Data protection policy (GDPR-friendly for use after 25 May 2018) - Buy both DP Policies together and get one free
Estimated time to complete this document
This document is right for your organisation if:
- You hold personal data about individuals as part of your activities. This could be information about employees, donors, supporters or any other individuals.
- You are not doing anything complex with the personal data that you hold and require only a basic policy setting out the principles which your organisation follows to comply with data protection law.
- You have an existing data protection policy but require a new policy which is compliant with the General Data Protection Regulation.
- The policy will be used on or after 25 May 2018.
This document is not right for your organisation if:
- You do not hold or process any personal data about individuals.
- The information that you hold about individuals is sensitive (includes details about a person’s race, political opinions, religion, physical or mental health, sexuality, criminal record or trade union membership). If your organisation is processing sensitive personal data, bespoke advice about how you process that information is necessary.
- Your organisation is engaged in complex data processing operations or processes a large volume of personal data.
- You need advice on consent statements or using data for marketing or fundraising purposes.
- You do not currently have a data protection policy – instead, please use our Data Protection Act compliant policy for the period up to 25 May 2018 and consider adopting this policy for the period after that date.
Our original data protection policy (for use before 25 May 2018) is available here.
Both of these policies are currently available two-for-the-price-of-one when purchased together.
Please note: If you would like more specific advice on data protection and particularly data collection statements (including opt-ins or opt-outs), please contact BWB at firstname.lastname@example.org and a member of our legal team will be able to give an estimate for providing bespoke advice.
This is an updated version of our previous policy and is appropriate for use once the upcoming General Data Protection Regulation has become law in the UK. Please note that law and regulatory guidance in this area continue to evolve. The ICO is due to publish additional guidance on the interpretation of the GDPR. In addition, the Data Protection Bill, once enacted into legislation, will impact on the interpretation of the GDPR and the data protection legislative landscape in the UK. This policy may therefore need to be updated to reflect changes to law and guidance.
What do I need before I start?
You will need to know:
- Your organisation’s full name.
- Who does your organisation hold personal data about, for instance volunteers, employees, donors, supporters?
- The name of the role or the individual at your organisation who is or will be responsible for the organisation’s data protection compliance, e.g. data protection officer. You will also need the contact details of the person who will be performing that role.
- Whether your organisation is legally required under the GDPR to appoint a Data Protection Officer.
- What security measures your organisation currently has in place or will have in place by the time this policy is implemented to protect the information that you are holding. You will need to liaise with those members of your organisation who assist with computers/IT to find out whether you have access to the technology needed for certain security measures, for instance encryption of laptops and memory sticks.
- The name of the person at your organisation who is responsible for computers/IT.
- Whether there are any situations in which your organisation transfers personal data outside the European Economic Area.
- How regularly your organisation reviews its ICO notification (if it has one).
- How often your organisation plans to update your data protection policy.
- How your organisation refers to board members, i.e. as trustees or directors.
- Whether your organisation has fewer than 250 employees.
Remember: If you don’t have everything you need you can make a start, save the information and return to complete the form another time.
Q: What is the process?
A: Once you have logged in and paid for the form you will be asked a series of questions. These questions help us to create exactly the right document for you. There is lots of information to help you. Once you have finished the document it will be emailed to you with more instructions about what to do next.
Q: What if I don’t have time to complete the form?
A: If you don’t have all the information you need or if you get interrupted you can save the information you have inputted and return to the document later.
Q: What if I want more information about other policies?
A: You may find some of the other resources on BWB Get Legal helpful; there is a range of different policies available that may be useful to your organisation. If you would like more specific advice about your organisation’s circumstances, please contact BWB at email@example.com or 020 7551 7777 and a member of our legal team will be able to give an estimate for providing bespoke advice.
Q: Can my organisation use this policy prior to the implementation of the General Data Protection Regulation on 25 May 2018?
A: No – the policy specifically refers to the GDPR and so should not be effective for your organisation until 25 May 2018. However, organisations may still purchase the document now to prepare for the GDPR and this policy may be approved at management level on the basis that it will not become effective until after the GDPR has become law in the UK.
Q: What if I need a data protection policy before 25 May 2018?
A: Please refer to our older, Data Protection Act compliant data protection policy which may be used until 25 May 2018. The policy may be found here: http://getlegal.bwbllp.com/products/data-protection-policy