Under current legislation on data protection, almost all charities should have a Data Protection Policy. The Data Protection Policy is an internal statement of how your organisation protects the personal data it processes. With the changes resulting from the General Data Protection Regulation (GDPR) these policies will need to be reviewed. You can read more about the general impact of these changes in our GDPR guide for small charities.
This post explains what you need to cover in your Data Protection Policy and provides a free model policy for you to download and use. As with all of our data protection resources, this post comes with the important caveat that we are not lawyers! We support small charities with practical no-nonsense guides to communicating well online. So these resources should save you a lot of time but it’s prudent to get a lawyer to check them over too.
We recommend reading this post in full to get the best out of the template.
What is a Data Protection Policy and why do I need one?
A good policy makes it clear how your organisation plans to go about dealing with a certain issue. In this case, the issue is data and the policy should make it clear how your organisation will deal with data so that it complies with the legal requirements contained in the GDPR.
The legislation set out in the GDPR is principle-based rather than rule-based. This provides organisations with a large amount of flexibility in how they comply. The purpose of your data protection policy is to explain how you comply with these principles.
Having a Data Protection Policy is a legal requirement under the Data Protection Act 1998 and this continues under the GDPR.
What should I include in the Data Protection Policy?
This post and the template Data Protection Policy take their basic structure from the principles contained in the GDPR as follows.
| Area | What the policy should cover |
|---|---|
| Responsibility | GDPR introduces the concept of a Data Protection Officer, which is an official role with certain legal responsibilities attached to it. Small charities are unlikely to need a Data Protection Officer, but their Data Protection Policy should specify who in the organisation is responsible for data protection. |
| Review | The policy should state how regularly it is reviewed and should note the date of the latest review. |
| Data definition | What data is covered by the policy? |
| Breach reporting | What will happen if there is a breach? |
Lawful, fair and transparent processing
| Area | What the policy should cover |
|---|---|
| Data audit | What data are you storing and where? How often, and in what format? The policy should explain how you as an organisation will keep tabs on all the data you store. This may be listed in the policy or in a supporting document. |
| Disclosure | What to do if an individual asks to see their data. |
All data collected must be justified on the basis of one of the lawful purposes. This may be listed in the policy or in a supporting document. Where consent is relied upon, how is this tracked, and what is the process for revoking it?
How will you ensure that you are collecting the minimum amount of data for your lawful purposes?
How will you review data periodically or otherwise ensure accuracy?
What will you retain, for how long and why? What will you remove and how often / when will you do this?
Integrity and confidentiality
What measures are in place to protect data that is held within the charity’s systems? Do you take back-ups? If so, how often, and how long do you keep them for?