The EU General Data Protection Regulation (GDPR) came into force in May of 2018, and it most likely had a significant impact on your business. Consumers are increasingly aware of their data protection and privacy rights, and the GDPR requires that you operate with total transparency, by offering all relevant information up-front to your users.
But while it's important to consider the public-facing aspects of your business, you also need to consider your internal processes.
In order to avoid the potential penalties and fines that Data Protection Authorities can impose, you need to make sure you have both clear and accessible public information, and also a robust set of internal policies.
- 1. What is the Purpose of a GDPR Data Protection Policy?
- 2. Does Your Company Need a GDPR Data Protection Policy?
- 2.1. Does a Non-EU Company Still Need a GDPR Data Protection Policy?
- 3. How Might a GDPR Data Protection Policy Be Helpful?
- 4. Sections of a GDPR Data Protection Policy
- 4.1. Purpose
- 4.2. Glossary
- 4.3. Other Relevant Policies
- 4.4. Scope
- 4.5. Values
- 4.6. Chain of Responsibility
- 4.7. User Rights Requests
- 4.8. Data Storage
- 4.9. Data Breach Notification
- 4.10. Data Sharing
- 4.11. Staff Training
- 5. Summary
What is the Purpose of a GDPR Data Protection Policy?
A GDPR Data Protection Policy sets out your company's internal data protection rules and procedures. It is distinct from the public-facing documents, such as your Privacy Policy, that you publish for your users.
Those public-facing documents are created for the public. They can be written in your company's voice, and produced according to its branding guidelines. But they are only a small part of your company's GDPR compliance. Just as important, if not more important, is getting everyone within your company on the same page when it comes to data protection.
Does Your Company Need a GDPR Data Protection Policy?
Most likely, yes. The requirement for a GDPR Data Protection Policy arises out of Article 24 of the GDPR:
"The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."
"Where proportionate in relation to processing activities, [this] shall include the implementation of appropriate data protection policies by the controller."
Translation: if your company decides how and why personal data is processed, you must take practical steps to make sure you're complying with the GDPR. You must be able to demonstrate that you've taken these steps. Where proportionate, this should include creating a GDPR Data Protection Policy.
It's up to you to determine whether it would be 'proportionate' to create a GDPR Data Protection Policy. If you collect, store or otherwise use personal data regularly, it is probably going to be worth doing so.
Remember that "personal data" includes any information that can be feasibly linked to an "identifiable person," including names, email addresses, and even IP addresses.
Does a Non-EU Company Still Need a GDPR Data Protection Policy?
The GDPR applies to any non-EU company as much as it applies to an EU company, so long as the company:
- Offers goods and/or services to people in the EU, or
- Monitors the behavior of people in the EU (including via targeted ad campaigns).
If your company does either of these two things, there is no way to avoid complying with the GDPR whenever you're processing the personal data of people in the EU. So this might apply if, for example:
- You've developed an app that uses personalized ads, and you want that app to be available to EU users;
- You're exporting products to the EU;
- You provide online services and take payments in euros.
How Might a GDPR Data Protection Policy Be Helpful?
