The introduction of the GDPR (General Data Protection Regulation) has meant that organisations across Europe must be a lot more rigorous about the way they handle people’s personal data.
One of the most important steps is to create a data protection policy to make sure employees know exactly what they should and shouldn’t do when processing or storing sensitive information.
What a data protection policy covers
A data protection policy explains the GDPR’s requirements to employees in simple terms, and puts in writing the organisation’s commitment to regulatory compliance.
This achieves three things. First, it breaks the Regulation’s requirements into manageable chunks that you can use as the basis for your compliance activities. Working out whether and how each requirement applies is the best way of establishing a framework to achieve compliance.
Doing this also makes it easier for staff to understand how the Regulation affects them. You don’t need to discuss what they need to do to remain compliant, as this will be covered in your procedures, but you do need to broadly outline what is expected of them.
The third objective of a data protection policy is to demonstrate that your organisation is aware of its requirements and is committed to meeting them – something that’s especially useful if you’re being audited or investigated by a supervisory authority.
This is because a policy will be the first piece of evidence the regulator looks for to see whether your organisation takes the GDPR seriously.
From there, they’ll determine whether you met your regulatory requirements and, if not, whether the violation was due to a mistake where processes weren’t followed or a widespread neglect of the Regulation’s requirements.
The answer will determine what enforcement action is taken. A one-time mistake might be met with a slap on the wrist and a reminder to be more thorough in the future, but a systemic failure will almost certainly lead to a significant fine.
What your data protection policy should include
There are no set requirements for how much information you include in your data protection policy. However, we recommend that you cover:
- The purpose of the policy: This can serve as your introduction, explaining how the policy relates to the GDPR and why it’s necessary to achieve compliance.
- Definition of key terms: Most people who read your policy won’t be familiar with the GDPR’s terminology, so you should include concise definitions of important terms, like ‘data controller’, ‘data processor’ and ‘data subject’.
- Scope: The GDPR applies to EU residents’ personal data and anyone in your organisation who processes that information.
- Principles: The GDPR contains six principles for data processing, and a sort-of seventh principle, accountability, which is addressed slightly differently. You should explain what these principles are and state that you will be taking measures to uphold them.
- Data subject rights: The GDPR endows individuals with eight data subject rights. You should define them and state that you are committed to meeting them.
- DPO (data protection officer): You should provide the name and contact details of your DPO. If you’ve chosen not to appoint one (some organisations are exempt from this requirement), you should list the senior member of staff responsible for data protection.
Try our GDPR data protection policy template
Writing a data protection policy can be risky: missing a requirement or failing to explain something properly puts you in jeopardy of breaching the GDPR and facing disciplinary action.
You can avoid that possibility by using our GDPR Data Protection Policy Template.
Designed by our expert information security practitioners, this document provides a quick, simple-to-follow guide to creating a GDPR-compliant data protection policy. All you need to do is fill in the blanks with your organisation’s details.