The Data Protection Act 1998 was replaced by the General Data Protection Regulations on 25 May 2018. GDPR applies to every business that collects, stores and uses personal data relating to customers, staff or other individuals. You should review any existing data protection systems, policies and procedures to take account of the new rules.
Why you need a data protection policy
Failing to follow data protection rules could lead to a substantial fine. Data protection policies will help you comply with the GDPR requirements by setting out clear procedures to be followed both by businesses and by data subjects.
A clear data protection policy makes sure everyone in your company understands why data protection is important. It also describes procedures for collecting, working with and storing data. This has been increasingly important as businesses have adopted more flexible working arrangements and staff are working remotely at least part of the week.
Implementing a data protection policy
Your data protection policy should be a practical document. Your staff should be able to understand it and refer to it when they need data protection advice.
It’s important to review your data protection policy regularly. Most companies do this about every two years. You should also review if your business changes how it operates or plans to start storing data in a new way.
It’s a good idea to require staff to read your data protection policy (and sign a document to that end) when you introduce it. It should also be part of your induction programme for new employees.
However, always remember that a policy alone is not enough to ensure your business keeps its data safe and operates within the law. Training, expert advice and clear lines of responsibility are other important considerations.