GDPR Data Protection Policy

GDPR Data Protection Policy

In the first eight months of the EU General Data Protection Regulation (GDPR), 59,000 data breaches were reported. Initially, this sounds somewhat worrying. Are data protection standards falling short? Are there some serious flaws in the data security infrastructure? Have cybercriminals suddenly got a lot more sophisticated?

These concerns may be well-founded. But there could be another reason for this large number of breach reports.

Organizations have used the GDPR as an opportunity to look carefully at their data protection practices. They've put policies and systems in place that have helped them identify and respond to threats. They've become more aware, and more accountable. More breaches are actually being noticed and thus reported.

A crucial step in making this change in your organization is to have a Data Protection Policy. This policy sets out the expectations on your staff and details the methods you employ to process personal data securely.


What is a Data Protection Policy?

A Data Protection Policy sets out your organization's approach to complying with your obligations under data protection law. It explains things like:

  • Your organization's privacy and data processing principles
  • The expectations and rules around how your staff must treat personal data
  • Procedures for reporting data breaches and other concerns

A Data Protection Policy is a way for you to ensure that everyone working for your organization is on the same page when it comes to complying with laws such as the GDPR. Once the policy is written, you can ask your organization's staff and contractors to read it carefully and agree to abide by it.

Producing a Data Protection Policy is also an essential way to demonstrate to your Data Protection Authority that your organization is doing everything necessary to keep personal data safe.

Data Protection Policy vs Privacy Policy

Data Protection Policy vs Privacy Policy

Your Data Protection Policy will be used for internal purposes. It is mainly written for people who work for your organization. This distinguishes a Data Protection Policy from a Privacy Policy, which is written for the public.

It's worth noting that some companies do refer to their Privacy Policy as a "Data Protection Policy." For example, here's the introduction to EBV Elektronik's Data Protection Policy:

EBV Elektronik Data Protection Policy: Introduction clause

This policy is addressed to EBV Elektronik's customers referred to as "data subjects" or the individuals whose personal data is being processed.

Contrast this with the introduction to Pulso's Data Protection Policy:

Pulso Personal Data Protection Policy: Purpose, Scope and Users clause with users section highlighted

This is the more common use of the term "Data Protection Policy," and it's the type of document we'll looking at in this article.

Although this is an internally-facing document, there is no reason you can't make your Data Protection Policy available to the public. We're going to be looking at some examples of Data Protection Policies from companies who have done just that. Making your policies public can reassure your customers that your organization takes its responsibilities seriously.

Does Your Organization Need a Data Protection Policy?

The need for a Data Protection Policy can be interpreted from Article 24 of the GDPR:

EUR-Lex GDPR Article 24: Responsibility of the Controller

This part of the GDPR requires that "data controllers" (anyone who decides how and why personal data is processed) take the necessary measures to demonstrate compliance with the GDPR. Where "proportionate," they should also produce a policy in relation to these measures.

When considering whether this would be a proportionate measure for your organization, consider:

  • The amount of personal data you process - does collecting personal data form part of your organization's "core activities?"
  • The type of personal data you process - do you sometimes collect personal data of a sensitive nature?
  • The ways in which you process personal data - is there a significant risk that you might suffer a data breach?

If you answer "yes" to any of these questions, then it's important that you have a Data Protection Policy in place.

However, even if you answer "no" to the questions above, it's worth considering adopting such a policy. It's essential that your organization can demonstrate that it has thought carefully about how it processes and protects personal data.

A Data Protection Policy is the best way to present this information. It also means you are less likely to experience any data protection related problems. Staff within your organization will have a clear notion of the GDPR's importance for their day-to-day activities. So, if you do suffer any security issues, you'll be better placed to contain them.

Having a Data Protection Policy in place will mean that you are able to show your Data Protection Authority that you have been proactive in trying to meet your obligations under the law. This is one of the factors that can be taken into account when determining whether a organization should receive a penalty following a data breach.

What if Your Organization is Based Outside of the EU?

The GDPR applies to your organization so long as it does one of the following two things in respect to people in the EU:

  • Offers them goods and services (whether pursuing a profit or not), or
  • Monitors their behavior (this includes using personalized ads involving targeting cookies).

This is irrespective of whether you have any base in the EU. This applies even if none of your staff have set foot in an EU country. If you meet the conditions above, you still need to abide by the GDPR, like any European organization would, whenever you're processing the personal data of people in the EU.

