But a policy isn’t something daunting. It’s simply the way you do things written down. Or as the Cambridge English Dictionary defines it: ‘a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government, or a political party’.
In fact, the GDPR guidelines state that your policy should be written in clear and plain language. So get rid of any preconceived notions of some complex document and just write down how and why you are processing people’s personal information.
Here’s what your policy should include (don’t be put off by the number of bullet points!):
- The identity and contact details of the data controller (who will be processing the information).
- Why you are processing (holding and using) the information.
- What your legal basis for data processing is (in most small businesses this will be consent).
- Who you share the information with.
- Whether the information is stored outside of the EU and what safeguards are in place (quite a few CRMs and cloud-based systems have their servers in the US; check that their safeguards are GDPR compliant).
- How long you are going to hold this information for, or the criteria used to determine this (if the period is not exact).
- Acknowledge the individual’s rights.
- Acknowledge the individual’s right to withdraw consent at any time (if relevant).
- Acknowledge the individual’s right to lodge a complaint with a supervisory authority.
- Whether providing this information is a necessity or part of a contractual requirement or obligation, and the possible consequences of failing to provide it.
- The existence of any automated decision-making.
- The source of the personal information (if it does not come directly from the individual).
It really isn’t that complex and if you’ve completed your information audit you’ll already have all of the answers.
Once you’ve written it, it needs to be easily accessible and given to the individual when you collect their information.
And that’s all there is to it really.
Writing your policy is just the final stage in pulling together all of the work you’ve done so far and putting it into a document. So don’t let the word ‘policy’ put you off: just get writing!
If you’d like some further advice, why not look at the Information Commissioner’s Office’s guidelines here: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/your-privacy-notice-checklist/