Protecting your business: a guide to compliant data protection documents (Incl. lawyer-drafted templates)

Key data protection documents: an overview

The specific documents that a business needs to be data protection law compliant will vary depending on the industry, size of the business and type of processing of personal data being carried out by that business. Below are some of the key documents that businesses may need to achieve UK GDPR compliance:

1. Privacy notice - it is a requirement of the UK GDPR to provide certain information to data subjects when you collect personal data about them, so that they are aware of how your business will use their personal data. This is provided via a document known as a privacy notice. It must be provided to all individuals that your business collects personal data about. Docue has a range of customisable privacy notice templates to suit different situations - this includes website visitors, staff, job applicants and investors/shareholders.

2. Internal data protection policy - this is the key policy that a business should have in place in order to manage its data protection compliance. It will set out the standards that a business must meet, and the expectations of its staff, to ensure compliance with data protection law in the UK. Docue's data protection policy template can easily be tailored to reflect your business practices.

3. Other internal policies - as well as the general DP policy above, additional policies may also be required to ensure UK GDPR compliance:

   • Data Breach Policy- a business has 72 hours to report a data breach to the ICO. Having a data breach policy in place can ensure that there are clear procedures in place for your staff to identify, minimise and report a data breach, in compliance with UK data protection laws;

   • Data Retention Policy - UK data protection laws include principles relating to storage limitation and data minimisation. These principles mean that personal data should only be kept by your business for as long as it is necessary to achieve a particular purpose. Having a clear data retention policy in place that is followed by your staff can be crucial to be able to achieve (and demonstrate) these principles;

   • Data Protection Requests Policy - individuals (known as data subjects) have a range of rights under data protection laws. A clear policy can be key for a business to be data protection compliant and handle requests legally. This policy will provide practical guidance for the business's staff, including setting out procedures to identify the individual making the request, when requests can be refused, and ensuring that requests are handled quickly (and within the timeframes set by the UK GDPR).

4. Data protection contract - if you are engaging a processor to process personal data on your behalf, it is a legal requirement to ensure that a UK GDPR-compliant contract is put in place with that processor. For example, if you use software in your business operations, the software provider may be a processor if they have access to your business's personal data (and your business will be a controller). Docue's data processing agreement (controller to processor) template is kept up to date to ensure that it contains all of the mandatory clauses required in contracts between controllers and processors under the UK GDPR, so that it is compliant with data protection laws. If you are sharing personal data with another controller, don't worry as Docue also has a data sharing agreement (controller to controller) template to cover that situation.

5. Data Protection Request Letter - all data subjects have a right to request a copy of the personal data that a business holds on them. When a data subject submits a data subject access request (sometimes known as a "DSAR"), your business is under a legal obligation to respond to it. This document is a template that can be used when responding to such requests, to ensure that the responses are made in accordance with UK data protection laws.

6. Cookie Notice - to be data protection compliant, if your website uses cookies (which almost every website does!), you’ll need to include a cookie notice on your website. A cookie notice is a statement that sets out details of which cookies the website uses and how the website owners use them, in order to tell website visitors how their personal data may be collected and processed via cookies. It is a requirement of data protection laws to provide this information to individuals visiting your website.

Why is data protection compliance so important for your business?

Failing to comply with data protection laws can have a massive impact on your business, including:

• Damage to reputation and brand: mismanaged data protection practices can lose the hard-earned trust of your customers, employees, investors, partners and suppliers. You need to be able to demonstrate that you take data protection seriously and protect the personal data that your business has access to in order to maintain trust and protect your brand.

• Regulatory action: data subjects can complain to the ICO if your business is not UK GDPR compliant, which could then lead to an ICO (the data protection regulator in the UK) investigation. This type of investigation would cause the ICO to look into your data protection practices and procedures in detail, and potentially take action where non-compliances are identified. This can include fines, enforcement notices and even criminal prosecution.

• Financial consequences: if your business is non-compliant with data protection laws, your business could be exposed to multi-million-pound fines from the ICO, as well as other legal action such as claims from data subjects for damages.

Are there any other documents or records my business needs to comply with the UK GDPR?

Depending on the nature of processing being carried out by your business and the size of your business, you may also be required to put other documents or records in place. For example, this could include:

1. Record of Processing Activities - this record is sometimes known as an “Article 30 Record" and is intended to be a full record of the personal data being processed by a business. It is a legal requirement for all businesses with over 250 employees to have and maintain this record - businesses with fewer than 250 employees must also keep this record if the processing they carry out is: (i) not occasional; (ii) could result in a risk to the rights and freedoms of individuals; or (iii) involves the processing of special categories of data or criminal conviction and offence data. The ICO's template record can be found here.

2. Legitimate Interests Assessment (LIA) - if "legitimate interests" are being relied upon by your business as a lawful basis for processing, you must carry out and record a legitimate interests assessment in respect of that processing activity. The assessment should: (i) identify a legitimate interest; (ii) show that the processing is necessary to achieve it; and (iii) balance it against the individual’s interests, rights and freedoms. The ICO's template LIA can be found here.

3. Data Protection Impact Assessment (DPIA) - you must carry out a DPIA for any processing that is likely to result in a high risk to individuals e.g. processing health data on a large scale. The ICO's template DPIA can be found here.

What else does your business need to do for UK GDPR compliance?

Complying with data protection laws is not just about having certain documents in place. The technical and organisational measures set out in your policies need to be integrated into your day-to-day business practices, including by ensuring that appropriate privacy and security training is provided to employees that handle personal data so that those measures are understood and followed.

You can find out more about UK GDPR compliance for your business via the ICO website.

How can Docue help your business with data protection compliance?

With Docue, you can easily produce UK GDPR compliant data protection documents in just minutes.

Off the shelf, standard templates don’t work when you are trying to achieve UK GDPR compliance. Documents need to be tailored to reflect the actual processing of personal data that your business carries out, otherwise they are unlikely to be compliant. That’s where Docue can help - all of our data protection templates can be easily and fully customised to meet your business’s requirements using our high-tech technology.

Want to try Docue? Signup Now!