What to Include in Your Data Protection Policy

What to Include in Your Data Protection Policy

The contents of your Data Protection Policy will vary depending on the size, industry and activities of your organization. Let's look at some of the sections that frequently show up in a Data Protection Policy.

Introduction

A brief introduction should give the name of your organization and explain the purpose of your Data Protection Policy.

Here's an example from Adviza, which calls its introduction its "purpose" section:

Adviza Data Protection Policy: Purpose clause

Adviza does a good job of explaining the legal, ethical and practical reasons that it has introduced a Data Protection Policy, including to comply with laws, protect data subject rights, protect themselves from the risks of a data breach, follow good practices and be open and transparent.

Definitions

The GDPR encourages documentation to be written in simple language. This is particularly true in the case of your Privacy Policy. Although your Data Protection Policy is written for your staff rather than your customers, it still makes sense to ensure that everyone who reads it can understand it.

Terms like "personal data," "data controller" and "data subject" are not easily understood to those with no experience with data protection law. If you're going to use terms like this (and to some extent this is unavoidable), you should include a section in your Data Protection Policy which defines them.

Here's an excerpt from the "definitions" section of the National Portrait Gallery's Data Protection Policy:

National Portrait Gallery Data Protection Policy: Definitions clause excerpt

Scope

Setting out the scope of your Data Protection Policy makes it clear what activities the policy applies to and who is expected to read the document and comply with it.

Here's an example from the University of Nottingham:

University of Nottingham Data Protection Policy: Scope clause

The clause states that the policy applies to all personal data processed regardless of where the data is stored and regardless of who the data subject is. It notes who is responsible for ensuring compliance and who is responsible for overseeing the policy. It also includes contact information for the Data Protection Officer.

Principles

The GDPR provides a set of principles by which all processing of personal data must take place. Your organization should try to embed these principles within the culture of your data processing activity.

Sometimes a Data Protection Policy will first list the GDPR's principles and then set out how these apply to the organization.

Here's an example from the Local Government Association. First, it lists the principles of the GDPR (or rather, its UK variant the Data Protection Act 2018), with little deviation from the original text:

LGA Data Protection Policy: Summary of Principles clause excerpt

Then, the policy relates this to the overall principles of the organization, disclosing what LGA will do to uphold the principles:

LGA Data Protection Policy: Summary of Principles clause excerpt

Accountability and Responsibility

You should ensure you give details of the "chain of command" when it comes to enforcing your Data Protection Policy within your organization. For smaller organizations, you may be able to cover this in your "scope" section.

Sometimes a Data Protection Policy will set out who is accountable for oversight of data processing within an organization.

Here's how Ajenta does this:

Ajenta Data Protection Policy: Our Commitment - Accountability clause

And here's an excerpt from the relevant section of Just IT's Data Protection Policy, which presents a somewhat more complex hierarchy of responsibility:

Just IT Data Protection Policy: Lines of Responsibility clause excerpt

Data Subject Rights

The GDPR provides "data subjects" (individuals) with 8 user rights that allow them to access and exert control over their personal data. If you're storing an individual's personal data, you're required to help that individual exercise their data subject rights.

A Data Protection Policy is a good way to explain to your staff what they should do in the event that an individual makes a request regarding their personal data.

For example, here's how the University of Edinburgh suggests staff respond if they received a subject access request:

University of Edinburgh Records Management: Guidance for all Staff on Handling Subject Access Requests - What to do to respond and Concerns clauses

This gives a lot of leeway to staff as they can decide on their own if they respond to a request for information.

Other organizations take a different approach. Here's the relevant section of Uppingham College's Data Protection Policy (see page 8):

Uppingham College Data Protection Policy: Subject access requests and other rights of individuals clause excerpt

Note how this organization maintains far more control over the process by having one party (the DPO) deal with addressing subject access requests.

Whatever your own process is, disclose it and make sure your users know how to exercise their rights.

Breach Reporting Procedure

It's crucial that your organization has a process in place for reporting and containing data breaches as soon as they are detected.

Many organizations have a separate Data Breach Notification Policy. If this applies to you, make sure you incorporate this into your main Data Protection Policy.

