Welcome, spec!
In this post we want to lay the data protection compliance groundwork that applies to all organizations. To meet the requirements of data protection regulation, namely the organizational measures it calls for, the following policies should be implemented. Following Pareto's 80/20 principle, these three policies can cover most of the compliance requirements.
Number #1 – Data Protection Policy
Many organizations just copy/paste from the GDPR and the guidelines. Maybe it works for some (it rarely does, though), but the smart way to draft a 'Data Protection Policy' is to talk about 'Data Protection' in the context of your business.
For example, instead of providing the full legal definition of 'Personal Data' with the examples given in the GDPR, stick with the actual examples of personal data that your company collects and uses. There is no point in saying that personal data can be physiological or genetic information about someone if the company operates an e-commerce site and has nothing to do with genetic data.
Number #2 – Information Security Policy
There are many approaches to a proper info-sec policy. Again, use one that actually suits your company in terms of usability and continuity. This policy is a must-have from the point of view of supervisory authorities, auditors and many B2B clients who use the company's services.
In practice, 'Access Management' is the one subsection of information security that has the most impact on privacy compliance on a daily basis. Other info-sec topics are important as well and deserve no less attention, but whether data can be accessed, and by whom, are core issues and relevant for most organizations.
Number #3 – Third Party Management Policy
This policy is sometimes included in the 'Information Security Policy' but is usually done separately (depending on the context of the company, its stakeholders and its common third parties).
There are many info-sec links here, but from the privacy point of view, a proper 'Third Party Management Policy' can be a force multiplier for privacy specs. This policy can cover Data Processing Agreements (GDPR Article 28) as well as data transfers (GDPR Chapter V). It also affects keeping the records of processing activities up to date (Article 30) and fulfilling data subject rights when personal data is sent to third parties.
Thanks for reading! Check out our blog for more privacy-related posts. We'll soon make our 'Tools' available, including related checklists that can help you draft proper policies for your organization.