All of this makes it fair to argue that the purpose of policy is to regulate privacy programs by establishing the foundations on which they actually run. Therefore, the policy should adequately define what is protected, determine roles and responsibilities, and adequately describe the principles, rights and obligations of data protection.
As you can see, it is of fundamental importance to design a policy that covers the relevant aspects of privacy and data protection. However, it should be remembered that the term “policy” refers not only to a set of documented principles, but also to the actionable items and the actual implementation of those principles. Privacy policies therefore need to be sensibly communicated among the various functional groups (CEO, HR, DevOps, IT, etc.) so that they can be implemented. These groups should have a basic understanding of the importance of privacy and data protection in order to support independent initiatives and projects that contribute to privacy programs. In doing so, we can develop supportive policies that provide practical guidance on potential issues and specific intentions. For example, an information security policy (and accompanying procedures, protocols, and guidelines) can be put in place. This policy also protects data, but it serves different purposes, uses different tools, and involves different sources.