Below are six simple points to bear in mind while formulating and maintaining an adequate data protection policy.
1. Make GDPR simple and accessible for your employees
Not everyone is an expert when it comes to data protection, and as a company that processes personal data, it is crucial that all your employees and representatives who handle personal data understand the purpose and intent of the GDPR, and work within its ambit. Therefore, the data protection policy should strive to explain, in as simple terms as possible, how the GDPR affects the employees and also what their responsibilities are. This is one way your organisation can avoid any misuse of data. Reports of supervisory authorities suggest that a maximum of personal data breaches is caused by human error such as emails sent to the wrong recipients1. Having a clear, accessible and updated data protection policy can ensure that liability due to human error is minimised. It is always a good idea to engage internal/ external data protection experts to draft a suitable policy. They can help not only in making the policy simple and straightforward but also ensuring that it implements all GDPR requirements.
2. Incorporate all the principles of the GDPR
It is highly crucial to implement the main principles of the GDPR within the data privacy culture of your organisation. These principles form the very core of the GDPR and everything else flows from and is guided by these principles. Respecting and processing personal data in accordance with those principles thus, should be one of the key features of a data protection policy. Below is a short insight into what these principles entail.
- Lawfulness, fairness and transparency: Personal data is processed in a lawful, fair and transparent manner, and all stakeholders are adequately informed of your data processing operations.
- Purpose limitation: The purpose for each data processing activity is lawful, specific (not broad/vague), and legitimate, and personal data is used only for the purpose for which it was collected. Additional use may be permitted if it is intrinsically related to the original purpose and fits within the reasonable expectations of the data subjects.
- Data minimisation: You should ensure that your organisation will only collect and store personal data adequate, relevant and limited to what is necessary for a certain purpose.
- Accuracy: Personal data is always valid, accurate and up to date, and all steps are taken to sure the accuracy of the personal data at all times, including granting access to data subjects.
- Storage limitation: This principle mandates that personal data is not stored in an identifiable form longer than is necessary to fulfil the purpose for which it was obtained.
- Integrity and confidentiality: Personal data is processed using proper security controls, protecting it against unwarranted or unlawful processing, accidental loss, destruction or damage.
- Accountability: As a company you must adhere to the principle of accountability, according to which you should be able to demonstrate compliance with the rest of the principles listed above.
You should always include and describe the aforementioned principles in simple terms and what they mean in practice for your organisation.
3. Other aspects of your data protection policy
Some further aspects to be incorporated in your data protection policy include:
- The objective of the data protection policy: This part of the policy will help your employees understand the relationship between your company, its activities and the GDPR, why it is important that your practices conform with the GDPR, and why it is crucial to have a data protection policy.
- Interpretation of key terms: As mentioned before, privacy and data protection can be complex for people without the necessary knowledge. Therefore, it is important that you clarify and define the terminology to avoid mistakes and misunderstandings.
- Legal basis: Explain the concept of legal basis for processing personal data and the six defined legal bases under the GDPR, while explaining that all personal data processing must have an appropriate legal basis.
- The data subject’s rights: GDPR provides rights for the data subjects. You must describe them and also add how your organisation makes sure these rights are met.
- Breach: Ideally there should be a separate policy to address personal data breach, but it should be linked to the data protection policy. The breach policy should discuss how employees who are aware of, or reasonably anticipate a personal data breach must act. It should also encourage reporting breaches (including human errors without fear of retaliation). Urgency of taking preventive measures must be emphasised and a clear internal reporting process described.
- Contact details of your DPO (Data Protection Officer): include the name and contact details of your DPO or any other person responsible for compliance with your company’s privacy obligations in the absence of a DPO.
4. Connect your data protection policy with your security policy
The data protection policy is not a stand-alone document. As stated earlier, it forms part of a set of internal GDPR compliance policies and procedures, crucial amongst which is the security policy of your company. It is therefore important to create a logical link between your data protection policy and the security policy of your organisation, especially organisational security measures such as password protection, access controls, clean desk policy, etc.
5. Make the policy your own
You can start with a template data protection policy; but remember that your data protection policy is your own and adapt the template accordingly. The policy should be built according to GDPR, but it should not simply repeat what is already in there. Different organisations deal with different data. You should tailor your policy in accordance with the processing activities that your organisation conducts and should address the needs of your company, while also complying with the relevant data protection laws.
6. Revise, Update, Train
Your data protection policy may need to be revisited in line with changing operations of your company, supervisory authorities’ guidance and industry best practices. So, remember to revisit your policy from time to time. Regular employee training and assessment is crucial to the success of your policy. Do not forget to maintain a record of all training sessions; it could go a long way in ensuring transparency and accountability.
1Autoriteit Persoonsgegevens, Meldplicht datalekken: facts & figures, Overzicht feiten en cijfers 2018, (https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2019/01/ra...); Infosecurity-magazine, ICO Breach Reports Jump 75% as Human Error Dominates, 4 Sept 2018, (https://www.infosecurity-magazine.com/news/ico-breach-reports-jump-75-hu...)