Data protection policy or policies | Template and guidance

///Data protection policy or policies | Template and guidance
Data protection policy or policies | Template and guidance 2018-11-23T14:45:45+00:00

A data protection policy ensures and demonstrates that a controller processes personal data in accordance with data protection law (like the GDPR). Often organisations implement multiple data protection policies that collectively achieve this objective. They come in various different forms. Some people call it a data privacy policy, a protection of personal information policy or a POPI policy. Whatever you call it, it is always important to decide why you want one, what the policy is actually going to deal with and who the intended audience is. If you’ve already got one of these policies, don’t just rely on the name to tell you what it is – read it to determine what it actually covers.

Some people confuse a data protection policy with a standard, but this is something different. A data protection standard and a code of conduct are different things. Just to be clear this is not an internal employee privacy policy that deals with how an organisation processes the personal information of its employees or an external customer privacy policy. This is also not a corporate or legal compliance policy. These are all different things. In this article, we’re looking at a data protection policy or data protection policies.

What are data protection policies?

Let us start with how the law says about them.

  • Binding corporate rules are particular kinds of data protection policies (or personal information processing policies) that apply within a group of undertakings when personal data is transferred between countries (see definition of “binding corporate rules” in the GDPR and POPIA).
  • Article 24 of the GDPR says that some controllers should implement “appropriate data protection policies … to ensure and be able to demonstrate that processing is performed in accordance with” the GDPR. They should be reviewed and updated where necessary. These data protection policies are only necessary where they are required (proportionate) in relation to their processing activities. In deciding whether they need data protection policies, each controller must take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
  • Recital 78 of the GDPR says that “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies …  which meet in particular the principles of data protection by design and data protection by default.
  • Section 109(3) of POPIA says that “when determining an appropriate fine, the Regulator must consider … any failure to operate good policies, procedures and practices to protect personal information“.
  • Section 77H says that “The Information Regulator … may make an assessment … of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned.

So what does this mean for us? Well firstly, data protection policies are not compulsory – controllers only need to put them in place when appropriate and necessary. But having good data protection policies will probably help you reduce the amount of a possible fine. Essentially, data protection policies should help a controller to process personal data in accordance with data protection law.

Not all controllers are obliged to have data protection policies.

A data protection policy should regulate the way in which employees (and maybe processors) process personal data with the aim of protecting it. A good policy sets out clearly how your organisation deals with a certain issue. In this case, the issue is the protection of personal data and your data protection policy should make it clear how your organisation will protect personal data so that it complies with data protection law. Data protection law is principle-based rather than rule-based. This provides organisations with flexibility in how they apply them. The purpose of your data protection policy is to explain how you comply with the principles.

The policy must dovetail with your organisation’s other policies and policy framework. An Acceptable Use of IT Policy is an example of a data protection policy. The target audience should be all employees who process personal data, but especially managers. And maybe processors (aka operators).

It can be that you have lots of different policies that collectively make up your data protection policy.

We believe that if you need a data protection policy and irrespective of where you are in the world, you should have a data protection policy that applies to all the data protection laws you must comply with and not just one of them (like POPIA). You should only have a POPI Policy if you only have to comply with POPI.

Why is a Data Protection Policy important?

It is an important part of complying with data protection law. If a regulator or authority decides to fine you, it must consider whether you failed to operate good protection of personal information policies, procedures and practices. If you want to reduce a possible fine you might get, you need to operate good protection of personal information policies, procedures and practices.

How can we help you?

  • Put a data protection policy (or data protection policies) in place by asking us to draft one for you.
  • Update your organisation’s existing data protection policy (or data protection policies) by asking us to review it and if necessary add to your existing policies. Sometimes this can be easier than trying to draft a new one. We’ll ensure that your existing data protection policy is up-to-date and in line with the latest trends.

What should be in a Data Protection Policy?

They often have some general policy statements and then deal with some specific areas, like:

  • Paper records
  • Record retention, including retaining personal data
  • Email and personal productivity software
  • Remote access
  • Laptops and other mobile storage devices (incl. Mobile Phones, PDAs, USB memory sticks, External Hard Drives, etc.)
  • Using wireless networks
  • Data transfers and encryption
  • Posting of paper documents
  • Appropriate access and audit trail monitoring
  • Disposal of paper and media
  • Incident response

Here are two sample Data Protection Policy templates that you can download and review:

  1. White Fuse Data Protection Policy: GDPR ready template for charities.
  2. Simply-Docs GDPR Data Protection Policy.

Characteristics of a good protection of personal information policy

  • short and to the point
  • in plain and understandable language
  • well structured
  • consistent
  • in accordance with and in line with the latest laws and rules
  • clear on what is permitted and what is not – concise and practical
  • specific, relevant and applicable to the target audience


If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.