Some people confuse a data protection policy with a data protection standard or a code of conduct, but these are different things. Just to be clear, a data protection policy is not:
- a general corporate or legal compliance policy, which sometimes covers what is in a data protection policy but in a general way,
- a project charter.
These are all different things. In this article, we’re looking at a data protection policy or data protection policies.
What are data protection policies?
Let us start with what the law says about them.
- Binding corporate rules are particular kinds of data protection policies (or personal information processing policies) that apply within a group of undertakings when personal data is transferred between countries (see definition of “binding corporate rules” in the GDPR and POPIA).
- Article 24 of the GDPR says that some controllers should implement “appropriate data protection policies … to ensure and be able to demonstrate that processing is performed in accordance with” the GDPR. They should be reviewed and updated where necessary. These data protection policies are only necessary where they are proportionate in relation to the controller’s processing activities. In deciding whether they need data protection policies, each controller must take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
- Recital 78 of the GDPR says that “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies … which meet in particular the principles of data protection by design and data protection by default.”
- Section 109(3) of POPIA says that “when determining an appropriate fine, the Regulator must consider … any failure to operate good policies, procedures and practices to protect personal information”.
- Section 77H says that “The Information Regulator … may make an assessment … of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned.”
So what does this mean for us? Well, firstly, data protection policies are not compulsory – controllers only need to put them in place when appropriate and necessary. But having good data protection policies will probably help you reduce the amount of a possible fine. Essentially, data protection policies should help a controller to process personal data in accordance with data protection law.
Not all controllers are obliged to have data protection policies.
A data protection policy should regulate the way in which employees (and maybe processors) process personal data with the aim of protecting it. A good policy sets out clearly how your organisation deals with a certain issue. In this case, the issue is the protection of personal data, and your data protection policy should make it clear how your organisation will protect personal data so that it complies with data protection law. Data protection law is principle-based rather than rule-based. This gives organisations some flexibility in how they comply with it. The purpose of your data protection policy is to explain how your specific organisation complies with data protection laws.
It can be that you have lots of different policies that collectively make up your data protection policy.
We believe that irrespective of where you are in the world, you should have a data protection policy that applies to all the data protection laws you must comply with and not just one of them (like POPIA). You should only have a POPI Policy if you only have to comply with POPI.
Who is the target audience?
The target audience should be everyone within the organisation, especially all employees who process personal data, and in particular decision makers or managers. It should also extend to relevant interested third parties, as appropriate, for example processors (aka operators).
Why is a Data Protection Policy important?
It is an important part of complying with data protection law. If a regulator or authority decides to fine you, it must consider whether you failed to operate good protection of personal information policies, procedures and practices. If you want to reduce a possible fine you might get, you need to operate good protection of personal information policies, procedures and practices.
The King Code says that the governing body must set the direction (or strategy) for how the organisation should approach and address compliance, and approve policy that gives effect to its direction and identifies the non-binding rules, codes and standards the organisation adopts.
How can we help you?
- Put a data protection policy (or data protection policies) in place by asking us to draft one for you.
- Update your organisation’s existing data protection policy (or data protection policies) by asking us to review it and if necessary add to your existing policies. Sometimes this can be easier than trying to draft a new one. We’ll ensure that your existing data protection policy is up-to-date and in line with the latest trends.
What should be in a Data Protection Policy?
They often have some general policy statements.
- A statement of the data protection laws that the organisation must comply with, any codes of conduct the organisation has decided to comply with and any specific customer requirements.
- A statement of what data protection compliance means to the specific organisation.
- A commitment to deliver products or services in compliance with applicable law and its accountability to customers and data subjects.
- A commitment to the protection of personal data, including the prevention of personal data breaches.
- A commitment to comply with its regulatory obligations under data protection law.
- A commitment to do what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly to its activities.
- A commitment to implement technical and organisational measures within the organisation to ensure compliance.
The policy should set out the organisational roles, responsibilities and authorities, including who deputises. Some call this the governance structure for compliance.
Many then set out how the organisation applies the data protection principles to its activities.
They then also often deal with some specific areas, like:
- Paper records
- Record retention, including retaining personal data
- Email and personal productivity software
- Remote access
- Laptops and other mobile storage devices (including mobile phones, PDAs, USB memory sticks and external hard drives)
- Using wireless networks
- Data transfers and encryption
- Posting of paper documents
- Appropriate access and audit trail monitoring
- Disposal of paper and media
- Incident response
Here are two sample Data Protection Policy templates that you can download and review:
- White Fuse Data Protection Policy: GDPR ready template for charities.
- Simply-Docs GDPR Data Protection Policy.
Characteristics of a good protection of personal information policy
- short and to the point
- in plain and understandable language
- well structured
- in accordance with and in line with the latest laws and rules
- clear on what is permitted and what is not – concise and practical
- specific, relevant and applicable to the target audience
If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.