Privacy Documentation
Documenting your data processing activities is important for several reasons. First, it is a legal requirement, and you may have to make the information available on request; for example, for an audit or investigation. As a key element of the accountability principle, documenting your data processing activities also helps you to ensure (and demonstrate) your compliance with other aspects of the UK GDPR.
UK data protection legislation, including the Data Protection Act 2018 and the UK GDPR, requires organisations to maintain several documents to demonstrate compliance.
These documents serve to ensure transparency, accountability, and the compliant processing of personal data.
CSRB drafts these documents for a number of clients as part of our retained Data Protection Officer (DPO) service plans, as well as in one-off project work. Here we explain in further detail the key policies and procedures your organisation requires:
- Privacy Notice: This privacy documentation meets the ‘right to be informed’ under the UK GDPR (Articles 13 and 14) and tells individuals why their personal data is collected, how it is processed and shared, and what rights they have as data subjects under the UK GDPR. It should be clear, concise, drafted in plain and easy to understand English, and easily accessible to all. This document is also known as a GDPR statement or privacy policy and is supplemented by a cookie notice.
- Privacy Policy: This internal policy outlines the organisation's commitment to data protection, roles and responsibilities, data processing procedures, and security measures. It is also a useful handbook and training aid for internal stakeholders. This document is also known as a GDPR policy or a data protection policy.
- Data Processing Agreement (DPA): A DPA is a legally binding contract required by Article 28 of the UK GDPR between a data controller (the organisation determining the purposes and means of processing personal data, often the ‘client’) and a data processor (the organisation processing data on behalf of the controller, often the ‘supplier’). The DPA ensures that any personal data exchanged and processed under the contract is handled in compliance with the UK GDPR, including the processor's security obligations and its duties around sub-processors and breach notification to the controller.
- Record of Processing Activities (ROPA): Required by Article 30 of the UK GDPR, this document details the organisation's data processing activities, including the purposes of processing, categories of data subjects and personal data, recipients of data, retention periods, a description of security measures, and any international data transfers.
- Subject Access Request Policy: It is vitally important for an organisation to be able to recognise a subject access request (which can arrive through any channel and need not mention the UK GDPR), verify the identity of the requester, respond within the statutory timeframe (one calendar month, extendable by up to two further months for complex or numerous requests), return the relevant personal data to the data subject or to a third party acting on their behalf, and understand when a legal exemption applies that limits or removes the obligation to disclose. Responding to subject access requests is a legal requirement of the UK GDPR.
- Data Breach and Security Incident Policy: It is vitally important for an organisation to identify potential personal data breaches and security incidents, instigate an appropriate response, inform the relevant parties (the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and the affected individuals without undue delay where the risk is high), put in place appropriate safeguards and controls, record every breach whether or not it is reportable, and implement any lessons learned. Breach handling and notification are legal requirements of the UK GDPR.
- Cookie Notice: This document, read in conjunction with a cookie consent tool, explains to website visitors how a website uses cookies, which are small text files stored on a user's device. It details which cookies are used, what they are used for, what data they collect, and how users can manage or delete cookies. In the UK, the Privacy and Electronic Communications Regulations (PECR) require consent before non-essential cookies are set, so the notice should distinguish strictly necessary cookies from those that need consent. While a privacy notice covers all the ways a website collects, processes, and stores data, a cookie notice focuses specifically on the cookies and tracking technologies used.
- Data Retention Policy and Schedule: This policy establishes guidelines for how long different types of personal data will be kept and how the data will be securely disposed of when no longer required. The schedule provides specific retention periods for various data categories.
Data Sharing – what do we need to do?
A data sharing agreement between the parties sending and receiving data is a major part of your UK GDPR compliance, especially with regard to the accountability principle. Your organisation might use a different title for a data sharing agreement, for example an information sharing agreement, a data sharing protocol or contract, or a personal information sharing agreement.
Whatever the terminology, it is good practice to have a data sharing agreement in place whenever personal data passes between separate controllers.
There are many benefits of having a data sharing agreement in place, such as:
- helping all the parties be clear about their roles;
- setting out the purpose for the sharing of personal data;
- detailing what happens to the personal data at each stage; and
- setting high levels of privacy governance and professional standards.
Does CSRB specialise in any other privacy documentation areas?
Yes, of course. As certified practitioners, with clients across the globe, we can assist you with your privacy documentation in the following specialist areas:
- Implementation Support: CSRB provides guidance and support for implementing new or revised policies and procedures in your organisation. We do not just leave you with a virtual filing cabinet of policies and procedures, as what use would that be? We have assisted clients with staff training on data protection best practices, the updating of internal systems and processes, and communicating positive changes to stakeholders.
- Data Protection Officer (DPO) Services: CSRB’s certified, independent, and outsourced DPO service can fulfil the legal requirements of this often overlooked role and provide expert advice and guidance on all aspects of data protection compliance, including client, employee, and supplier onboarding.
- Data Protection Impact Assessments (DPIAs): CSRB can advise and guide clients through the vitally important DPIA procedure, which the UK GDPR requires before processing that is likely to result in a high risk to individuals (for example, introducing a new software system or a new form of monitoring). The DPIA identifies the risks of the proposed processing and ensures appropriate safeguards are in place to eliminate, reduce, or knowingly accept those risks.
- International Data Transfers: International data transfers are subject to various policies and procedures, primarily aimed at protecting the privacy and security of personal data. The specific regulations and requirements depend on the jurisdiction and the nature of the data being transferred. Do you know whether your transfers rely on an adequacy regulation, on an appropriate safeguard (such as the UK International Data Transfer Agreement or Addendum), or on a derogation? Do not worry, just contact CSRB.
- Monitoring and Review: CSRB will be able to support monitoring the effectiveness of your policies and procedures, identifying areas for improvement, and ensuring ongoing compliance with data protection regulations. This can include conducting regular audits, reviewing incident reports, and providing feedback to management.
- Gap Analysis: CSRB can conduct a gap analysis to identify areas where your existing policies and procedures may be lacking or simply need a little bit of updating to meet your data processing requirements today. This helps prioritise areas for improvement and ensures comprehensive data protection measures are put in place.
By leveraging the expertise and experience of an outsourced data protection consultant, like CSRB, organisations can ensure their policies and procedures are comprehensive, up to date, and effective in protecting personal data and complying with current UK and overseas regulations. Investment here also supports the bottom line of any organisation and helps meet strategic growth targets.
CSRB would love to support you on your data privacy and information governance journey.