Data Protection Policy – What is it?

You know you need to protect your users' data and have a Privacy Policy in place which outlines how you do this. But what about a Data Protection Policy? And no, it's not the same thing.

A Data Protection Policy is a policy that outlines how a company uses, manages, secures and protects its data. Its main objective is to ensure the security of the data the company handles and maintains. The policy contains information on what kind of data you collect and store, how your company handles this data, its processing, and any breaches in security.


The Difference Between a Data Protection Policy and a Privacy Policy

A Data Protection Policy is an internal policy for the handling of corporate data, so that employees are aware of and can follow best practices. Whereas a Privacy Policy is a policy for your users which outlines how you collect, use, manage and store their personal data. The Privacy Policy is placed on your website; the Data Protection Policy is not.

Do I Need a Data Protection Policy?

Before we answer this question, it's imperative to ask whether you need a Data Protection Officer, as the answer to this question will determine the answer to the original question.

A Data Protection Officer (DPO) is required if:

  • you are a public authority or body
  • you carry out regular large scale monitoring of individuals
  • your company's core activities are the processing of data which is related to criminal offences and/or convictions.

If your company requires a DPO then you will also require a Data Protection Policy so that your DPO can demonstrate compliance with GDPR principles. If you do not need to appoint a DPO then you are not required to have a Data Protection Policy in place.

Main Elements Of a Data Protection Policy

The Data Protection Policy for your company needs to include the following elements:

  1. The Purpose of the Policy – a description of the reason for the policy and the importance it holds in the company. Consider this section an outline of your company's vision for data privacy.
  2. Definitions – defines the key terms of the policy. The GDPR encourages policies to be written in as simple and clear a language as possible. This list of definitions helps people who are not familiar with terms like data subject, data controller or territorial scope.
  3. Scope of Data Protection – outlines the type of data your company protects and who this policy is directed towards.
  4. Data Protection Methods – the safeguards the company has in place to help protect personal and sensitive data once it's collected. A guide for individuals and departments.
  5. The Principles – outlines the major principles for processing personal data collected and stored by your company.
  6. Data Subject Rights – lists and defines the eight rights of data subjects. There should also be a statement that your company will adhere to these.
  7. Roles and Responsibilities – outlines the key roles and responsibilities of staff members and of the data protection and processing officer, if you have one.
  8. Accountability – compliance with, and responsibility for, the Data Protection Principles.
  9. Legal Requirements for Data Protection – the data protection principles to be followed by all staff who handle personal data.
  10. Reporting Data Breaches – ensures that your company understands what a data breach is and has a process in place to report any data breaches that must be reported.
  11. Training – if your company trains staff in relation to data protection policies, then this should be added to your policy.

1. The Purpose of the Policy

This is the introduction to the policy. It is an outline as to what the policy covers and what the purpose of it is. This section outlines the company’s data privacy and protection vision.

The Introduction to Axiomatic’s Data Protection Policy

Axiomatic have clearly outlined what their Data Protection Policy covers and who it applies to (both their clients and their employees). They have stated that the policy will cover how personal data is processed, handled and stored.

2. Definitions

A lot of the terms in the Data Protection Policy may be unfamiliar to your staff. Terms like "data protection officer", "data subject" and even "personal data" are unfamiliar to those who have little or no experience with data protection laws. Having a list of definitions of the key terms will help your staff to understand the policy.

Part of the list of definitions in HSE’s Data Protection Policy

HSE have chosen to list the definitions in the Appendix of their Data Protection Policy. They have a very comprehensive list of definitions, as a comprehensive Data Protection Policy should.

3. Scope of Data Protection

The Scope section of the Data Protection Policy states who the policy is aimed at as well as the type of data the company is referring to.

Solvay’s Scope Clause

Solvay have clearly stated that the terms of their policy are aimed at agents and contractors that handle and process personal information on their behalf. They also state what personal information the policy relates to. This is a great example of a well written scope in a Data Protection Policy.

4. Data Protection Methods

What data protection methods does your company employ to safeguard the personal information it handles? The Data Protection or Data Security section of the Data Protection Policy is where the company's security measures are listed. What procedures do your staff need to follow, and what data protection measures do you have in place?

