The GDPR (General Data Protection Regulation) isn’t just about implementing technological and organisational measures to protect the information you store.
You also need to demonstrate your compliance, which is why data security policies are essential.
These documents form part of organisations’ broader commitment to accountability, outlined in Article 5(2) of the GDPR.
In this blog, we explain what a GDPR data protection policy is and explain how you can accelerate your implementation project.
What is a data protection policy?
A data protection policy is an internal document that serves as the core of an organisation’s GDPR compliance practices.
It explains the GDPR’s requirements to employees, and states the organisation’s commitment to compliance.
The data protection policy doesn’t need to provide specific details on how the organisation will meet the Regulation’s data protection principles, as these will be covered in the organisation’s procedures.
Instead, a policy only needs to outline how the GDPR relates to the organisation. Take data minimisation as an example.
Whereas your procedures should state exactly how you will ensure this principle will be met (for example, you might require that any prospective data collection activities be accompanied by a document explaining why processing is necessary), your policy need only state that the organisation will address that principle.
Why do you need a GDPR data protection policy?
Data protection policies serve three goals. First, they provide the groundwork from which an organisation can achieve GDPR compliance.
The Regulation as it’s written is too complex to be used as a basis for an implementation project. Imagine starting on page one and planning your compliance practices as you go; it would be a mess.
Instead, you should use the policy as a cheat sheet, breaking the GDPR’s requirements into manageable chunks that apply to your organisation.
That brings us to the second goal: to make the GDPR understandable to your staff. Remember, most employees who handle personal data aren’t data experts and won’t have pored over the Regulation’s principles to understand why these rules are in place.
A data protection policy is the ideal place to address that, explaining in simple terms how the GDPR applies to them and what their obligations are.
Finally, data protection policies prove that organisations are committed to preventing data protection breaches.
Article 24 of the GDPR specifies that organisations create a policy in order to “demonstrate that [data] processing is performed in accordance with this Regulation”.
Being able to demonstrate compliance is essential when it comes to regulatory investigations.
If a customer complains that an organisation has misused their data or hasn’t facilitated one or more of their rights as a data subject, the organisation will be subject to an investigation from their supervisory authority.
A data protection policy will be the first piece of evidence the regulator looks for to see whether the organisation takes the GDPR seriously.
From there, the supervisory authority may determine whether the organisation processes personal data lawfully, and if it didn’t, whether the violation was due to a mistake or widespread neglect of the Regulation’s requirements.
The answer to this will determine what disciplinary action is levied. A one-time mistake might be met with a slap on the wrist and a reminder to be more thorough in the future, but a systemic failure will almost certainly lead to a significant fine.
What your data protection policy should include
You can include as much or as little information in your GDPR data protection policy as you like, but we recommend that you cover:
1) The purpose of the policy: This can serve as your introduction, explaining the policy’s relation to the GDPR, the importance of compliance and why the policy is necessary.
2) Definition of key terms: The GDPR is full of data protection terminology that you will need to explain.
This section should include notoriously tricky terms like ‘data controller’ and ‘ data processor’, but you might also want to clarify things like ‘data subject’, which aren’t as clear-cut as you might think.
3) Scope: The GDPR’s requirements apply to EU residents’ personal information and anyone in your organisation who processes that data.
You must also define what types of information the GDPR applies to. Part of the reason for doing this is that the Regulation distinguishes ‘special categories of personal data’, which are subject to extra protection.
4) Principles: Explain the GDPR’s six principles for data processing, as well as accountability (which is also a principle but addressed slightly differently). You should also briefly note your commitment to meeting these principles.
5) Data subject rights: The GDPR endows individuals with eight data subject rights. You should define them and state that will ensure that they are met.
6) DPO (data protection officer): You should provide the name and contact details of your DPO. If you’ve chosen not to appoint one (some organisations are exempt from this requirement), you should list the senior member of staff responsible for data protection.
Want to a quick and easy GDPR policy template?
Putting all the necessary information into a policy from scratch is a tough task, which is why some organisations simply adapt their existing data protection policy to include GDPR-specific elements.
We don’t recommend this approach, because you can easily overlook essential requirements. However, we understand the desire for help, which is why we offer a GDPR Data Protection Policy Template.
With this document, designed by our expert information security practitioners, you can create a GDPR-compliant data protection policy in minutes.
A version of this blog was originally published on 6 February 2018.