Data protection policy or policies | Template and guidance

Published 2019-03-07

A data protection policy demonstrates that a controller processes personal data in accordance with data protection law (such as the GDPR), states the governing body’s commitment to deliver products or services in compliance with data protection laws, and records its accountability to data subjects. Some organisations implement multiple data protection policies that collectively achieve this objective. These policies come in various forms and go by various names: a data privacy policy, a personal data policy, a protection of personal information policy or a POPI policy. Whatever you call it, it is always important to decide why you want one, what the policy is actually going to deal with and who the intended audience is. If you already have one of these policies, don’t rely on the name to tell you what it is: read it to determine what it actually covers.

Some people confuse a data protection policy with a data protection standard or a code of conduct, but these are different things. To be clear, a data protection policy is not:

  • a Human Resources Data Protection Policy (aka an internal employee privacy policy) that deals with how an organisation processes the personal information of its employees,
  • an external customer privacy policy,
  • a general corporate or legal compliance policy, which sometimes covers what is in a data protection policy but in a general way,
  • a project charter.

These are all different things. In this article, we’re looking at a data protection policy or data protection policies.

What are data protection policies?

Let us start with what the law says about them.

  • Binding corporate rules are a particular kind of data protection policy (or personal information processing policy) that applies within a group of undertakings when personal data is transferred between countries (see the definition of “binding corporate rules” in the GDPR and in POPIA).
  • Article 24 of the GDPR says that controllers should, where proportionate in relation to their processing activities, implement “appropriate data protection policies … to ensure and be able to demonstrate that processing is performed in accordance with” the GDPR, and that these policies should be reviewed and updated where necessary. In deciding whether it needs data protection policies, each controller must take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
  • Recital 78 of the GDPR says that “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies … which meet in particular the principles of data protection by design and data protection by default.”
  • Section 109(3) of POPIA says that “when determining an appropriate fine, the Regulator must consider … any failure to operate good policies, procedures and practices to protect personal information”.
  • Section 77H says that “The Information Regulator … may make an assessment … of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned.”

So what does this mean for us? Firstly, data protection policies are not compulsory for every controller: controllers only need to put them in place when it is appropriate and necessary (proportionate) to do so. Secondly, having good data protection policies will probably help to reduce the amount of a possible fine. Essentially, data protection policies should help a controller to process personal data in accordance with data protection law.

Not all controllers are obliged to have data protection policies.

A data protection policy should regulate the way in which employees (and possibly processors) process personal data, with the aim of protecting it. A good policy sets out clearly how your organisation deals with a certain issue. In this case, the issue is the protection of personal data, and your data protection policy should make it clear how your organisation will protect personal data so that it complies with data protection law. Data protection law is principle-based rather than rule-based, which gives organisations some flexibility in how they comply with it. The purpose of your data protection policy is to explain how your specific organisation complies with the data protection laws that apply to it.

The policy must dovetail with your organisation’s other policies and policy framework. An Acceptable Use of IT Policy is an example of a data protection policy.

It can be that you have lots of different policies that collectively make up your data protection policy.

We believe that, irrespective of where you are in the world, you should have a data protection policy that applies to all the data protection laws you must comply with, not just one of them (like POPIA). You should only have a POPI Policy if POPIA is the only data protection law you have to comply with.

Who is the target audience?

The target audience should be everyone within the organisation: all employees who process personal data, and in particular decision makers and managers. Relevant interested third parties, such as processors (also known as operators), should be included as appropriate.

Why is a Data Protection Policy important?

It is an important part of complying with data protection law. If a regulator or authority decides to fine you, it must consider whether you failed to operate good policies, procedures and practices to protect personal information. If you want to reduce a possible fine, you therefore need to operate good policies, procedures and practices of that kind.

Some data protection standards require that you have one. Bureau Veritas has released a GDPR & personal data protection technical standard which you can download and read.

The King Code says that the governing body must set the direction (or strategy) for how the organisation should approach and address compliance, and approve policy that gives effect to its direction and identifies the non-binding rules, codes and standards the organisation adopts.

How can we help you?

  • Put a data protection policy (or data protection policies) in place by asking us to draft one for you.
  • Update your organisation’s existing data protection policy (or data protection policies) by asking us to review it and if necessary add to your existing policies. Sometimes this can be easier than trying to draft a new one. We’ll ensure that your existing data protection policy is up-to-date and in line with the latest trends.

What should be in a Data Protection Policy?

A data protection policy often opens with some general policy statements, such as:

  • A statement of the data protection laws that the organisation must comply with, any codes of conduct the organisation has decided to comply with and any specific customer requirements.
  • A statement of what data protection compliance means to the specific organisation.
  • A commitment to deliver products or services in compliance with applicable law and its accountability to customers and data subjects.
  • A commitment to the protection of personal data, including the prevention of personal data breaches.
  • A commitment to comply with its regulatory obligations under data protection law.
  • A commitment to do what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly to its activities.
  • A commitment to implement technical and organisational measures within the organisation to ensure compliance.

The policy should set out the organisational roles, responsibilities and authorities, including who deputises. Some call this the governance structure for compliance.

Many then set out how the organisation applies the data protection principles to its activities.

Many policies then also deal with specific areas, such as:

  • Paper records
  • Record retention, including retaining personal data
  • Email and personal productivity software
  • Remote access
  • Laptops and other mobile storage devices (incl. Mobile Phones, PDAs, USB memory sticks, External Hard Drives, etc.)
  • Using wireless networks
  • Data transfers and encryption
  • Posting of paper documents
  • Appropriate access and audit trail monitoring
  • Disposal of paper and media
  • Incident response

Here are two sample Data Protection Policy templates that you can download and review:

  1. White Fuse Data Protection Policy: GDPR ready template for charities.
  2. Simply-Docs GDPR Data Protection Policy.

Characteristics of a good protection of personal information policy

  • short and to the point
  • in plain and understandable language
  • well structured
  • consistent
  • in accordance with and in line with the latest laws and rules
  • clear on what is permitted and what is not – concise and practical
  • specific, relevant and applicable to the target audience

Interested?

If you are interested, please enquire now. We will contact you to find out more about your requirements and give you a quote.