Data Protection 101
Do staff and volunteers in your organisation have access to the personal data of children, young people or vulnerable adults? If so, you need to make sure you have the appropriate Data Protection documentation in place.
If you are in the UK, this will allow you to comply with the Data Protection Act 2018. If you trade with or transfer data to the EU, it will allow you to comply with the GDPR.
More importantly, it will enable you to protect your members' personal information. When they entrust you with their data, that is a responsibility you need to take seriously and live up to.
Here are four key documents that will help you do that.
Data Protection Policy
The DPP is an internal governance document that describes how the domain of privacy is managed in your organisation. It is relevant mainly to those involved in making decisions about data processing. The DPP is the responsibility of your Data Protection Manager (or your Data Controller if your organisation processes sensitive data).
The key thing about the DPP is that it is a learning document. It is where you and your team set out what data you process, for what reasons and on what legal bases. More importantly, it is what informs the continuous reflection and adjustment the ICO requires: is your processing still meeting the ICO's data protection principles and Age Appropriate Design Code? If not, what are you doing to ensure that it does, how, and by when? A good DPP is a live document.
The scale and complexity of your DPP will depend on the amount and type of data your organisation processes. As with all policies, it should be practical and concise. The template here is a good example.
Data Protection Impact Assessment
Another internal document, this is a prerequisite for any organisation that processes personal data. Like the DPP above, the DPIA is the responsibility of the Data Protection Manager or equivalent.
The purpose of the DPIA is to understand the risks to data subjects of the data processing your organisation undertakes. It identifies and assesses risk, establishes control mechanisms, evaluates residual risk and determines whether it's acceptable.
While this is an internal document, the ICO (and your insurers) require you to have it in place, and it will be the first thing they ask for if you have to report a breach. The ICO provides guidance on how to prepare your DPIA here. They also provide a template here.
In all honesty, however, if you are not a Data Protection expert, this is something you should consider having prepared for you by a security consultant. I would suggest starting with providers on the IASME Consortium list, here. It will cost you but it will be money well spent.
Privacy Policy
Your PP is the public facing version of your DPP. It will be shorter and simpler but contains most of the same elements.
Your PP must be scrupulously transparent about your data processing. You must provide your members with a clear, easy to understand summary of what data you collect from them, how, why and on what bases. You must also explain your members' rights in relation to their personal data and how they can exercise them.
Treat the PP as an opportunity to connect with and reassure your data subjects about the integrity and competence of your organisation in relation to its role as controller of their data. Morally and legally it’s the right thing to do, but it’s also what people have come to expect from a trustworthy organisation.
It's tempting to buy a template or go to a solicitor for your PP, and those are both legitimate (I've done both myself). So long as what you end up with is fit for purpose, that's fine. However, my advice would be DIY. It's not rocket science, and the ICO provides very clear guidance here.
Apart from accuracy and compliance, the defining feature of a good PP is clarity. You and your members need to be able to understand it. If you write your own policy, you will understand every word and chances are, so will your members. Here's a good example.
Data Retention Policy
Lastly, the DRP. This is a public policy but also useful internally to prevent you retaining personal data for longer than you need to. The DRP in some instances will set out specifically how long you store personal data. More often it will provide the rationale for determining that period. This is legitimate and can be more helpful than trying to nail down data retention periods for every eventuality.
Again, the ICO provides good guidance for this, here. A great example of a working DRP is the template the Scouts publishes for its Groups to use, which you can find here.