Data Protection Toolkit - Data Protection Policy
A Data Protection Policy is a statement that sets out how your organisation protects personal data.
It is a set of principles, rules and guidelines that informs how you will ensure ongoing compliance with data protection laws.
You may already have organisational policies covering related areas such as:
- records management and retention
- acceptable use of IT systems
- duty of confidentiality, safeguarding
- information security
- risk management
A Data Protection Policy doesn't necessarily replace any of these, though it is worth looking at how these policies align with your data protection.
It is not explicitly stated in the GDPR that every data controller must have a written policy. But, depending on your organisation and the scale of your processing, it may be necessary to have one. In most cases, it would be a good idea to have one as it helps you to meet your obligations under the law.
Article 24 of the GDPR states that the controller must put in place appropriate "measures to ensure and demonstrate" that its processing complies with the GDPR. Where proportionate, this should include the:
...implementation of appropriate data protection policies
Article 24 GDPR
While it may be possible to have policies that aren't written down, it would be unusual. It also doesn't go far in helping to demonstrate how your organisation is taking measures to ensure compliance. A written document will help you to address deficiencies in your technical and organisational measures, ensuring compliance as well as good practice. This is an important part of achieving the GDPR's Accountability principle.
Funders may require you to have a policy and to provide in the process of applying for funding.
In other cases, another organisation could ask you to show how you are compliant with data protection laws, such as an organisation that will be sharing data with you.
While you could respond to these requests separately, it would be better, and easier, to show that you already have a policy in place.
Proving that you have an effective policy in place will also be taken into consideration in the event an investigation by the Information Commissioner's Office.
You don't need to share your Data Protection Policy publicly, as it is for your own organisation to follow and implement. If it's necessary and appropriate to share with others then you can do so—just make sure that there's no information in it that would present a cyber security risk if made available in this way.
We have shared NICVA's Data Protection Policy by way of example and because it's part of our Staff Handbook, all of which is available online. Please keep in mind that this has been drafted to suit our own practices and requirements. We make no claims for how effective it will be in the case of your own organisation. You will need to apply judgement about what needs to be present in your own policy.
There is no standard content that a data protection policy must have.
It should include high-level principles and rules for your organisation, and can touch on some of the procedures and practices that staff should follow.
The policies covered should be:
- appropriate to your organisation's size, culture and operations
- easy for staff—and other readers—to understand and follow
- possible to implement in your organisation
- reviewed on a regular basis and where necessary
You could address how your organisation makes decisions about the management of personal data. For example, it might refer to governance and oversight, including who undertakes the task of reviewing practices and ensuring the policies are being followed. You can set out how this fits in to your governance and management structures.
You don't need to describe every procedure in great detail.
For example, while the policy might touch on how the data minimisation principle applies to collecting data from beneficiaries, it doesn't need to detail exactly what data should and shouldn't be collected in every case. This is something that might be including in your data processing register.
It might be more appropriate to set out detailed procedures in a separate document. For example, you might have a separate document outlining your procedure for dealing with Subject Access Requests which would be informed, and referred to, by your Data Protection Policy.
Some suggestions of what to include in your policy:
- Your organisation's general approach to data protection
- How you will ensure that lawful processing is carried out
- How the principle of data minimisation is to be met
- Governance of data protection and responsibility for oversight
- Role of the Data Protection Officer (if applicable)
- How data processing practices are reviewed
- How your organisation demonstrates its accountability
- How the rights of data subjects are protected
- Technical and organisational measures to ensure systems security
- How staff will be trained and supervised in handling personal data
- Where data processors are to be used and how they are selected
- How the policies apply to external consultants, contractors, etc
- Obligations of staff to integrity and confidentiality
- Marketing and ePrivacy matters (issues covered by PECR)
- Good practice and practical steps for staff to follow (e.g. what to do when sending bulk emails)
This is neither a complete nor an exhaustive list. You can decide what you need to include to make it work for you.
There is, of course, no point in having a written policy if it is not actually implemented and embedded in your practices. It's little use stating that data transfers will be encrypted, for example, if you have no plan or resources to achieve this.
The Data Protection Policy should form part of your organisation's policies and governance, and be treated in the same way.
It should be introduced to staff and they should read it. All staff should be required to adhere to it, for example, as part of your staff handbook.
For ease of reference and depending on the length of the Policy, it might be useful to provide staff with a summary covering the main points or the practices that they need to follow.
Provide staff with appropriate training and supervision when you first implement the Policy. Staff training is a necessary element of effective organisational data protection. Ensure that staff (including any volunteers or sessional workers) receive training in the Policy, relevant to their individual roles and ways of working. You should also make sure to introduce new members of staff to the policy and the practices as part of the induction process.
If you've decided that external contractors and partner organisations will be bound by the policy itself, you should obviously provide them with a copy and ensure that there is an appropriate contract clause.