Data Protection Policy
Ooh, suits you, sir!

Ooh, suits you, sir! Suits you, madam!

But rarely if you’ve settled on a template for your data protection policy…

Off the peg or made to measure?

Short-term make-do or long-term investment?

Simple and generic or detailed and specific?

Most of us love a bargain, especially when it’s just what we were after. But how often does that happen?

What happens when it’s not quite right and turns out to be too good to be true; when it’s a compromise that ends up being costly?

How often have you heard of someone buying something that, at first, seemed reasonably priced, only to then spend more time and money fixing everything that wasn’t quite right – just to get it how they originally wanted all along?

Sounds familiar? Then how about this…

When GDPR kicked in May, how many people thought ‘Right, I really ought to think about this data protection stuff’ and then did the bare minimum… like downloading a template under the guise of making everything look official.

When, in fact, it amounted to nothing more than lip service. A quick fix. Box ticked. Job done.

And not fit for purpose at all.

If that’s a bit too close to home, here’s why it’s worth a rethink…

Generic template or detailed policy?

First off, a template is okay if it covers exactly what you need or only requires minimal tweaking to accurately reflect things.

The problem arises though when what it says on the tin is exactly nothing like what you’re using it for. And that’s when you realise that your data protection/ privacy policy is, at best, slightly misleading and, at worst, doesn’t reflect what you do at all.

It’s an easy mistake to make, particularly if you haven’t taken the time to fully think everything through.

For example, it may be that in running your business, you also record calls, use CCTV, or engage in inbound or outbound marketing. And yet, none of these activities feature in your average template, even though you may have plumped for it anyway.

What about your legal basis/bases for data processing? Is yours accurate or have you automatically defaulted to using ‘consent’ to justify it?

Remember, what may seem like a quick win now can result in hidden financial or time costs in the future – either by having to put things right or being fined for non-compliance.

After all, it is people’s personal information you’re dealing with and they want to know that you’re not only taking your responsibilities seriously, but treating their data carefully. Respectfully, even.

Demonstrate a great data protection policy and you’ll build credibility and trust, show accountability and reassure people that you’ve invested quality time getting things right.

 

Tips on how to get your policy right

As cropped up in the previous blog (in which yours truly did an interview Q & A session), having a really clear idea of the whys, whats, whens and hows surrounding your data is key.

So here are a few pointers to consider:

  • Proper data mapping  It’s said that knowledge is power and never has this been truer than when it comes to knowing your own data protection set-up inside out. Spend some time meticulously mapping your data and you won’t go far wrong knowing exactly what you should include.

 

  • Make sure everyone’s on board In a nutshell, the more people in your business that understand the importance of data protection, the more committed and accountable they’ll feel, and the more likely you are to get it right.

 

  • Regular and timely reviews Make regular reviews a habit so that you can update your policy as soon as anything changes in the business and which is likely to affect your data practices. Otherwise, every 6 months is good and annually is the minimum.

 

  • Know your responsibilities and your customers’ rights It’s a given that you should be well-versed in what’s expected of you. But make sure too that you know where your customers stand – especially with regard to subject access requests and right to erasure.

 

  • It’s better late than never Okay, this one’s a little tongue in cheek, albeit not completely unheard of. If you happen to be a late adopter (i.e. still haven’t done anything yet), it really is never too late to start.

 

Makes sense? Even if you’re only following a few of these steps, you’ll now be in a better position to ensure that your policy is more representative of your data protection approach – which has got to be better than relying on a template that’s been written by Mr V McVague from Vague-on-Thames…

 

Need a hand doing things properly?

If something’s worth doing, it’s worth doing right. Especially when it comes to GDPR and data protection (and you can always find lots of useful information on the ICO website.)

Closer to home, just take a look at our Databasix privacy policy – even though we’ve jazzed it up, it still may not be the most riveting of reads but it sure as hell tells you exactly how much we respect your data and what we do with it.

And that’s why we can help you review yours and make sure your data protection and/or privacy policy matches your needs. If that sounds like a worthwhile investment, get in touch!

Incidentally, did we mention that the company next door has just had an office refit? Got a great deal too. To save money, they decided against the bespoke service and bought straight from the catalogue. Happy days!

…Except that they now have 4 workstations so big you have to climb over them to get in or out. Oh well, at least the oversized chairs are comfortable.