What businesses get bombarded with, when it comes to data protection is cyber security. It is true that in our modern digital age having the correct anti-virus software, encryption software and to be up to date with other information in the ISO 27000 range of standards is important. However, data protection is more than just cyber security.
Unless the policies and processes your organisation support the management of those important tools you will most likely, at some point, fall foul of data protection legislation.
Policies and Procedures
Most organisations have some regulation, or terms, that they have to satisfy in order for them to keep going. For social organisations like scout groups, or swimming clubs, there will be some relating to Health and Safety while using any facility as part of their activities.
Data protection legislation is the same, in principle, and policies need to be written so that the rules about the data collected and stored relating to individuals (including children) is clear. Procedures set out what the organisation will actually do to protect the information. Policies and procedures are not necessarily public documents. What is seen from the outside are your terms of business (or terms & conditions) and the privacy policy (should you have a website).
Terms and Conditions and Privacy Policy
For the purpose of complying with data protections legislation, terms and conditions are the external view of your policies and procedures so that people know:
- How your organisation interacts with them.
- Why their data is collected.
- How it is treated.
- What level of care is used to securely store their data.
- How it will be destroyed.
The terms and conditions will also have all of the other rules about what the individual has to do and what the responsibilities are of the organisation to ensure the expected outcome. Often part of the terms and conditions is consent from an individual so that certain activities can be undertaken by the organisation. As consent is such a large topic it will be left for another day.
For the purpose of complying with data protections legislation, a privacy policy covers how an organisation will utilise any personal information collected when an individual uses their website. If you do not have a website you do not need a privacy policy.
If you do have a website, the privacy policy is best constructed to inform individuals what information is collected and used and what is not. If any is collected it should again say how it is used and how it is not.
Lots of website only collect information to store what are called cookies that allow that website to load quicker the next time it is selected. These are called performance cookies and should still be mentioned in your privacy policy.
Other websites use cookies very differently and will provide “personalised advertisements” based on the other websites you visit. An individual should have the ability to turn these cookies off before moving further into the website. The reason why is that these cookies violate a principle called “profiling” and is covered by the rights of individuals relating to automated processes.
In general, but this may differ depending on your business, the longer document is normally the terms and conditions. If you have a very simple website the privacy policy can be just a few short paragraphs.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through enquiries@eyebray.com , or visit
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.