Search

How can we help?

Icon

FAQs – Privacy Documentation

The Basics of Privacy Documentation

Upholding data protection principles and rules is important for all entities; non-compliance with such principles and rules may invite complaints to the Information Commissioner’s Office, potentially resulting in reputational damage and lead to the imposition of hefty fines.

Therefore, clearly documenting and regularly reviewing data protection policies and procedures is paramount to demonstrating compliance with the UK GDPR. It is essential that such policies are communicated within an entity and staff are regularly trained on these.

Privacy documentation is a term covering a range of different documents and records, including:

  • Privacy Notices
  • Internal policies such as those on data protection, email and internet use, and data retention
  • External policies on websites such as cookie use policies
  • Internal procedure documents including subject access request procedures and data breach management
  • Data transfer agreements
  • Data protection impact assessments
  • Records of processing activities

Depending on the nature of its activities, the main documents an entity should maintain in order to be UK GDPR compliant include:

  • Data Protection Policy
  • Privacy Notice
  • Employee Privacy Notice
  • Data Retention Policy
  • Data Retention Schedule
  • Data Subject Consent Form
  • DPIA Register
  • Supplier Data Processing Agreement
  • Data Breach Response and Notification Procedure/Policy
Jordan Masters

Trainee Solicitor

View profile

+44 118 960 4662

Clearly documenting and regularly reviewing data protection policies and procedures is paramount to demonstrating compliance with the UK GDPR

UK GDPR Documentation Requirements

The content of the documents listed above for a given entity will differ depending on the nature of the data processing which that entity undertakes. However, the UK GDPR requires data processors and data controllers to document various information, including:

  • The purposes of processing personal data
  • The categories of individuals whose personal data is being processed
  • The name of any third countries or international organisations that personal data is transferred to
  • A general description of the entity’s technical and organisational security measures to protect the personal data

Ensuring Compliance with UK GDPR

Further to the above, in order to demonstrate compliance with UK GDPR, an entity should:

  • Test and audit data protection measures
  • Implement technical measures to ensure compliance
  • Document and record compliance measures
  • Determine and document a lawful basis for each instance of personal data processing

Content of Privacy Notices

One of the obligations imposed on entities which process personal data is to disclose certain information regarding the data they process, including details of the intended purpose of, and the legal basis for, the processing, to data subjects at the time their data is collected; this usually done through a Privacy Notice (a hyperlink for this can often be seen at the bottom of an entity’s website).

Certain privacy documentation, such as Privacy Notices, also provide an opportunity for an entity to express its positive character and philosophy regarding data protection; an entity can adopt a Privacy Notice which is effective, but also readable and instils confidence in the data subject that their data ‘is in good hands’. Clarkslegal’s lawyers can help draft Privacy Notices in such a way.

Privacy Documentation Principles

In all data processing activities an entity undertakes, it is important that entities uphold:

  1. Lawfulness, fairness and transparency in the processing of personal data
  2. Collecting personal data for specified, explicit and legitimate purposes
  3. Accuracy in holding personal data and keeping it up to date
  4. Processing in a manner that ensures appropriate security of the personal data

Our Data Protection team is happy to advise on drafting privacy documentation and data protection compliance tailored to your organisation’s needs. If you have any questions, please do not hesitate to contact us.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jordan Masters

Trainee Solicitor

View profile

+44 118 960 4662

About this article

Read, listen and watch our latest insights

art
  • 02 December 2024
  • Litigation and dispute resolution

The Era of AI

In this recent case, the First-Tier Tribunal gave a stark warning to litigants about use of AI in litigation.

Pub
  • 26 November 2024
  • Privacy and Data Protection

Key FAQs on Data Subject Access Requests (DSARs)

Understanding Data Subject Access Requests (DSARs) is crucial for businesses. In this podcast, Lucy Densham Brown and Jacob Montague, members of the Data Protection team, have narrowed down the top frequently asked questions we receive regarding DSARs.

art
  • 04 November 2024
  • Privacy and Data Protection

FAQs – Data Subject Access Requests

Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject.

art
  • 29 October 2024
  • Privacy and Data Protection

The ICO’s 2024-2025 priorities for protecting children’s personal information online

The Information Commissioner Officer (the “ICO”) has set out its 2024-2025 priorities for protecting children’s personal information online.

art
  • 12 September 2024
  • Privacy and Data Protection

2024 in review: tracking key data protection developments

As we approach the final quarter of 2024, it’s an opportune moment to revisit the data protection trends and developments that were anticipated at the end of 2023. Now, let’s see how those predictions have played out.

art
  • 02 September 2024
  • Employment

Social Media – how private is your personal data

Nowadays most people have at least one social media account. Whether it’s Facebook or TikTok, X, or LinkedIn, most adults have an online presence.