Having a GDPR Data Protection Policy in place might help you to avoid the following sorts of scenarios:
| Scenario | How a GDPR Data Protection Policy could help |
|---|---|
| Your marketing team puts out a tweet inviting people to send in their names and email addresses as part of a contest. They save the contestants' data in a spreadsheet. The spreadsheet is getting passed around by email, and is accidentally emailed to a client. | This would not only qualify as a data breach, but would also be a huge embarrassment. It could have been avoided by having a clear policy for storing customer data in a secure drive with limited access. If your employees are aware that such a policy exists, they have little excuse for not following it. |
| You've set up a central email address for receiving subject access requests (requests from customers to access their personal data). A customer makes a request with an employee via their personal email address. The employee ignores the request as it has not been made via the "proper" channel. | It's a great idea to set up a central email address for receiving subject access requests. However, you still need to respond to requests made via other routes. Failing to do this within 30 days would be an infringement of the GDPR. A Data Protection Policy could help ensure that everyone knows this. |
| You've made sure that everyone's work devices are locked down with passwords. All personal data is properly encrypted. Unfortunately, someone prints out a list of customer contact details and leaves it on a train. | Again, this would qualify as a data breach. It's very important to implement technical measures to keep personal data secure. But a Data Protection Policy can help ensure everyone is aware of the many other ways in which personal data could be leaked. |
A GDPR Data Protection Policy will help reduce the likelihood of these sorts of problems. But all of the above scenarios could still occur even with a Data Protection Policy in place. People make mistakes. Eventually, it is highly likely that someone in your company will make a mistake not dissimilar to one of those imagined above.
Explaining a mistake like a data breach to a GDPR Data Protection Authority, a client, or a customer can go one of two ways:
- Your company has no Data Protection Policy, and there's no clear guidance for what to do when a data protection issue comes up. Some people have heard of the GDPR, but they have no idea how it applies to them. Therefore, someone has (perhaps understandably) unintentionally violated the law.
- You explain that your company has a robust set of policies and procedures around data protection that comply with the GDPR and all other relevant data protection laws. Staff are required to agree to these policies, and refer to them whenever they have a data protection issue. On this occasion, someone failed to follow your policies.
The latter option is obviously preferable. And it doesn't take a huge amount of work to get to this point.
Sections of a GDPR Data Protection Policy
So long as your GDPR Data Protection Policy is GDPR-compliant, its contents are up to you. The GDPR makes no real specifications about what it must include, and these policies vary greatly between companies.
Although there's no "right" or "wrong" way to create a Data Protection Policy, there are certain things you'll definitely want to include. Let's take a look at some real examples of Data Protection Policies and their important sections.
Purpose
What is the point of your Data Protection Policy? The first section of your policy should set out why it exists, and what you are hoping to achieve by creating it.
Here's how Ravensbourne University sets out the purpose of its Data Protection Policy, as part of a more general introduction:
Ravensbourne University explains the need for a new Data Protection Policy (upcoming changes to the law), and then goes on to set out the main purpose of the policy.
This section should serve as a broad introduction to the policy.
Glossary
All data protection-related documents you produce should be written in clear and accessible language.
Set out the definitions of key terms at the beginning of your Data Protection Policy. Typically, words that are assigned a limited and specific meaning in such policies are capitalized.
You may wish to define:
- Common terms as they are used in the context of your Data Protection Policy (e.g. "Employee," "Company," "Premises").
- Legal terms as they are defined by the GDPR or other relevant privacy laws (e.g. "Personal Data," "Processing," "Data Controller").
- Technical terms that you are assigning a specific meaning for the purposes of your Data Protection Policy (e.g. "Data Exporter," "Filing System," "Data Protection Law").
Here's an excerpt from ATPI's glossary:
Other Relevant Policies
Your GDPR Data Protection Policy might be just one of several privacy-related policies you have within your company.
Throughout this article, we'll be looking at how some specific areas of your GDPR Data Protection Policy might relate to or incorporate other policies. For example, you might have internal policies such as a:
- Data Breach Notification Policy
- Data Retention Policy
- Data Protection Impact Assessment Process
If so, your GDPR Data Protection Policy is a good place to make people aware of these other documents. You can do this early on in your policy.
Here's an example from the World Fair Trade Organization:
Scope
Defining the scope of your Data Protection Policy establishes who and what the policy applies to. You should use this section to address the intended subjects of your Data Protection Policy, and to explain what activities it covers.
Here's an example from Community Connexions:
Values
A major part of complying with the GDPR involves applying the principles of data processing throughout all your company's operations. These amount to a set of values which should be instilled in all your company's staff as deeply as possible.
