Data protection policies and procedures

Why your company needs them, and what they should include


Regardless of the industry in which you operate, you must ensure that your organisation has devised a set of formalised data protection policies and procedures. Doing so puts you in a position to protect the personal information of employees, partners, customers, and every other party whose data you hold.

The Data Protection Act 1998 was the main data protection legislation in the UK until the introduction of the GDPR, which applied from 25 May 2018. The EU regulation formed the basis of the Data Protection Act 2018, which contained many new provisions designed to modernise data protection standards.

If your organisation fails to comply with the regulations, it may be investigated by the Information Commissioner's Office (ICO) and be subject to enforcement action, ranging from an enforcement notice to fines large enough to make the owners of massive multinational corporations wince.

These laws exist to protect individuals from the threat of their personal data being misused or seized by cyber criminals. With technology becoming more widely available and more advanced, and with more of our lives taking place online, these risks are only escalating. Following the law should be incentive enough to establish a clear set of data protection policies and procedures, but there are plenty of other reasons why you would want to do so too.

Why a company needs data protection policies and procedures

A formalised set of policies and procedures is not only important for meeting the requirements set out under the GDPR; it also contributes substantially to the wider information security regime of your business.

Meeting the requirements set out under the latest data protection regulations is essential, and your organisation could face fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, if found not to be compliant. Beyond that, however, not having policies and procedures in place means you risk reputational damage. Prospective employees, for example, might be disinclined to seek opportunities with you, and customers could be reluctant to use your services if you've earned a reputation for not taking data protection seriously.

What a data protection policy and procedure should contain

Your company's data protection policy and procedure should be created to suit your specific business. For example, you will need to state what your employee data policies and procedures are, but there's no point stating what you will do with customer data if you don't collect it.

Although the GDPR makes many changes to the DPA principles, it is in line with the original guidelines, so any policy addressing the original data legislation is a good place to start. The original eight principles state that personal data held by a company must:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

It's important that your policy addresses each of these points and explains how the organisation will ensure each is respected.

That means covering how you will ensure the data is lawfully obtained, how it's kept up to date when changes occur, how your company plans to keep the data safe from unauthorised access, when the data will be removed once it's no longer needed, and how you will guarantee it is removed from all systems, including backups and any third-party processors that hold copies.

The GDPR also adds a new principle, that of accountability: your organisation must not only comply with the other principles but be able to demonstrate that it does. It's therefore pivotal that you identify who is responsible for enforcing these policies within your organisation. You'll also need to ensure the document explains how you will ensure that all staff comply with these policies, and what procedures your business has in place if staff fail to do so.
