fbpx

Data Protection Policies and Procedures

One of the vital elements of GDPR compliance is having proper policies and procedures in place. But have you ever asked yourself what these policies and procedures should contain?

Why does an organisation need Data protection policies and procedures in place? First of all, there is a legal obligation to do so. Second of all, since every company incorporates measures regarding the protection of the personal data of its clients/customs, it is a matter of good reputation. Unfortunately the alternative means more than just reputational damages. It could result in hefty fines of up to 4% of the annual company’s turnover, or up to €20 million.

The Contents of the Data Protection Policy and Procedure

Each company’s data protection policy and procedure should be created to suit its specific business. For example, if the organisation doesn’t collect customer personal data, there is no point in having all the relevant sections into the data policy and procedure. In this case, it will be only relevant to have the sections explaining how the organisation processes and stores the employee’s personal data.

For this reason the only thing in common between the data protection policies and procedures of each companies is the data protection principles of the GDPR, that should be implemented into the policies and procedures.

Data held by a company must:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic area, unless that country has equivalent levels of protection for personal data.

It is vital that the policy addresses each of these points, and explains how the organisation will guarantee each is respected. Among these are chapters/titles regarding how the company will ensure the data is lawfully obtained, how it’s kept up-to-date if any changes are made, how the company plans on keeping the data safe from unauthorised access, how the data will be removed when it’s no longer needed and how it will guarantee the data is removed from all systems.

The GDPR also adds a new principle in – the principle of accountability. According to it the organisation should highlight whose responsibility it is to enforce the data protection policies upon the organisation. The policy and procedure should further outline how the organisation’s staff complies with these policies, and any procedures the business has in place if staff fails to do so.

Article 24 of the GDPR states that data controllers must implement “appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation”. These measures “shall include the implementation of appropriate data protection policies by the controller”.

Policies are high-level internal documents that set principles, rather than details of how, what and when things should be done – which are covered by procedures.

Policies must:

  • Be capable of implementation and enforceable;
  • Be concise and easy to understand; and
  • Balance protection with productivity.

Further, the policy must cover why the policy is needed, the contacts and responsibilities of the responsible professionals, the objectives and special topic covering how it handle the violations.


We know that creating your own data protection policy could be tricky. Luckily, there are well-educated and experience experts ready to help you. Contact us for more information!

Disclaimer: The content of this article is intended to provide a general guide to the subject matter, it is not legal advice and should not be treated as one. Specialist advice should be sought about your specific circumstances.

Leave a Reply

Your email address will not be published.