Data protection policy
What's a data protection policy, and when do you need it?
This policy informs those who work for you how you will handle their personal data. Although it is not strictly necessary to have a policy under data protection laws, it is recommended that you have one, as it acts as a point of reference for those who work for you and helps to demonstrate compliance with the UK’s quite strict data protection laws.
‘Personal Data’ means any information from which a living individual (called a Data Subject) can be identified. It does not include information which has been anonymised. Personal Data can come in many forms: at its simplest it may be a name, address and telephone number, but it can include a wide range of matters such as an individual’s opinion or their preferences. Even an IP address is considered to be Personal Data.
Our template guides you through setting out and making clear how you do/will handle the Personal Data of any individuals you deal with. It applies to all Personal Data held about your customers and potential customers, suppliers, business contacts and any other individuals who you may deal with in the course of your business. If you have other people working for you, then it will also apply to how you handle the Personal Data of your staff and other workers and to the Personal Data of your shareholders, if you have any.
Essentially, you should have one of these policies in place and ensure you’re operating compliant data-handling practices even from the very earliest stages of starting a business, regardless of what type of business you conduct or how big or small you are. The data handling rules apply just as strictly to sole traders as they do to directors of limited companies and partners or members in partnerships and limited liability partnerships.
Our experts recommend that you do not give this policy contractual status in any employment or other contract, but that you do reference it in such contracts, making it clear that the worker is expected to comply with the policy, and that you have the right to update or revise it, at your discretion and as you determine necessary.