fbpx

Data Protection Policies and Procedures

One of the vital elements of GDPR compliance is having proper policies and procedures in place. But have you ever asked yourself what these policies and procedures should contain?

Why does an organisation need Data protection policies and procedures in place? First of all, there is a legal obligation to do so. Second of all, since every company incorporates measures regarding the protection of the personal data of its clients/customs, it is a matter of good reputation. Unfortunately the alternative means more than just reputational damages. It could result in hefty fines of up to 4% of the annual company’s turnover, or up to €20 million.

The Contents of the Data Protection Policy and Procedure

Each company’s data protection policy and procedure should be created to suit its specific business. For example, if the organisation doesn’t collect customer personal data, there is no point in having all the relevant sections into the data policy and procedure. In this case, it will be only relevant to have the sections explaining how the organisation processes and stores the employee’s personal data.

For this reason the only thing in common between the data protection policies and procedures of each companies is the data protection principles of the GDPR, that should be implemented into the policies and procedures.

Data held by a company must:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic area, unless that country has equivalent levels of protection for personal data.

It is vital that the policy addresses each of these points, and explains how the organisation will guarantee each is respected. Among these are chapters/titles regarding how the company will ensure the data is lawfully obtained, how it’s kept up-to-date if any changes are made, how the company plans on keeping the data safe from unauthorised access, how the data will be removed when it’s no longer needed and how it will guarantee the data is removed from all systems.

The GDPR also adds a new principle in – the principle of accountability. According to it the organisation should highlight whose responsibility it is to enforce the data protection policies upon the organisation. The policy and procedure should further outline how the organisation’s staff complies with these policies, and any procedures the business has in place if staff fails to do so.

Article 24 of the GDPR states that data controllers must implement “appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation”. These measures “shall include the implementation of appropriate data protection policies by the controller”.

Policies are high-level internal documents that set principles, rather than details of how, what and when things should be done – which are covered by procedures.

Policies must:

  • Be capable of implementation and enforceable;
  • Be concise and easy to understand; and
  • Balance protection with productivity.

Further, the policy must cover why the policy is needed, the contacts and responsibilities of the responsible professionals, the objectives and special topic covering how it handle the violations.


We know that creating your own data protection policy could be tricky. Luckily, there are well-educated and experience experts ready to help you. Contact us for more information!

Disclaimer: The content of this article is intended to provide a general guide to the subject matter, it is not legal advice and should not be treated as one. Specialist advice should be sought about your specific circumstances.

1,920 thoughts on “Data Protection Policies and Procedures

  1. Rivka Asper says:

    An fascinating discussion is value comment. I think that it’s best to write more on this topic, it won’t be a taboo topic but usually persons are not sufficient to speak on such topics. To the next. Cheers

  2. bull market 1920s says:

    Thank you, I have just been searching for info about this subject for ages and yours is the best I have discovered so far. But, what about the bottom line? Are you sure about the source?

  3. cholesterol says:

    naturally like your web site however you need to take a look at the spelling on several of your posts. A number of them are rife with spelling issues and I to find it very bothersome to inform the truth then again I¦ll surely come back again.

  4. other says:

    I’ve been exploring for a little bit for any high-quality articles or blog posts on this kind of area . Exploring in Yahoo I at last stumbled upon this site. Reading this info So i’m happy to convey that I have a very good uncanny feeling I discovered just what I needed. I most certainly will make certain to don’t forget this website and give it a look on a constant basis.

  5. custom insurance says:

    Hello there, just became alert to your blog through Google, and found that it is really informative. I am going to watch out for brussels. I will appreciate if you continue this in future. Lots of people will be benefited from your writing. Cheers!

  6. serrurier à vevey says:

    I will immediately take hold of your rss feed as I can’t find your e-mail subscription hyperlink or newsletter service. Do you have any? Kindly allow me recognize in order that I could subscribe. Thanks.

  7. serrurier à vevey says:

    Write more, thats all I have to say. Literally, it seems as though you relied on the video to make your point. You clearly know what youre talking about, why throw away your intelligence on just posting videos to your site when you could be giving us something informative to read?

  8. Reginald Schimming says:

    What i don’t realize is actually how you’re not actually much more well-liked than you may be now. You are very intelligent. You realize therefore considerably relating to this subject, made me personally consider it from a lot of varied angles. Its like women and men aren’t fascinated unless it’s one thing to do with Lady gaga! Your own stuffs outstanding. Always maintain it up!

  9. Jerry Wittrup says:

    Great paintings! This is the kind of info that are supposed to be shared around the web. Disgrace on the seek engines for no longer positioning this put up upper! Come on over and consult with my site . Thank you =)