If you are a company that processes personal data, you must know that having a data protection policy is crucial. In this blog post we discuss the scope and intent of a data protection policy. To create a suitable and complete data protection policy for your company, it is important to understand that a data protection policy is an internal document that is crucial to your company’s GDPR compliance procedures and differs from the privacy policy. The former sets out how an organisation manages its data protection objectives and obligations, whereas the latter’s objective is to inform data subjects about the processing of their personal data. Thus, the former is an internal document, and the latter an external document intended to be published and made easily accessible to all data subjects (for instance, on your company’s public website).
Below are six simple points to bear in mind while formulating and maintaining an adequate data protection policy.
Not everyone is an expert when it comes to data protection, and as a company that processes personal data, it is crucial that all your employees and representatives who handle personal data understand the purpose and intent of the GDPR and work within its ambit. Therefore, the data protection policy should strive to explain, in as simple terms as possible, how the GDPR affects the employees and what their responsibilities are. This is one way your organisation can avoid any misuse of data. Reports of supervisory authorities suggest that most personal data breaches are caused by human error, such as emails sent to the wrong recipients [1]. Having a clear, accessible and up-to-date data protection policy can help ensure that liability due to human error is minimised. It is always a good idea to engage internal or external data protection experts to draft a suitable policy. They can help not only in making the policy simple and straightforward but also in ensuring that it implements all GDPR requirements.
It is crucial to embed the main principles of the GDPR in the data privacy culture of your organisation. These principles form the very core of the GDPR; everything else flows from and is guided by them. Respecting these principles and processing personal data in accordance with them should therefore be one of the key features of a data protection policy. Below is a short insight into what these principles entail.
You should always include and describe the aforementioned principles in simple terms and what they mean in practice for your organisation.
Some further aspects to be incorporated in your data protection policy include:
The data protection policy is not a stand-alone document. As stated earlier, it forms part of a set of internal GDPR compliance policies and procedures, crucial amongst which is the security policy of your company. It is therefore important to create a logical link between your data protection policy and the security policy of your organisation, especially organisational security measures such as password protection, access controls, clean desk policy, etc.
You can start with a template data protection policy, but remember that your data protection policy is your own, so adapt the template accordingly. The policy should be built according to the GDPR, but it should not simply repeat what is already in the regulation. Different organisations deal with different data. You should tailor your policy to the processing activities that your organisation actually conducts, so that it addresses the needs of your company while also complying with the relevant data protection laws.
Your data protection policy may need to be revisited in line with changes in your company’s operations, supervisory authorities’ guidance and industry best practices. So, remember to revisit your policy from time to time. Regular employee training and assessment are crucial to the success of your policy. Do not forget to maintain a record of all training sessions; it can go a long way in ensuring transparency and accountability.
[1] Autoriteit Persoonsgegevens, Meldplicht datalekken: facts & figures, Overzicht feiten en cijfers 2018 (https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2019/01/ra...); Infosecurity Magazine, ICO Breach Reports Jump 75% as Human Error Dominates, 4 Sept 2018 (https://www.infosecurity-magazine.com/news/ico-breach-reports-jump-75-hu...)