Data protection policies and procedures

Why your company needs them, and what they should include

Whatever your business, it's essential that your company has some kind of formal data protection policies and procedures in place to guarantee you are sufficiently protecting your customers, partners, employees, and any other individual you keep data about.

Although the Data Protection Act (DPA) has protected individuals and consumers since 1998, the General Data Protection Regulation (GDPR), which came into force in May last year, takes this to a whole new level. This legislation applies to any company that has dealings with EU citizens - even if those companies are not headquartered in Europe.

The DPA has also undergone significant change and its latest update places it in line with many of the same policies of the GDPR. If your organisation does not comply with the law, it could face fines hefty enough to take any small or medium business into administration.

Both data laws exist to protect citizens from having their private data misused, an unfortunate part of modern life now that so much information is digitised. If sticking to the GDPR and DPA isn't enough to convince you to develop data protection policies and procedures, our roundup of why you should have them and what they should contain should convince you otherwise.

Why a company needs a data protection policy and procedure

Not only is it vital that your company has data protection policies and procedures to meet the Data Protection Act guidelines, but it's imperative that you have such a document or documents available to everyone under the GDPR, which came into force across the entire EU in May 2018.

If you aren't complying with the new regulations, your business can be fined up to 4% of its annual turnover, or up to €20 million.

What a data protection policy and procedure should contain

Your company's data protection policy and procedure should be created to suit your specific business. For example, you will need to state what your employee data policies and procedures are, but there's no point stating what you will do with customer data if you don't collect it.

Although the GDPR makes many changes to the DPA principles, they are in line with the original guidelines, so any policy addressing the original data legislation is a good place to start. These state that data held by a company must:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

It's important your policy addresses each of these points, and explains how the organisation will guarantee each is respected.

This covers how you will ensure the data is lawfully obtained, how it's kept up to date when changes are made, how your company plans to keep the data safe from unauthorised access, how the data will be removed when it's no longer needed, and how you will guarantee the data is removed from all systems.

The GDPR also adds a new principle, accountability, so it's pivotal that your policy states who is responsible for enforcing it within your organisation. You'll also need to ensure the document explains how you will guarantee your whole staff complies with these policies, and what procedures your business has in place if staff fail to do so.
