
How to Write a GDPR Data Protection Policy

by delta

Complying with the GDPR (General Data Protection Regulation) takes more than implementing technical and organizational measures to protect the personal data you store. Documented data protection policies are also essential, because compliance must not only be achieved but demonstrated.

These documents form part of the organization’s broader accountability obligation under Article 5(2) of the GDPR.

This blog explains what the GDPR Data Protection Policy is and how to accelerate your implementation project.

What is the data protection policy?

A data protection policy is an internal document that serves as the core of an organization’s GDPR compliance practices. It explains GDPR requirements to employees and demonstrates the organization’s commitment to compliance.

A data protection policy does not need to spell out in detail how the organization meets each of the Regulation’s data protection principles; that is what procedures are for.

Instead, the policy should simply set out how the GDPR relates to your organization and what it commits to. Take data minimization as an example.

A procedure states exactly how the principle is met (for instance, which data each process may collect and when it is deleted), while the policy only states that the organization is committed to collecting no more personal data than it needs and who is responsible for ensuring that.

Why you need a GDPR data protection policy

A data protection policy serves three goals. First, it provides a foundation for your organization’s GDPR compliance work.

The Regulation as written is too long and complex to serve directly as the basis for an implementation project. Imagine planning your compliance practices by reading it from the first page onwards: it would be confusing.

Instead, the policy should act as a cheat sheet, breaking the GDPR’s requirements into manageable chunks that apply to your organization.

This brings us to the second goal: making the GDPR understandable to staff. Remember that most employees who handle personal data are not data protection experts and have never studied the Regulation’s principles.

The data protection policy is the ideal place to address this, by explaining in plain terms how the GDPR applies to your organization and what each employee’s obligations are.

Finally, a data protection policy demonstrates that the organization is committed to complying with the GDPR and to preventing data breaches.

Article 24 of the GDPR requires the controller to implement measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation, and adds that, where proportionate, those measures shall include appropriate data protection policies. When a regulator investigates, being able to demonstrate compliance is essential.

If a customer complains that an organization has misused their data or violated their rights as a data subject, the supervisory authority may open an investigation.

A data protection policy is one of the first pieces of evidence regulators ask for when assessing whether an organization takes the GDPR seriously.

From there, the supervisory authority can determine whether the organization is processing personal data lawfully and, if not, whether the violation was a one-off mistake or reflects broad disregard for the Regulation’s requirements.

That determination shapes the enforcement action. A one-off mistake may result in a reprimand and an instruction to be more thorough in future, whereas a serious or systemic failure is far more likely to result in a substantial fine.

What should be included in your data protection policy

You can include as much information as you like in your GDPR data protection policy, but we recommend including the following information:

1) The purpose of the policy: an introduction explaining how the policy relates to the GDPR and why compliance matters.

2) Definition of key terms: the GDPR uses many data protection terms that need explaining.

This section should cover notoriously tricky terms such as “data controller” and “data processor”, and can also clarify terms like “data subject” and “processing”.

3) Scope: the GDPR applies to the personal data of individuals in the EU (and, for organizations established in the EU, to all the personal data they process) and to everyone in your organization who processes that data.

You also need to define the types of personal data the policy covers, in part because the Regulation singles out “special categories of personal data” (Article 9), which are subject to stricter protection.

4) Principles: explain the GDPR’s six data processing principles (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality) and the accountability principle, which is also a principle but is treated a little differently, since it requires you to demonstrate compliance with the other six. You should also briefly state your commitment to adhering to these principles.

5) Data subject rights: the GDPR grants individuals eight data subject rights. The policy should list them and state how the organization will honour them.

6) DPO (Data Protection Officer): you must provide the DPO’s name and contact details. If you have not appointed one (a DPO is mandatory only in the circumstances set out in Article 37), list the senior member of staff responsible for data protection instead.

Need a quick and easy GDPR policy template?

Putting all the necessary information into a policy is a difficult task. Because of that, some organizations simply adapt their existing data protection policy to include GDPR-specific elements.

We do not recommend this approach, as it is easy to overlook important requirements.

But we understand that you want help. That’s why we provide data protection checklists and templates.

Created by our information security experts, our documents help you create GDPR-compliant data protection policies in minutes.

This Website is operated by the Company DELTA Data Protection & Compliance, Inc., located in Lewes, DE 19958, Delaware, USA.

Copyright ©️ 2023  Delta Compliance. All Rights Reserved
