A GDPR Data Policy, sometimes referred to as a Data Protection Policy, is a policy created for internal use at an organization that outlines how the company and its employees are to handle personal data. A GDPR Data Policy will cover topics found in a public-facing Privacy Policy, such as what personal data is collected, how it is to be used, what rights data subjects have, and how the data is to be kept secured, but the scope will be to inform employees and staff about what their role is in each context.

Remember: A Data Policy is usually for internal usage, while a Privacy Policy is more for informing the public and external usage.