11 February 2020
In the first eight months of the EU General Data Protection Regulation (GDPR), 59,000 data breaches were reported. Initially, this sounds somewhat worrying. Are data protection standards falling short? Are there some serious flaws in the data security infrastructure? Have cybercriminals suddenly got a lot more sophisticated?
These concerns may be well-founded. But there could be another reason for this large number of breach reports.
Organizations have used the GDPR as an opportunity to look carefully at their data protection practices. They've put policies and systems in place that have helped them identify and respond to threats. They've become more aware, and more accountable. More breaches are actually being noticed and thus reported.
A crucial step in making this change in your organization is to have a Data Protection Policy. This policy sets out the expectations on your staff and details the methods you employ to process personal data securely.
A Data Protection Policy sets out your organization's approach to complying with your obligations under data protection law. It explains things like:
A Data Protection Policy is a way for you to ensure that everyone working for your organization is on the same page when it comes to complying with laws such as the GDPR. Once the policy is written, you can ask your organization's staff and contractors to read it carefully and agree to abide by it.
Producing a Data Protection Policy is also an essential way to demonstrate to your Data Protection Authority that your organization is doing everything necessary to keep personal data safe.
This policy is addressed to EBV Elektronik's customers referred to as "data subjects" or the individuals whose personal data is being processed.
Contrast this with the introduction to Pulso's Data Protection Policy:
This is the more common use of the term "Data Protection Policy," and it's the type of document we'll be looking at in this article.
Although this is an internally-facing document, there is no reason you can't make your Data Protection Policy available to the public. We're going to be looking at some examples of Data Protection Policies from companies who have done just that. Making your policies public can reassure your customers that your organization takes its responsibilities seriously.
The need for a Data Protection Policy can be interpreted from Article 24 of the GDPR:
This part of the GDPR requires that "data controllers" (anyone who decides how and why personal data is processed) take the necessary measures to demonstrate compliance with the GDPR. Where "proportionate," they should also produce a policy in relation to these measures.
When considering whether this would be a proportionate measure for your organization, consider:
If you answer "yes" to any of these questions, then it's important that you have a Data Protection Policy in place.
However, even if you answer "no" to the questions above, it's worth considering adopting such a policy. It's essential that your organization can demonstrate that it has thought carefully about how it processes and protects personal data.
A Data Protection Policy is the best way to present this information. It also means you are less likely to experience any data protection related problems. Staff within your organization will have a clear notion of the GDPR's importance for their day-to-day activities. So, if you do suffer any security issues, you'll be better placed to contain them.
Having a Data Protection Policy in place will mean that you are able to show your Data Protection Authority that you have been proactive in trying to meet your obligations under the law. This is one of the factors that can be taken into account when determining whether an organization should receive a penalty following a data breach.
The GDPR applies to your organization so long as it does one of the following two things in respect to people in the EU:
This is irrespective of whether you have any base in the EU. This applies even if none of your staff have set foot in an EU country. If you meet the conditions above, you still need to abide by the GDPR, like any European organization would, whenever you're processing the personal data of people in the EU.
The contents of your Data Protection Policy will vary depending on the size, industry and activities of your organization. Let's look at some of the sections that frequently show up in a Data Protection Policy.
A brief introduction should give the name of your organization and explain the purpose of your Data Protection Policy.
Here's an example from Adviza, which calls its introduction its "purpose" section:
Adviza does a good job of explaining the legal, ethical and practical reasons that it has introduced a Data Protection Policy, including to comply with laws, protect data subject rights, protect themselves from the risks of a data breach, follow good practices and be open and transparent.
Terms like "personal data," "data controller" and "data subject" are not easily understood by those with no experience with data protection law. If you're going to use terms like this (and to some extent this is unavoidable), you should include a section in your Data Protection Policy which defines them.
Here's an excerpt from the "definitions" section of the National Portrait Gallery's Data Protection Policy:
Setting out the scope of your Data Protection Policy makes it clear what activities the policy applies to and who is expected to read the document and comply with it.
Here's an example from the University of Nottingham:
The clause states that the policy applies to all personal data processed regardless of where the data is stored and regardless of who the data subject is. It notes who is responsible for ensuring compliance and who is responsible for overseeing the policy. It also includes contact information for the Data Protection Officer.
The GDPR provides a set of principles by which all processing of personal data must take place. Your organization should try to embed these principles within the culture of your data processing activity.
Sometimes a Data Protection Policy will first list the GDPR's principles and then set out how these apply to the organization.
