Many companies struggle to comply with GDPR, but how many of those end up being punished by regulators? The answer is very few. Despite the headline-grabbing fines we read about, the purpose of GDPR is to help you Get your Data Protection Right.

During this Get Data Protection Right series we’ve identified nine pillars of data protection that protect you from breaches and move you towards GDPR compliance. This article looks at data protection policies and the ninth pillar: controlling and tracking data access.
The Importance of a Data Protection Policy

Previously, we highlighted the importance of record-keeping and documentation in GDPR compliance. One of the most important documents you need is a data protection policy. This is required to comply with Article 24 of the GDPR. But why is it so important, and how do you go about drafting and implementing it?
First create a blueprint for your GDPR framework

A data protection policy is a security policy that describes the technical and organisational measures your organisation has in place to protect the personal data it processes. In easy-to-understand language it should explain to employees your organisation’s commitment to the GDPR and its requirements. It should provide the framework used to implement, monitor and manage data security. It does not need to be extremely detailed. Think of it more as a declaration of the principles of data protection and the organisation’s intent to achieve them. The policy should condense into bite-sized pieces what portions of the GDPR are relevant to your business,
Staff awareness and accountability

Your data protection policy exists for the benefit of the staff. The policy must, therefore, be understandable to people who are not experts in the GDPR and cybersecurity. It should make it clear to your staff how the GDPR applies to them and how they will be held accountable to it. It’s also worth noting that employees are happier when their employer takes a strong lead on important issues. Most people want to do things right.
Prove your intent to comply with the GDPR

Let’s imagine your company is investigated by GDPR enforcers for whatever reason (as a result of a serious complaint or a data breach, for instance). In addition to your Article 30 Records of Processing Activities, you will be asked to share your data protection policy to prove you have taken data protection seriously. The policy acts as a statement of intent and demonstrates that you have been proactive in making it a priority.
Drafting a Data Protection Policy

It’s easy to say that a data protection policy is an easy-to-understand document detailing your organisation’s core data protection practices. But where do you start? As these articles have shown, it’s not easy to distil the GDPR into a staff-friendly document.

Luckily, you don’t really need to tackle the daunting task alone. There are many customisable templates available online that do most of this work for you. Most are sufficient for smaller organisations, which often lack the resources to create a policy from scratch, but they can also be used as a starting point for larger organisations.

GDPR365 contains a template data protection policy, but even more importantly the software helps an organisation understand what’s important in the GDPR and can inform the process of customising the template, so you have a data protection policy that is unique to your organisation. Through your use of GDPR365, you will have defined and documented the technical and organisational measures and procedures you’ve put in place, so customising a data protection template becomes easier.
What to include in a data protection policy

The precise content of a data protection policy will vary from organisation to organisation. But it must include the elements of the GDPR that apply to your business and staff, and it must be presented in an easily digestible way.

A typical data protection policy might include the following:
- An introduction to GDPR and a statement of the purpose of the policy.
- A list of definitions. The GDPR has specific terminology and your staff need to understand these terms (e.g. the difference between data controller and data processor).
- The scope of the policy: explain that the policy encompasses all EU residents and their personal data, as well as all staff members who process that data.
- The principles of GDPR: explain the seven key principles that businesses or associations should abide by.
- Data subject rights: explain the eight rights: an individual’s right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights relating to automated decision-making and profiling.
- Roles and responsibilities: explain the actions, behaviours and practices required from all staff handling personal data. This section helps establish a mindset of accountability.
- Persons responsible: include the contact details of the persons in the organisation responsible for data protection. The contact details of the DPO (data protection officer) should appear here if one exists.