We often find that terminology around data protection can be confusing for clients. Let’s face it, having “Privacy Policies”, “Data Protection Policies” and “Privacy Notices” all fulfilling different objectives is confusing! So here is our view on what these key terms (and a couple of others) mean.
- The Data Protection Policy is the overarching statement of principle from an organisation documenting its commitment to data protection compliance, including specifying roles and responsibilities for data protection compliance within the organisation, policies and procedures relevant to data protection and a commitment to training.
- The Privacy Notice is the full explanation to data subjects of how and why their personal data will be used. It also informs data subjects of their rights. The content of this document is specified in GDPR and meets the subject right to transparency.
- The Data Controller is the organisation or person that makes decisions about what data should be obtained and processed and the purposes for which it is processed. In the case of business data it is the business that is the controller rather than a specific individual in the business.
- The Data Protection Officer is the individual in the organisation with designated authority in respect of data protection issues it is a statutory role with duties and obligations set out in GDPR.
Mandy P Webster
Data Protection Consulting, simplifying data protection and easing the burden of compliance for its clients for 22 years.