Data protection policies and procedures

Mockup image with padlocks to symbolise a cyber security vulnerability
(Image credit: Shutterstock)

No matter what sector your company operates in or the size of your business, it' essential to establish a formal set of data protection policies and procedures.

Data protection compliance is a crucial step in making sure your business is equipped to protect everything it processes. This includes data on partners, employees, customers, and all other parties associated with your organisation.

General Data Protection Regulation (GDPR) GDPR preparation: 2018 data protection changes

Until recently, the Data Protection Act (DPA) 1998 was the primary legislation for holding and processing data in the UK, before it was replaced in 2018 by the EU's GDPR, alongside the DPA 2018. However, enforcement action is still taken under the 1998 act for any violations committed before GDPR came into force.

If your company breaks any of the regulations set out under these laws, it'll likely lead to an investigation by the Information Commissioner’s Office (ICO), depending on the severity. The ICO, if it finds your organisation to have violated data protection laws, could distribute punishments ranging from hefty fines to enforcement notices. It's for these reasons that all organisations must ensure they have a formalised set of data protection policies and procedures to ensure compliance.

GDPR, and the Data Protection Act 2018, was made to improve safeguards for citizen in the modern age of mass data processing and social media. Staying on the right side of these regulations won't only ensure you avoid punishment, but will improve the data hygiene within your own business. Ultimately, there are certainly incentives for adopting data protection policies and procedures beyond regulatory box-ticking.

Why does a company need data protection policies and procedures?

The information contained in this article should be considered as general advice only, and should not be used as an alternative to sound legal advice from your own legal team

Your business must have a formalised set of policies and procedures in place, as a minimum, to ensure it meets the requirements as set out under GDPR and the DPA 2018. Having the right systems and mechanisms in place for handling data, however, also massively improves an organisation’s security regime.

Meeting the requirements as set out under the latest data protection regulations is essential, and your organisation could face fines of €20 million up to 4% of annual turnover if found not to be compliant. Beyond that, however, not having policies and procedures in place could mean that you risk reputational damage.

Employees, for example, might be disinclined from seeking opportunities with you, and customers could be reluctant to seek out your services if you've carved a reputation for not taking data protection seriously.

What should a data protection policy contain?

Your company's data protection policy and procedure should be created to suit your specific business. For example, you will need to state what your employee data policies and procedures are, but there's no point stating what you will do with customer data if you don't collect it.

Although the GDPR makes many changes to the DPA principles, they are in line with the original guidelines and so any policy addressing the original data legislation is a good place to start. These state data held by a company must:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic area, unless that country has equivalent levels of protection for personal data.

It's important your policy addresses each of these points and explains how the organisation will guarantee each is respected.


Why smart businesses view a data fabric as an inevitable approach to becoming data driven

Adopting a data-driven strategy for success


That covers how you will ensure the data is lawfully obtained, how it's kept up to date if any changes are made, how your company plans on keeping the data safe from unauthorised access, how the data will be removed when it's no longer needed and how you will guarantee the data is removed from all systems.

The GDPR also adds a new principle - that of accountability - so it's pivotal you highlight whose responsibility it is to enforce these policies upon your organisation as well. You'll also need to ensure the document explains how you will guarantee your whole staff complies with these policies, and any procedures your business has in place if staff fails to do so.

Best practices for creating a data protection policy

Truly understand GDPR and data protection

Organisations should understand the terms of these data protection laws as far as they apply to how the business uses and processes data. Now the regulations have been in play for more than four years, there are no excuses for businesses not to have understood how GDPR applies to processes and systems.

From establishing a data protection officer (DPO) to processing subject access requests (SARs), there are various measures that your business might need to take – and it helps to understand why and how.

Investigate your own organisation

Conducting a thorough probe into your business and the data it collects and processes is key to fuelling how your DPP will be framed. By speaking with the relevant stakeholders, you’ll gather the right information to form a set of guidelines around which you can mould your data protection policy to be as accurate and effective as possible.

It’s essential to understand the needs of your business and its capacity to keep data private and secure. It’s therefore important to understand various factors including how data is collected, how long it’s retained, whether data is open or access is restricted, whether it’s being used appropriately and whether there are measures in place to protect data.

Identifying sensitive data

Specifically taking inventory of all the sensitive data your business is a good way to ensure you have a handle on where exactly sensitive corporate data is being held.

The process of identifying this data should analyse any data held by the HR department as well as unstructured data that lives in company hardware, any remote servers and even email accounts. There should also be a note of all people who have access to see or edit data, as well as how much data the company holds and how old it is.

Monitor access to sensitive data

Access controls need to be managed, and nobody who doesn’t need to access data should be able to. Your business should audit who has access to what, and whether that level of access is necessary.

Only those who need to process the data for the reasons your organisation has outlined should have the privileges to access or modify the data as necessary.

Protecting data not just virtually – but physically

An often overlooked element of cyber security is actually the physical security of business assets and critical data. Who has physical access to business networks and systems matters just as much as who can access these using remote terminals.

It’s crucial to consider implementing measures like access restrictions, as well as automatically putting machines to sleep when users leave them. It might also be worth thinking about whether it’s worth restricting workers from taking workstations outside the office. Such measures can be considered alongside hard drive encryption or restricting perpipherals from connecting to any PCs.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.