Howard Freeman – 28th February, 2019
Creating an Internal Data Protection Policy is a good way to start your compliance journey with the General Data Protection Regulation (GDPR). Because interpreting the regulation can be complex and challenging for most people, a written internal policy gives staff a single, clear statement of what the company expects.
Why should my company create an Internal Data Protection Policy?
The different departments or employees in your company will each interpret the GDPR requirements differently. An Internal Data Protection Policy makes life easier for employees and saves them the effort of having to understand and interpret the entire GDPR by themselves. Leaving that interpretation to each individual would not only be costly in terms of lost productivity, it may also fail to produce consistent results. In addition, your business can articulate what is expected of your people and how these requirements must be fulfilled.
The key elements of a Data Protection Policy
Typically, the policy will have the following elements:
- Purpose of the policy: This part of the policy describes why this Internal Data Protection Policy is being used, and why it is important for the company. Consider this more like the privacy vision of your company.
- Definitions of key terms: This part of the Internal Data Protection Policy defines key terms like personal data, special categories of data, etc., in the context of the company.
- Principles and purposes of processing: This part of the Internal Data Protection Policy defines the guiding principles for the processing of personal data, and the activities for which personal data can be processed. For example, this may include mapping the company activities to legitimate purposes defined in GDPR.
- Key requirements or controls: This part of the policy lists the key requirements that should be fulfilled in order to be considered compliant with the policy. To ensure that employees and managers can validate the fulfilment of a requirement, a set of controls can be provided. For example, to fulfil the requirements of lawful processing, a control should be implemented to ensure that all processing activities are listed and mapped to one of the legitimate purposes defined in the policy.
- Key roles and their responsibilities: This part of the policy defines the key roles for your team and the stakeholders for ensuring compliance with this policy. This section also outlines the responsibilities of each of the key stakeholders. It is important to note that the responsibilities of employees must also be explicitly stated, so that the employees feel like a part of it. This is the start of creating a culture of awareness, better known as a GDPR Culture.
- Appointment of Lead Supervisory Authority: This part of the Internal Data Protection Policy states who is considered (from the perspective of your company) to be the Lead Supervisory Authority. If your company is based in multiple locations, or operates as different legal entities, it should be specified how the management intends to manage the relationships with the different Supervisory Authorities. In the UK, this is the Information Commissioner's Office, www.ico.org.uk
Having an Internal Data Protection Policy within a company can be a huge advantage. You must not underestimate the value of having such a policy, as it allows all employees and external staff of your company to understand what is to be done, and why.
More importantly, as part of the approval process, it will make your senior management aware of the company's obligations in relation to the GDPR. So, if you can do so, create your Internal Data Protection Policy today. If not, see the services we offer and call us if we can help you create your policy and support you on your journey to GDPR compliance.