Data protection policies and procedures

Why your company needs them, and what they should include


Putting together a formal set of data protection policies and procedures is essential, no matter the size of your company or the sector it operates within. This major step in data protection compliance is crucial to making sure your business is built to protect the information you process on employees, customers, partners, and all other parties whose data may come into its possession.

Until recently, the primary legislation setting out the rules for holding and processing personal data in the UK was the Data Protection Act (DPA) 1998. It was effectively superseded by the EU's General Data Protection Regulation (GDPR), which became applicable on 25 May 2018, although enforcement action is still taken under the 1998 Act for violations committed before that date.

The EU regulation also fed into the Data Protection Act 2018, which supplements and works in tandem with the GDPR in the UK (since the end of the Brexit transition period, with the retained "UK GDPR"). This crucial piece of legislation includes provisions drafted to modernise data protection standards and deviates only slightly from the GDPR in some areas, such as adding further legal exemptions and conditions for processing sensitive data.

Should your organisation come to violate data protection laws, it could find itself under investigation by the Information Commissioner’s Office (ICO), with punishments for concrete infringements ranging from enforcement notices to massive fines. Devising and formalising a set of data protection policies and procedures, therefore, is key to ensuring compliance.

The latest generation of data protection laws was drafted to bolster safeguards for citizens, or data subjects, in the age of social media and mass data processing. Following the law should serve as enough of an incentive for businesses to implement data protection policies, but there are more reasons beyond simply legal compliance.

Why a company needs data protection policies and procedures

Your business must have a formalised set of policies and procedures in place, as a minimum, to ensure it meets the requirements as set out under GDPR and the DPA 2018. Having the right systems and mechanisms in place for handling data, however, also massively improves an organisation’s security regime.


Meeting the requirements set out under the latest data protection regulations is essential: an organisation found not to be compliant could face fines of up to 20 million euros (17.5 million pounds under the UK regime) or 4% of annual worldwide turnover, whichever is higher. Beyond that, not having policies and procedures in place exposes you to reputational damage. Prospective employees, for example, might be disinclined to seek opportunities with you, and customers could be reluctant to use your services if you have earned a reputation for not taking data protection seriously.

What a data protection policy and procedure should contain

Your company's data protection policy and procedure should be created to suit your specific business. For example, you will need to state what your employee data policies and procedures are, but there's no point stating what you will do with customer data if you don't collect it.

Although the GDPR restructures the DPA 1998 principles (it condenses them into seven principles under Article 5, with international transfers handled separately in Chapter V), the underlying requirements are much the same, so any existing policy written against the older legislation is a good place to start. The original principles state that personal data held by a company must:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the rights of data subjects.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic Area (or, under the UK GDPR, outside the UK) unless that country has equivalent levels of protection for personal data or appropriate safeguards are in place.

It's important your policy addresses each of these points and explains how the organisation will guarantee each is respected.

That means setting out how you will ensure the data is lawfully obtained, how it is kept accurate and up to date when changes occur, how your company plans to keep the data safe from unauthorised access, when the data will be removed once it is no longer needed, and how you will verify that it has been removed from all systems, including backups and copies held by third-party processors.

The GDPR also adds an explicit principle of accountability, so it is pivotal that you identify who is responsible for enforcing these policies within your organisation. The document should also explain how you will ensure that all staff comply with these policies, and what procedures your business follows if staff fail to do so.
