Data protection policies and procedures

Why your company needs them, and what they should include

No matter what sector your company operates in or the size of your business, it is essential to establish a formal set of data protection policies and procedures.

Data protection compliance is a crucial step in making sure your business is constructed to protect all the information it processes. This includes data on partners, employees, customers, and all other parties associated with your business.

Until recently, the Data Protection Act (DPA) 1998 was the primary legislation governing the holding and processing of data. It was replaced in 2018 by the EU's GDPR, alongside the Data Protection Act 2018. Enforcement action can still be taken under the 1998 act for violations committed before GDPR came into force in May 2018.

If your company breaks any of the data protection laws, it will potentially face an investigation from the Information Commissioner’s Office (ICO), which could also hand out punishments ranging from hefty fines to enforcement notices. It's for these reasons that a business must ensure compliance with a formalised set of data protection policies and procedures.

GDPR, and consequently the Data Protection Act 2018, was designed to improve safeguards for citizens (data subjects) in the modern age of mass data processing and social media. Staying on the right side of this legislation should be incentive enough for organisations to bring in data protection policies, but there are other reasons beyond legal compliance.

Why does a company need data protection policies and procedures?

Your business must have a formalised set of policies and procedures in place, as a minimum, to ensure it meets the requirements set out under GDPR and the DPA 2018. Having the right systems and mechanisms in place for handling data, however, also significantly improves an organisation's overall security regime.

Meeting the requirements set out under the latest data protection regulations is essential: your organisation could face fines of up to €20 million or 4% of annual turnover if found not to be compliant. Beyond that, not having policies and procedures in place also exposes you to reputational damage.

Employees, for example, might be disinclined to seek opportunities with you, and customers could be reluctant to use your services if you have earned a reputation for not taking data protection seriously.

What should a data protection policy contain?

Your company's data protection policies and procedures should be tailored to your specific business. For example, you will need to state what your employee data policies and procedures are, but there is no point stating what you will do with customer data if you don't collect it.

Although the GDPR makes many changes to the DPA principles, it remains in line with the original guidelines, so any policy that addresses the original data legislation is a good place to start. Those principles state that data held by a company must:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

It's important that your policy addresses each of these points and explains how the organisation will guarantee each is respected.

That means covering how you will ensure the data is lawfully obtained, how it is kept up to date when changes occur, how your company plans to keep the data safe from unauthorised access, how the data will be removed when it is no longer needed, and how you will guarantee it is removed from all systems.

The GDPR also adds a new principle, accountability, so it is pivotal that you highlight who within your organisation is responsible for enforcing these policies. You will also need to ensure the document explains how you will guarantee all staff comply with these policies, and what procedures your business has in place if staff fail to do so.
