Data Protection Policy – What is it?
A Data Protection Policy is a policy that outlines how a company uses, manages, secures and protects its data. Its main objective is to ensure the security of the data the company handles and maintains. The policy contains information on what kind of data you collect and store, how your company handles and processes this data, and how any breaches of security are dealt with.
Do I Need a Data Protection Policy?
Before we answer this question, it's imperative to ask whether you need a Data Protection Officer, as the answer to that question determines the answer to the original one.
A Data Protection Officer (DPO) is required if:
- you are a public authority or body
- you carry out regular large scale monitoring of individuals
- your company's core activities are the processing of data relating to criminal offences and/or convictions.
If your company requires a DPO then you will also require a Data Protection Policy so that your DPO can demonstrate compliance with GDPR principles. If you do not need to appoint a DPO then you are not required to have a Data Protection Policy in place.
Main Elements Of a Data Protection Policy
The Data Protection Policy for your company needs to include the following elements:
- The Purpose of the Policy – a description of the reason for the policy and the importance it holds in the company. Consider this section an outline of your company's vision for data privacy.
- Definitions – defining the key terms of the policy. The GDPR encourages policies to be written in language as simple and clear as possible. This list of definitions helps people who are not familiar with terms such as data subject, data controller or territorial scope.
- Scope of Data Protection – outlines the type of data your company protects and who this policy is directed towards.
- Data Protection Methods – the safeguards the company has in place to help protect personal and sensitive data once it is collected. A guide for individuals and departments.
- The Principles – outlining the major principles for processing personal data collected and stored by your company.
- Data Subject Rights – list and define the eight rights of individuals as data subjects. There should also be a statement that your company will adhere to these.
- Roles and Responsibilities – outlining the key roles and responsibilities of staff members and of the data protection and processing officer, if you have one.
- Accountability – compliance with, and responsibility for, the Data Protection Principles.
- Legal Requirements for Data Protection – the data protection principles to be followed by all staff who handle personal data.
- Reporting Data Breaches – ensure that your company understands what a data breach is and has a process in place to report any data breaches that require reporting.
- Training – if your company trains staff in relation to Data Protection policies, this should be added to your policy.
1. The Purpose of the Policy
This is the introduction to the policy. It is an outline as to what the policy covers and what the purpose of it is. This section outlines the company’s data privacy and protection vision.
Axiomatic have outlined clearly what and who (both their clients and employees) their Data Protection Policy covers. They have stated that the policy will cover how personal data will be processed, handled and stored.
2. Definitions
A lot of the terms in the Data Protection Policy may be unfamiliar to your staff. Terms like "data protection officer", "data subject" and even "personal data" are unfamiliar to those who have little or no experience with data protection laws. Having a list of definitions of the key terms will help your staff to understand the policy.
HSE have chosen to list the definitions in the Appendix of their Data Protection Policy. They have a very comprehensive list of definitions, which is what a comprehensive Data Protection Policy should contain.
3. Scope of Data Protection
The Scope section of the Data Protection Policy contains information about who the policy is aimed at, as well as the type of data the company is referring to.
Solvay have clearly stated that the terms of their policy are aimed at agents and contractors that handle and process personal information on their behalf. They also state what personal information the policy relates to. This is a great example of a well-written scope in a Data Protection Policy.
4. Data Protection Methods
What data protection methods does your company employ to safeguard the personal information it handles? The Data Protection or Data Security section of the Data Protection Policy is where the company's security measures are listed: the procedures your staff need to follow, and the technical and organisational safeguards you have in place.
As you can see in the above example, taken from the Data Security section of the Hope Learning Trust York Data Protection Policy, they have clearly listed the procedures their staff need to follow, including a ban on the use of personal devices. The policy is written clearly and concisely, as recommended by the GDPR.
5. The Principles
The GDPR sets out a set of Data Protection Principles that your company needs to comply with. The Principles section of the Data Protection Policy is where you set out these principles before explaining how your company implements them.
The NHS lists the GDPR principles that its Data Protection Policy follows, so it is compliant with the GDPR.
6. Data Subject Rights
The data subjects are your customers, clients and/or users. In this section of the Data Protection Policy the rights of the data subject need to be listed in order to comply with the GDPR.
Daimler have listed each of the data subject rights that are necessary to be GDPR compliant. It is clear what the rights of their customers are and what action is required in each situation.
7. Roles and Responsibilities
The roles and responsibilities section outlines what the roles and responsibilities of staff members and the Data Protection and Privacy Officer (if you have one) are.
In the above example, Solvay clearly state that all employees have a responsibility to assist in the protection of personal information. Solvay do have a Data Protection and Privacy Office, and this section states what its responsibilities are. They have also included what actions may be taken should employees not comply with this.
8. Accountability
The Accountability section of the Data Protection Policy outlines that the company must be responsible for, and compliant with, the Data Protection Principles.
As you can see in the above example, from University College Cork's Data Protection Policy, they have a data controller. Their policy lists what the data controller is accountable for in order to comply with the GDPR.
9. Legal Requirements for Data Protection
Under the GDPR there are six legal requirements for data protection. These requirements should be included in your Data Protection Policy along with any additional company requirements.
The above example from IGI is a good example of what this section of your Data Protection Policy should read like. They have listed the six lawful bases for processing personal data in order to be compliant with the GDPR. They have then added how these bases are to be incorporated into the processing of their data subjects' personal data.
10. Reporting Data Breaches
What is a data breach?
A personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data".
It is crucial that your company has a data breach policy in place so that any breach can be reported as quickly as possible.
However, not all data breaches require reporting. There are a few points you need to consider before you report the breach:
- does the breach pose a risk to people?
- does the breach pose a risk to people's rights and freedoms?
If there is a likely risk then you need to contact the ICO; if the risk is unlikely then you do not.
For a risk assessment check you can take the self assessment questionnaire on the ICO website.
As you can see from the example above, The University of Sussex has a comprehensive Reporting Data Breaches section in their Data Protection Policy. They define what a breach is and outline the steps to be taken if one occurs.
11. Training
Should your company implement training on data protection, this should be added to your Data Protection Policy. Training is advisable to ensure staff are fully aware of what is required of them and of how important the protection of your customers' personal data is.
The University of Birmingham requires all of their staff to complete a training course in data protection, and this is written into their Data Protection Policy as shown above.
The main sections to be included in your Data Protection Policy are:
- The Purpose of the Policy
- Scope of Data Protection
- Data Protection Methods
- The Principles
- Data Subject Rights
- Roles and Responsibilities
- Legal Requirements for Data Protection
- Reporting Data Breaches
A Data Protection Policy outlines the way in which your company uses, manages, secures and protects its data.
If your company or organisation is required to appoint a DPO then you also require a Data Protection Policy to help your DPO demonstrate compliance with the GDPR.