Data privacy rules have never been crucial for organisations to follow until the General Data Protection Regulation (GDPR) enforcement. This blog is divided into two sections. The first section will discuss a general overview, definitions and common queries related to a data protection policy. The second section will explain how a business can write and operationalise a data protection policy.
Individual privacy concerns are becoming critical since regulators have more power to enforce non-compliance fines on organisations handling an expanding amount of personal data. Achieving GDPR compliance is now required for businesses operating the personal data of EU/UK residents, but the compliance process is not as simple as it appears.
Organisations must have a documented procedure for determining what personal data they hold, where it came from, and with whom they share it. Procedures supporting data subjects’ rights and the legal basis for personal processing data be identified and discussed with the key people and decision-makers so that they can understand the potential impact and recognise areas that need to be addressed for GDPR data protection.
Moreover, businesses that operate in multiple jurisdictions confront different data privacy and security requirements regarding cross-border data transfers.
So all these requirements need to have some procedural steps and be documented in a single place, and that’s where the provision of data protection policy comes in.
Section 1: General overview of the data protection policy
What is a data protection policy?
A data protection policy is an internal document that forms the foundation of an organisation’s GDPR data protection efforts. It informs employees of the GDPR’s rules, lays down their responsibilities and indicates the organisation’s commitment to compliance.
The data protection policy aims to guarantee that the organisation meets its legal, statutory, and regulatory obligations under applicable data protection laws, as well as to ensure that all personal and sensitive data is processed in a compliant manner respecting the interests of the data subjects.
What should be included in the policy?
The data protection policy does not need to include detailed explanations on how the organisation will meet the data protection principles outlined in the GDPR, as these will be covered in the organisation’s procedures. Instead, a policy should define how the GDPR applies to the organisation.
As an example, consider the principle of data minimisation. The policy will state data minimisation requirements in the company’s data processing activities. Still, the actual process of how data will be minimised shall be documented in its separate procedural document.
In summary, your procedural document should specify how you will ensure data protection by adopting appropriate safeguards. Your policy should state that the organisation will follow these data protection principles and laws.
Data protection policies are not as famous as privacy policies, particularly in the regions where no federal-level privacy legislation is enforced, i.e. the United States. Many company owners mistakenly assume both documents are the same, however, these are two completely different documents with different purposes and sensitivity.
On the other side, the data protection policy is an internal document that establishes business-wide information security policies. This document is made available to all the employees, particularly those involved in handling customers’ personal data, ensuring that everyone in the organisation knows the importance of data protection and security. The policy can also be provided to potential vendors or customers to demonstrate GDPR compliance.
A well-maintained policy can also represent your company’s dedication to privacy and data protection. If a privacy or data protection conflict occurs, you can show your policy to supervisory authorities as proof of your organisation’s commitment to demonstrate compliance.
So in simple terms:
- A data protection policy is an internal document that sets out how your organisation protects personal data. It concerns the employees and potential vendors.
Can you publicly reveal your data protection policy?
Though this policy is an internal document, it can also be made publicly available to practice the GDPR’s principles of transparency and Accountability.
By revealing your data protection policy to the general public, it can incrementally increase the trust of your customers and potential vendors who may want to see your organisation’s information security practices before they hand over their proprietary or confidential data.
Why do you need to write a data protection policy?
If your organisation is processing EU or UK resident’s personal data either in one of the following conditions:
- A business processes personal data as part of the activities of one of its EU/UK-based branches regardless of where the data is processed, or
- A company founded outside the EU/UK that offers goods/services (paid or free) or monitors the behaviour of a natural person in the EU/UK.
Then, it must comply with the GDPR obligations.
To implement the GDPR obligations, you need to set a roadmap in terms of a policy or procedure that helps you achieve the desired objectives. Generally, there are three main objectives for which you need a data protection policy.
1. Laying the basis for an organisation to achieve GDPR compliance.
The Regulation, as written, is just too complex to serve as the foundation for an implementation project. As the Regulation is a comprehensive document that addresses all the possible obligations and data protection requirements, you need to pick what obligation applies to your business and formulate your procedure.
For example, a chapter in the Regulation is dedicated to the cross-border data transfers of EU/ UK residents. If your company does not transfer its customer’s data outside Europe or the UK, you don’t need to add cross-border data transfer clauses in your GDPR implementation project.
So this will break down all the applicable GDPR requirements for your company.
2. Make the GDPR understandable to your employees.
Remember that most employees who handle personal data are not data experts and will not have read the Regulation’s principles to understand why these regulations exist.
A data protection policy is an excellent place to start, outlining how the GDPR applies to them and their obligations in layman’s terms.
3. Demonstrating the organisation’s commitment to data protection.
Finally, the data protection policy demonstrates that the organisation is dedicated to secure personal data processing, respecting data subjects’ rights and preventing data breaches.
Article 24 of the GDPR requires organisations to have a policy to “show that data processing is carried out in conformity with this Regulation.”
