy and data minimisation.

Once you have a policy document in place, you must be able to demonstrate compliance with the terms of it, for example through training programmes, employee guidance, etc. You must also keep the records of the processing up to date, they should include:

  • The condition of the DPA relied upon;
  • Retention and erasure periods; and
  • Categories of data subject.

Emma Yaltaghian contributed to this post.

© Copyright 2020 Squire Patton Boggs (US) LLPNational Law Review, Volume VIII, Number 281


About this Author

Ann J. LaFrance Data Privacy & Cybersecurity Attorney Squire Patton Boggs New York, NY & Washington DC

Ann LaFrance co-chairs the firm’s global Data Privacy & Cybersecurity Practice and is a senior member of the international Communications Practice.

In addition to advising clients on national and cross-border data privacy and cybersecurity matters, Ann has experience counselling clients on a broad range of legal and regulatory issues affecting the provision of internet and digital services, as well as advanced technologies. She has particular expertise advising on issues of concern to technology, media and telecommunications companies and she frequently serves as an adviser to...