Here's an example from the Local Government Association. First, it lists the principles of the GDPR (or rather, its UK variant the Data Protection Act 2018), with little deviation from the original text:
Then, the policy relates this to the overall principles of the organization, disclosing what LGA will do to uphold the principles:
You should ensure you give details of the "chain of command" when it comes to enforcing your Data Protection Policy within your organization. For smaller organizations, you may be able to cover this in your "scope" section.
Sometimes a Data Protection Policy will set out who is accountable for oversight of data processing within an organization.
Here's how Ajenta does this:
And here's an excerpt from the relevant section of Just IT's Data Protection Policy, which presents a somewhat more complex hierarchy of responsibility:
The GDPR provides "data subjects" (individuals) with 8 user rights that allow them to access and exert control over their personal data. If you're storing an individual's personal data, you're required to help that individual exercise their data subject rights.
A Data Protection Policy is a good way to explain to your staff what they should do in the event that an individual makes a request regarding their personal data.
For example, here's how the University of Edinburgh suggests staff respond if they receive a subject access request:
This gives a lot of leeway to staff as they can decide on their own if they respond to a request for information.
Other organizations take a different approach. Here's the relevant section of Uppingham College's Data Protection Policy (see page 8):
Note how this organization maintains far more control over the process by having one party (the DPO) deal with addressing subject access requests.
Whatever your own process is, disclose it and make sure your users know how to exercise their rights.
It's crucial that your organization has a process in place for reporting and containing data breaches as soon as they are detected.
Many organizations have a separate Data Breach Notification Policy. If this applies to you, make sure you incorporate this into your main Data Protection Policy.
Here's how the Scottish Funding Council does this. A link to the "Data Breach Procedure" is provided in the "Staff Responsibilities" section (on page 6):
Here's another approach by North Ayrshire Council. Its Data Protection Policy contains a section on managing data breaches (at page 13). This contains a brief explanation of what staff should do in the event that they become aware of a data breach, and it also links to the full policy.
The GDPR imposes strict rules on the transferring of personal data to countries outside of the EU. Transferring personal data to a "third country" without adequate safeguards in place could be considered a data breach, so it's important that staff within your organization understand the importance of these rules.
Here's an excerpt from the relevant section of Capture's Data Protection Policy:
After listing the various safeguards that can be put in place to facilitate a safe international data transfer, Capture then lists the factors that must be considered if it's necessary to make an international transfer without using these safeguards:
All companies that regularly process personal data should keep some records of this. For companies of over 250 employees, records of data processing should be quite detailed and extensive.
You can use your Data Protection Policy to set out what types of information must be recorded. You may also require your staff to keep data processing records using a prescribed system and format.
Here's an example from seAp (at page 7):
Note how the clause starts out by stating that record keeping is a GDPR requirement. It then lists out what the records must include.
Your organization may need to store files which contain personal data, e.g. customer databases, mailing lists, etc. This is different from the records of data processing activity described above.
Because of the GDPR's strict data protection requirements, you must ensure that any personal data in your organization's possession is kept secure. This means only collecting personal data that you actually need, and employing technical measures such as anonymization, pseudonymization and encryption.
The University of West London's Data Protection Policy includes specific rules about transporting personal data rather than transferring it to another person (at page 14):
Other Data Protection Policies contain more general information on data security, such as this one from OAC:
The GDPR only allows for personal data to be shared under an appropriate legal basis. It will be for your organization to determine its legal basis for sharing personal data in each case. Your Data Protection Policy can be used to explain the implications of this to your staff.
Here's an example from Brighton Oasis Project, which sets out some of the practical restrictions on sharing personal data (at page 12):
Under the GDPR, it's essential that you are transparent about how long you will be retaining personal data, and that you do not store personal data for longer than you need it.
This is another area where some companies operate a separate Data Retention Policy. This is fine, but if you choose to create a separate policy make sure that you make reference to it in your main Data Protection Policy.
Here's how MCA Cooper Associates does this:
It might not be reasonable to expect your staff to comply with strict data protection standards simply because they have read your organization's Data Protection Policy.
If you provide any staff training around data protection, and you should definitely consider doing so, you can make reference to this in a section of your policy. This will also reinforce how important it is that staff engage with this training.
Here's how Canterbury Christ Church University does this:
Creating a Data Protection Policy will be the end product of a complete review of your organization's data and privacy practices.
It's your chance to demonstrate to your staff, your Data Protection Authority, and your customers that you've done everything that's required to meet your obligations. And it makes sure that everyone in your organization knows that they must treat personal data with respect.
You can include the following sections in your Data Protection Policy:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.