When it comes to regulatory inquiries, being able to verify compliance is critical. If a client complains that an organisation has misused their data or has failed to facilitate one or more of its data subject rights, that organisation will be subject to an investigation by its supervisory authority.
A data protection policy would be the first line of evidence examined by the regulator to determine whether the organisation complies with the GDPR. The supervisory authority may then decide whether the organisation is processing personal data on a legal basis and, if not, whether the violation was due to non-compliance with the provisions or by mistake.
The answer will determine what kind of disciplinary action is taken. A one-time error may result in a caution to be more careful in the future, but a catastrophic problem will almost surely result in a hefty fine.
Is it mandatory to have a data protection policy under GDPR or the Data Protection Act?
But, if we closely observe the recitals of these regulations, we can estimate the importance of the data protection policy.
- GDPR Article 24 states: “Taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity to natural persons’ rights and freedoms, the controller shall implement appropriate technical and organisational measures to ensure and demonstrate compliance with this Regulation. The measures referred to shall include the implementation of adequate data protection policies concerning processing operations..”
- Information Commissioner’s Office has proposed that to achieve GDPR’s principle of Accountability, one of the measures is to adopt and implement appropriate data protection policies.
- Data Protection Act 2018 states in chapter 4 of General Obligations:
- Each data controller must put in place suitable technological and organisational safeguards to demonstrate that personal data processing complies with the requirements of DPA18.
- Where suitable regarding the processing, the measures that comply with subsection (a) must include relevant data protection policies.
The Keyword’ data protection policies’ here is meant to have policies and procedures that govern the secure processing of personal data, set standards for achieving compliance with the applicable data protection principles and make all employees aware of the need for personal data protection in their processes.
So, instead of creating several separate documents concerning the above factors, having a single consolidated data protection policy is the most straightforward approach to take. In addition, the policy will provide a road map for achieving data protection compliance.
Section 2: How to draft the data protection policy
To draft this policy, every organisation must identify the scope of the data it processes and align its data processing operations with the applicable law clauses.
For example, any organisation that collects special categories i.e. sensitive information as defined by the GDPR, such as data pertaining to ethnicity, religion, sexual orientation, and so on, should include a specific provision within the data protection policy to address the processing of special categories of data. On the other hand, a business that does not handle such data would not require such a provision.
Having said that, the following are some general provisions that can be applied to most types of businesses.
General provisions of data protection policy
The first provision should explain the policy’s objective and goal and how it will be implemented.
For example, you will clarify that you securely process personal data following GDPR and respect data subjects’ rights.
Furthermore, the provision will ensure that you adhere to data privacy legislation and best practices by reducing the risks of data protection breaches and other violations.
This provision will define the policy’s scope, describing which types of data are processed (For example, data as special categories, biometric data, finance, health, credit card or employee personal data) and which people of the organisation are covered by the policy.
3. Data protection principles
The seven GDPR principles should be addressed in this provision i.e.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
The technical and security measures should also be addressed in the section on integrity and confidentiality. For example:
- use of encryption and pseudonymisation to protect data where suitable.
- ensure the personal data’s confidentiality, (ensuring that data is protected from unauthorised access) integrity, and availability.
- put access controls to limit the disclosure of personal data and defeat unauthorised access.
- create data backups to defeat any data protection breaches or a disaster.
This provision should explain how the organisation is demonstrating compliance with these data protection principles. Your employees must understand these principles to which they will be held when it comes to customer data.
4. Lawful basis of data processing
To be considered lawful under the GDPR, data processing must come under one of six legal basis.:
- Data subject consents: The data subject has given you explicit permission to process their personal data for a specific purpose.
- Contractual obligation: the processing is required for a contract you have with the individual or to fulfil pre-contract obligations.
- Legal obligation: the processing is required for you to comply with the law.
- Vital interests: the processing is required to save a person’s life.
- Public task: the processing is required for you to undertake a task in the public interest or to carry out your official obligations, and the task or function has a clear legal basis.
- Legitimate interests: the processing is required for your or a third party’s legitimate purposes. whereas these legitimate interests do not override the rights of the data subjects.
This provision in your data protection policy must address on which lawful basis your data processing activity relies. This section would also address on which lawful basis the data subject has the right to opt-out for the processing.
If your organisation collects personal information on several different legal basis, it may be vital to clarify how each condition applies to your processing.
This provision discusses the data protection responsibilities of the organisation’s various employees and departments. The provision especially helps employees understand the importance of data security and how their responsibilities affect the organisation.
This provision should be devised in a clear format so that each employee and department, namely line managers, data protection officers, third-party processors, contractors, and regular and voluntary staff be aware of its responsibilities in terms of data protection law.
6. Data subject rights and access request
The rights of data subjects should be explained in this provision. GDPR has provided the following rights to its data subjects:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights about automated decision making and profiling.
Other than these rights, this provision should also address how individuals can make data subject access requests, in what conditions they can withdraw their consent and how to complain to the supervisory authority.
You may also need to address how the organisation will respond to data subject requests, who will fulfil those requests and under what conditions. This clarifies which requests are permissible and how to handle such requests when they arise.
