Data Protection Policy: 8 GDPR Compliance Tips
Duly registered and state-recognized companies are required to comply with national laws on cybersecurity. However there are also internationally-recognized regulations that qualified business organizations follow. An example of which is the General Data Protection Regulation (GDPR).
Covered companies were quick to update their respective protection policy when GDPR came into existence. In sum, GDPR is a significant piece of European legislation, aimed at protecting personal data of data subjects in the European Union (EU) by regulating data controllers and processors (individuals or organizations). Verily, Singapore as one of EU’s largest trading partner in ASEAN, falls under GDPR’s jurisdiction.
In this article, we will give you tips on how to come up with a GDPR-compliant data protection policy (DPP). But first:
What is a Data Protection Policy?
An organization’s DPP is an internal document drafted by its constituents to establish the company-wide data protection policies. Especially among those who handle or process client data, the DPP is made available to all employees. At times, it is also made public.
The DPP is seldom required by law. However, it is a recommended step for any business organization that wishes to demonstrate adherence to GDPR regulations. It is the most practical way to ensure that you are implementing your company’s data protection practices, while training your employees to exercise the same.
With that being said, here are 8 tips (specifically general clauses) that you might consider when drafting your company’s data protection policy:
1. Introduction and Scope of Policy
A good DPP should begin with an introduction of the purpose/significance of the document and its relevance to the context of the organization. This would prime the reader (employees) on the overview of what the policy is all about and how they should approach the sections therein.
A word or set of words, as used in different organizations, may have alternative meaning depending on the context. To avoid potential misunderstandings among your employees, it is important to include a section wherein you define these terms, especially the highly technical ones.
3. Statement of GDPR Principles
This section should be dedicated on reiterating the set of principles that governs GDPR regulations. Your DPP should clearly recount each of the GDPR requirements for legal data processing.
4. Lawfulness of Processing Data
The GDPR requires that your company’s data processing must fall under of its six legal bases. As preparation, you should audit your organization first and determine on which category you belong. Remember that processing data may differ according to which legal basis the personal information falls under; as such, your employees who handle these confidential data should fully understand which basis it is being processed under.
5. Roles and Responsibilities
The Roles and Responsibilities clause will lay the duties each of your employees should observe relevant to your company’s data protection policy. This section confers accountability to your members when handling and processing customer data.
6. Data Breach Protocol
This section may be considered as the most important clause in your data protection policy. It will guide every person in your organization on what steps to take should you experience a case of data breach. These procedures are scrutinized whenever there are legal allegations of inadequate response to data breach imputed against your organization. As others put it, “Teaching your employees to address breach situations quickly and judiciously could be the difference between a fine and a warning.”
7. Security and Record Keeping
This clause is suggested to contain your company’s security measures, data retention practices, and data records policy. You should guarantee the safety of customer information that circulates around your system and stored in your database. As a tip, you may describe both GDPR requirements and incorporate your organization’s own standards pertinent to data security.
8. Contact Information
Your employees should know the right person to call if they have any question, concern, or suggestion about data protection. This clause should contain the contact information of your point-person serving as the overseer of your data protection policy implementation. In most business organizations, this is the Data Protection Officer, who may be in-house or outsourced.
Lastly, your business organization has the freedom to stipulate any other pertinent matter that concerns data security within your DPP. It is also a good practice to have quarterly audit in order to check your adherence to the recent GDPR requirements and regulations. As previously mentioned, consider collaborating with an Data Protection Officer whenever you wish to launch, implement, amend, or alter your data protection policy.
In totality, your GDPR compliance and cybersecurity is only as good as how well you drafted and implemented your company’s data protection policy.
Also Read: When to Appoint a Data Protection Officer