Data Protection Policies GDPR

Any processing of personal data must be fair and lawful. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.

The principle of transparency reigns. An internal Data Protection Policy is therefore a useful tool for companies to ensure that their employees are properly trained and follow the GDPR requirements. The purpose of a Data Protection Policy is to explain to employees what can and cannot be done with the data they are handling and outline the consequences of a policy breach.

Data Protection Policies are not required for all situations but should be used ‘where proportionate in relation to processing activities’ (Article 24(2)).

While the GDPR does not specify the required contents of a data protection policy, there are best practices that should be considered in its design. These include:

  • using concise and understandable language that speaks to the recipients;
  • considering how metrics may be used to demonstrate results; and
  • ensuring tasks are achievable, realistic, relevant and timely.

A Data Protection Policy clearly sets out the obligations of a business as a data controller and lays down a number of organisational and procedural measures to ensure compliance with the GDPR, applying not only to the business itself, but also to all employees, contractors, agents and any other third parties working on the business’s behalf. The rights and procedures for data subjects are also usually detailed.

A Data Protection Policy can be geared more towards personal data relating primarily to parties outside of the organisation, such as customers, or towards personal data relating to employees. The latter is likely to deal with a few more areas, e.g. employee health records, benefits, trade unions, monitoring, and employee records and retention.


CloudLegal can provide you with further advice if you need it!

Tel: 0800 6894168

twitter: @CloudLegals