7. Personal data breach notification
Data breach notification is one of the most critical aspects of the data protection policy. Everyone in your organisation should know what to do during a data breach.
This provision should clearly explain procedures to deal with any suspected personal data breach and in what conditions the organisation will notify the supervisory authority and data subjects.
For example, if encryption is enabled the notification to the data subjects are not required.
The reporting time of the breach notification and the contact information on which the employees should report the suspected data breach should also be mentioned.
8. Records management
According to the GDPR, records management is essential as organisations must keep complete and accurate records of all data processing activity.
These records should include, at a minimum, the organisation’s name and contact details as a data controller and the data protection officer, descriptions of the personal data identifiers, data subject types, data processing activities, purpose limitation, third-party processors of the personal data, personal data storage locations, personal data transfers, personal data retention period, and a description of on which basis the data is being retained.
9. Data Sharing
This is one of the most important provisions that should be thoroughly explained. You must explain how this provision will share data internally and externally. What conditions allow data sharing, and what security measures are needed before and after data sharing.
This should also specify who has to be consulted before sharing data, whether internally or outside, and if there is an obligation to share special categories of data.
Cross border data sharing
The GDPR restricts the transfer of personal data outside the EEA/UK unless data subject rights and freedoms about personal data are secured in another way, as laid forth in GDPR Article 46, such as through the adoption of standard contractual clauses.
You need to clarify if you transfer personal data and what GDPR data protection tools you adopt to ensure compliance.
10. Privacy by design and default
Privacy by design and default is a data protection approach that addresses data protection from the start of a project and continues to be considered throughout the design process.
This provision should address the above principle in detail if your organisation designs or maintains large-scale data-processing initiatives.
For example, before launching a large-scale data processing project, it should be subjected to a data protection impact assessment (DPIA).
Discuss your concerns today
11. Contractual requirements of third parties
The applicable contractual obligations should be mentioned in this provision. These obligations could be like:
- The third parties provide sufficient guarantees about how they will treat and protect the data.
- Third parties who process personal data ensure that their employees have undergone sufficient training.
- Third-party assuring that they have appropriate technical and security measures.
- Third parties erase personal data once the aim of the process has been met.
12. Direct marketing
This provision requires the organisation to list any applicable privacy regulations for its direct marketing to its employees and customers.
This provision should also indicate how the individual can provide and withdraw consent for electronic direct marketing and how long their response should be kept to ensure that marketing preferences are respected in the future.
13. Training and Audits
This provision should guarantee that all the employees will receive training to comply with data privacy legislation. Organisations should also create a process to regularly test their systems and procedures to ensure compliance.
14. Contact details
Employees must know who to contact if they have any questions or concerns about the GDPR data protection policy. Include a section with the necessary contact details. This could be a data protection officer or another point of contact for privacy issues.
Usually, telephone numbers and email addresses are provided to make it easier to contact the relevant person.
15. Policy review
This provision should reserve the right to amend the policy at any moment. This will necessitate that all the concerned individuals should receive the most recent copy.
This provision should also state who approved the policy, for example, the information management committee and who will regularly review the policy with the applicable changes. It should also specify when the policy will be revised.
16. Glossary of terms
A glossary section clarifying the various terms used throughout the policy may be necessary to address any ambiguities among employees.
The glossary part should be defined in simple language that non-technical staff may comprehend, and it should be consistent with the business’s data processing practices. This will help to ensure that all employees understand the data protection policy’s requirements.
In general, numerous common terminologies must be included in the data protection policy, including but not limited to:
- Personal data
- Processing or Process
- Data controller
- Data processor
- Data protection officer
- Data subject
- Automated decisions or profiling
- Data protection impact assessments
- Personal data breach
- Privacy notice
How to operationalise the data protection policy?
As a general rule, having a written policy is useless if it is not applied and embedded in the company’s commitment. For example, it is pointless to say that data transfers will be encrypted if you don’t have a plan or the resources to do it.
The data protection policy should be addressed in the same way other organisations’ policies are treated.
It should be introduced to employees and make them obliged to follow it. For example, make it a must-read by including it as part of your employee handbook.
For ease of reference, and depending on the length of the policy, it may be good to give staff a summary of the important principles or practices that they should follow.
While introducing the policy, ensure that all employees receive policy training appropriate to their specific jobs and ways of functioning. As part of the initiation process, make sure to familiarise new members of staff with the policies and practices.
Discuss your concerns today
If your company chooses that the policy will govern external contractors and suppliers, you should give them a copy and include an appropriate contract clause.
Since the GDPR took effect, every business operating in the EU/UK regions has made extraordinary efforts to comply with the Regulation. As the GDPR is a comprehensive regulation, it needs a detailed analysis of each activity of handling personal data. The more you read the law, the more complex it becomes because it applies to every possible case of personal data processing. So a better approach is to select your scope of data processing, jot down the relevant principles, then transform them into processes that are relatively easy to implement across the board.
To achieve this purpose drafting a data protection policy is the best solution.
Get in touch to schedule a chat and discuss your security and privacy concerns.