In this second blog about the documentation needed to support GDPR compliance, we outline the data protection policy.
Why you need a data protection policy
The data protection policy is the foundation of a school’s compliance with the UK GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, and the document on which other policies, procedures and processes are based. It is an internal document that outlines the organisation’s data protection practices, the expectations placed on employees to support this compliance and the organisation’s commitment to preventing data breaches.
The data protection policy is the first piece of evidence the regulator asks to see when investigating an incident. This helps it understand how the school demonstrates compliance and whether the violation was due to a mistake or widespread neglect of the GDPR’s requirements.
How to write a data protection policy
Because it is designed for staff, the data protection policy should be written in plain language that they can understand, not just for data protection experts. Staff should be asked to review and agree to the policy, and a record should be kept of this.
What should the data protection policy include?
- DPO’s contact details
The policy needs to include the name and contact details of your DPO (data protection officer) and, if they are outsourced, details of the organisation they work for.
- Policy purpose
This is an explanation of the purpose of the policy, how the policy relates to the UK GDPR, the importance of compliance and why the policy is necessary.
- Commitment to the UK GDPR
The school’s commitment to complying with the UK GDPR should also be outlined. This reinforces to staff the significance of data protection and their role within it.
- Key terms
It is important that staff understand the policy, and defining the key terms and data protection terminology used helps. This includes terms such as ‘data controller’, ‘data processor’ and ‘data subject’, which may confuse general staff.
- The scope
This explains what and who the policy applies to – in the case of the UK GDPR, this would be all personal data the school processes and anyone in the organisation who processes it. It is also an opportunity to define the types of information the UK GDPR applies to, such as special category and children’s data, which warrant extra protection.
- The data processing principles
This is an explanation of the UK GDPR’s six data processing principles, as well as the accountability principle, and the school’s commitment to them.
- Data subject rights
This explains the eight rights of data subjects and how you will ensure they are met. We discuss these in another blog, What documentation do you need to support your school’s GDPR compliance?
How to share the data protection policy with staff
As part of the organisation’s accountability to the UK GDPR, the data protection policy should be made available to all staff. An annual record should also be kept showing that staff have seen and agreed to the policy. This record provides evidence that the policy is a working document that staff understand and agree to follow. Again, the regulator will expect to see this evidence if there is an incident.
Share and manage policies in GDPR.co.uk
GDPR.co.uk’s policies and procedures area asks staff to review and approve each policy when it is added to the system. We also include in the software a data protection policy template from our sister company, IT Governance Publishing.