Here's how the Scottish Funding Council does this. A link to the "Data Breach Procedure" is provided in the "Staff Responsibilities" section (on page 6):

Scottish Funding Council Data Protection Policy: Staff responsibilities and data security clause with data breach procedures

Here's another approach by North Ayrshire Council. Its Data Protection Policy contains a section on managing data breaches (at page 13). This contains a brief explanation of what staff should do in the event that they become aware of a data breach, and it also links to the full policy.

North Ayrshire Council Data Protection Policy: Management of Data Incidents and Breaches clause

International Data Transfers

The GDPR imposes strict rules on the transferring of personal data to countries outside of the EU. Transferring personal data to "third country" without adequate safeguards in place could be considered a data breach, so it's important that staff within your organization understand the importance of these rules.

Here's an excerpt from the relevant section of Capture's Data Protection Policy:

Capture Data Protection Policy: Data Transfers clause excerpt

After listing the various safeguards that can be put in place to facilitate a safe international data transfer, Capture then lists the factors that must be considered if it's necessary to make an international transfer without using these safeguards:

Capture Data Protection Policy: Data Transfers Exceptions clause

Data Processing Records

All companies that regularly process personal data should keep some records of this. For companies of over 250 employees, records of data processing should be quite detailed and extensive.

You can use your Data Protection Policy to set out what types of information must be recorded. You may also require your staff to keep data processing records using a prescribed system and format.

Here's an example from seAp (at page 7):

seAp Data Protection Policy: Record Keeping clause excerpt

Note how the clause starts out by stating that record keeping is a GDPR requirement. It then lists out what the records must include.

Data Security

Your organization may need to store files which contain personal data, e.g. customer databases, mailing lists, etc. This is different from the records of data processing activity described above.

Because of the GDPR's strict data protection requirements, you must ensure that any personal data in your organization's possession is kept secure. This means only collecting personal data that you actually need, and employing technical measures such as anonymization, pseudonymization and encryption.

The University of West London's Data Protection Policy includes specific rules about transporting personal data rather than transferring it to another person (at page 14):

University of West London Data Protection Policy: Security - Transport of personal data clause

Other Data Protection Policies contain more general information on data security, such as this one from OAC:

OAC Data Protection Policy: Data Security clause

Sharing of Personal Data

The GDPR only allows for personal data to be shared under an appropriate legal basis. It will be for your organization to determine its legal basis for sharing personal data in each case. Your Data Protection Policy can be used to explain the implications of this to your staff.

Here's an example from Brighton Oasis Project, which sets out some of the practical restrictions on sharing personal data (at page 12):

Brighton Oasis Project Data Protection and Information Sharing Policy: Information Sharing Security clause

Data Retention

Under the GDPR, it's essential that you are transparent about how long you will be retaining personal data, and that you do not store personal data for longer than you need it.

This is another area where some companies operate a separate Data Retention Policy. This is fine, but if you choose to create a separate policy make sure that you make reference to it in your main Data Protection Policy.

Here's how MCA Cooper Associates does this:

MCA Cooper Associates Data Protection Policy: Data Retention clause

Training

It might not be reasonable to expect your staff to comply with strict data protection standards simply because they have read your organization's Data Protection Policy.

If you provide any staff training around data protection, and you should definitely consider doing so, you can make reference to this in a section of your policy. This will also reinforce how important it is that staff engage with this training.

Here's how Canterbury Christ Church University does this:

Canterbury Christ Church University Data Protection Policy: Data Protection Training clause

Summary

Creating a Data Protection Policy will be the end product of a complete review of your organization's data and privacy practices.

It's your chance to demonstrate to your staff, your Data Protection Authority, and your customers that you've done everything that's required to meet your obligations. And it makes sure that everyone in your organization knows that they must treat personal data with respect.

You can include the following sections in your Data Protection Policy:

  • An introduction that sets out the reasons for the policy
  • Definitions of important terms
  • The scope of the policy and the people to whom it applies
  • Your organization's data protection principles
  • Details of who is responsible for enforcing the policy
  • A process for facilitating data subject rights requests
  • A breach notification process, or reference to a separate policy
  • Rules around international data transfers
  • A protocol on keeping data processing records
  • Details of your organization's data security standards
  • Rules around the sharing of personal data
  • Information about how long personal data will be retained within your organization
  • Details of any staff training on data protection you provide
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.