Does your company have a Data Protection Policy?


This policy is a statement that defines how your company will protect the personal data it collects.

A Data Protection Policy is a set of rules, guidelines, and principles that sets out exactly how you will ensure ongoing compliance with every data protection law that applies to you.

Please do not confuse it with what is commonly known as a Privacy Notice or a Privacy Policy, because a Data Protection Policy is not meant to be read by a data subject. If you need to inform people about how their data is being handled and used, the proper channel for this is your Privacy Notice.

You might already have a few organisational policies that cover related areas such as:

  • Management and retention of records
  • Acceptable usage of IT systems
  • Duty of safeguarding and confidentiality
  • Security of the information
  • Risk management

Your Data Protection Policy does not necessarily replace any of the above, though it is worth analysing how each of these policies aligns with your data protection obligations.

The GDPR does not explicitly state that every data controller has to have a written policy. However, depending on the scale of the processing inside your organisation, it could become necessary to have one. In the majority of cases it is a good idea to have one, because it helps you meet your obligations under the law.

The GDPR's article 24 states that the data controller must put in place the measures needed to properly demonstrate and ensure that its processing is compliant with the GDPR. Whenever possible, these should include the:

While it could be possible to have non-written policies, it would be very unusual practice. It also does little to help demonstrate how concretely your organisation takes measures to ensure GDPR compliance. A written document helps your company address deficiencies in its organisational and technical measures, ensuring good practice as well as compliance. This is a big part of achieving the Accountability principle of the GDPR.

Funders might require you to have a written policy and to provide it during your process of applying for funding.

In other cases, an organisation could ask you to demonstrate how you are currently compliant with the data protection laws, for example an organisation that will share data with yours.

On one hand, you could certainly respond to each of these requests separately. On the other hand, it would be faster and more efficient to demonstrate that you already have a written data protection policy in place.

Demonstrating that you have an effective policy will also be taken into consideration if there is an Information Commissioner's Office investigation.

It is not necessary to share your Data Protection Policy publicly, as it is intended for internal use, for your own organisation to follow and implement. If it becomes appropriate and necessary to share it with others, it is simple to do so. Just make sure that it contains no identifying information that could present a cyber security risk to you.

A Data Protection Policy should include your organisation's high-level rules and principles. It can also touch on the practices and procedures that staff should follow, but it might be better to set out detailed procedures separately.