As you can see in the above example, taken from the Data Security section of the Hope Learning Trust York Data Protection Policy, they have clearly listed what procedures their staff need to follow, including a ban on the use of personal devices. The policy is written clearly and concisely, as recommended by the GDPR.

5. The Principles

The GDPR sets out a number of Data Protection Principles that your company needs to comply with. The Principles section of the Data Protection Policy is where you set out these principles before explaining how your company implements them.

The NHS’s Data Protection Principles clause

The NHS lists the GDPR principles that its Data Protection Policy follows, so that they are compliant with the GDPR.

6. Data Subject Rights

The data subjects are your customers, clients and/or users. In this section of the Data Protection Policy, the rights of the data subject need to be listed to comply with the GDPR.

Data subjects Rights clause from Daimler’s Data Protection Policy

Daimler have listed each of the data subject rights that are necessary to be GDPR compliant. It is clear what the rights of their customers are and what action is required in each situation.

7. Roles and Responsibilities

The Roles and Responsibilities section outlines the roles and responsibilities of staff members and of the Data Protection and Privacy Officer (if you have one).

Responsibilities clause from Solvay’s Data Protection Policy

In the above example, Solvay clearly state that all employees have a responsibility to assist in the protection of Personal Information. Solvay do have a Data Protection and Privacy Officer, and this section states what their responsibilities are. They have also included what actions may be taken should employees fail to comply with this.

8. Accountability

The accountability section of the Data Protection Policy outlines that the company must be responsible for and compliant with the Data Protection Principles.

Accountability Section from the Data Protection Policy of University College Cork, Ireland

As you can see in the above example, from University College Cork's Data Protection Policy, they have a data controller. Their policy lists what the data controller is accountable for in order to comply with the GDPR.

9. Legal Requirements for Data Protection

Under the GDPR there are six legal requirements for data protection. These requirements should be included in your Data Protection Policy along with any additional company requirements.

Section for Lawful Basis for Processing from International General Insurance Group’s Data Protection Policy

The above example from IGI is a good example of what this section of your Data Protection Policy should read like. They have listed the six lawful bases for processing personal data in order to be compliant with the GDPR. They have then added how these bases are to be incorporated into the processing of their subjects' personal data.

10. Reporting Data Breaches

What is a data breach?

A personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data".

It is crucial that your company has a data breach policy in place so that a breach can be reported as quickly as possible.

However, not all data breaches require reporting. There are a few points you need to consider before you report the breach:

  • does the breach pose a risk to people?
  • does the breach pose a risk to people's rights and freedoms?

If a risk is likely, then you need to notify the ICO; if the risk is unlikely, then you do not.

For a risk assessment check, you can take the self-assessment questionnaire on the ICO website.

University of Sussex Reporting Data Breaches Section of their Data Protection Policy

As you can see from the example above, the University of Sussex has a comprehensive Reporting Data Breaches section in their Data Protection Policy. They define what a breach is and outline the steps that are to be taken if one occurs.

11. Training

Should your company implement training on data protection, then this should be added to your Data Protection Policy. Training is advisable to ensure staff are fully aware of what is required from them and of how important the protection of your customers' personal data is.

The University of Birmingham includes a training clause in its Data Protection Policy

The University of Birmingham requires all of their staff to complete a training course in data protection, and this is written into their Data Protection Policy as shown above.

In Conclusion

The main sections to be included in your Data Protection Policy are:

  • The Purpose of the Policy
  • Definitions
  • Scope of Data Protection
  • Data Protection Methods
  • The Principles
  • Data Subject Rights
  • Roles and Responsibilities
  • Accountability
  • Legal Requirements for Data Protection
  • Reporting Data Breaches
  • Training

A Data Protection Policy outlines the way in which your company uses, manages, secures and protects its data.

The Data Protection Policy is different from a Privacy Policy. The Data Protection Policy is an internal policy meant for the staff and DPO of your company. A Privacy Policy is an external policy outlining how your customers' and/or users' personal data is collected, used and stored by your company.

If your company or organization is required to appoint a DPO, then you also require a Data Protection Policy to help your DPO demonstrate compliance with the GDPR.

For a comprehensive Data Protection Policy, we recommend using our privacy policy generator.
