An integral part of your EU General Data Protection Regulation (GDPR) project is producing appropriate documentation to demonstrate your compliance. As part of this, organisations will need to produce a data protection policy.
To help you prepare for the fast-approaching compliance deadline (25 May 2018), we have outlined what the data protection policy is, what you should be looking to include and what tools can help your organisation produce this essential piece of documentation.
What is a data protection policy?
Under Article 24 of the GDPR, the Regulation states that “[w]here proportionate in relation to processing activities, […] measures […] shall include the implementation of appropriate data protection policies by the controller.”
Policies differ from procedures, as they are high-level documents that set principles, rather than details of how, what and when things should be done.
- Be capable of implementation and enforceable;
- Be concise and easy to understand; and
- Balance protection with productivity.
The data protection policy should specifically include the following key elements:
- Topics covered by the policy;
- Reasons why the policy is needed;
- Contacts and responsibilities;
- Objectives; and
- How to handle violations.
For example, your data protection policy may include instructions for staff involved in collecting client data, specifying that they only collect the minimal amount required.
Help for creating a data protection policy template
Knowing where to start when compiling your data protection policy can be difficult, especially in large or organisations with many objectives, contacts and responsibilities.
The EU GDPR Documentation Toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. The toolkit includes:
- A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure compliance with the GDPR;
- Helpful dashboards and project tools to ensure complete coverage of the GDPR;
- Direction and guidance from expert GDPR practitioners; and
- Two licences for the GDPR Staff Awareness E-learning Course.