Your Data Protection Policy is a good place to set out the values your company holds in relation to protecting personal data. This is a way to get everybody in your company on board with your compliance efforts.
Here's an interesting approach from The Reader:
This reads like a public-facing document, and, like all the examples we're looking at, it is publicly available.
Even if you're not planning to make your Data Protection Policy public, there's no reason you can't take a bold approach like this when espousing your company's privacy values.
Chain of Responsibility
Depending on the size of your company, you might use your Data Protection Policy to allocate different responsibilities to different people. You should try to make it clear, though, that data protection is everybody's responsibility, to some extent.
Here's an example from the Data Protection Policy of Crofton Baptist Church, which operates as a charitable trust. The following is the top of its "Data Operational Hierarchy":
These actors are not presented in terms of rank or seniority, but in relation to their operational responsibilities for personal data.
Here's a much simpler example from the Complementary and Natural Healthcare Council (CNHC):
"The DPA" is the Data Protection Act 2018, the UK's implementation of the GDPR.
User Rights Requests
Under the GDPR, individuals are empowered with a set of rights over their personal data. These rights enable them, among other things, to obtain a copy of their personal data, to have it erased, and to have it rectified. Data controllers have a special responsibility to help data subjects exercise these rights.
The GDPR doesn't set out a specific method for individuals to follow in order to exercise their user rights. This means that a request could come to anyone in your company, in practically any format, and you would still be expected to respond quickly and efficiently.
It's important, therefore, to use your Data Protection Policy to set out the expectations on any staff member who might receive such a request.
Here's how Orchard Oak Recruitment describes its process for facilitating requests under the right of access:
Data Storage
A lot of companies don't have data storage under control. Files can be found sitting around in people's drawers, or unshredded in waste bins. Unencrypted spreadsheets of names and addresses sit idly on people's desktops. Confidential email is accessed via personal mobile phones.
This is pretty basic stuff, and it's important to clearly set out the rules about data storage in your Data Protection Policy. Here's an example from iSAMS:
Data Breach Notification
Ensuring that your company has clear and robust procedures for recognizing and reporting a data breach is an essential part of GDPR compliance.
The clock starts ticking once a data breach has occurred, and crucial moments could be lost if anyone in your company fails to act quickly.
You might have a separate Data Breach Notification Policy, or you might use your Data Protection Policy to set out such a procedure. Either way, the expectations of staff must be clear.
Often a Data Protection Policy will give a very brief instruction regarding what to do on discovering a breach, and refer staff to a separate Data Breach Notification Policy. Here's an example from Pinewood Group:
Data Sharing
Under the GDPR, disclosing personal data to a third party is only permitted with a suitable legal basis. It's important that everyone in your company is aware of this. Sharing an individual's personal data without their consent, or some other valid reason, would constitute a data breach.
At the same time, it's important to emphasize that not sharing personal data might be unlawful under certain conditions.
To put this in context, here's an excerpt from the relevant section of Southway Housing's Data Protection Policy:
Staff Training
By this point in your Data Protection Policy, you'll have set out a broad range of expectations on staff. It might not be reasonable to expect them to understand and implement your policy without proper training.
If you place requirements on your staff to attend data protection training, you may wish to include reference to this in your Data Protection Policy. Here's an example from Hillingdon London Borough Council:
Summary
A GDPR Data Protection Policy should be the go-to resource for anyone in your company who has an issue or question relating to data protection.
It's also a great way to demonstrate to a Data Protection Authority, and even to your clients and customers, that you have this stuff under control.
Consider including some of these sections in your GDPR Data Protection Policy:
- A section explaining the purpose of the policy
- A glossary to give definitions
- The policy's scope
- Your company's values
- The chain of data protection responsibility
- A procedure for responding to user rights requests
- Rules on storing personal data
- A summary of your company's data breach notification procedure
- Rules and guidance on disclosing personal data to third parties
- Requirements around staff data protection training