Data protection policies and procedures
Why your company needs them, and what they should include
Putting together a formal set of data protection policies and procedures is essential, no matter the size of your company or the sector it operates within. This major step in data protection compliance is crucial to making sure your business is built to protect the information you process on employees, customers, partners, and all other parties whose data may come into its possession.
Until recently, the primary legislation outlining the rules for holding and processing data was the Data Protection Act (DPA) 1998. This was effectively replaced with the EU’s GDPR, which came into force in May 2018, although enforcement action is still taken under the 1998 act for violations committed prior to this date.
The EU regulations also fed into the Data Protection Act 2018, which works in tandem with GDPR in the UK. This crucial piece of legislation includes provisions drafted to modernise data protection standards and deviates only slightly from GDPR in some areas, such as adding more legal exemptions for processing sensitive data.
Should your organisation come to violate data protection laws, it could find itself under investigation by the Information Commissioner’s Office (ICO), with punishments for concrete infringements ranging from enforcement notices to massive fines. Devising and formalising a set of data protection policies and procedures, therefore, is key to ensuring compliance.
The latest generation of data protection laws was drafted to bolster safeguards for citizens, or data subjects, in the age of social media and mass data processing. Following the law should serve as enough of an incentive for businesses to implement data protection policies, but there are more reasons beyond simply legal compliance.
Why a company needs data protection policies and procedures
Your business must have a formalised set of policies and procedures in place, as a minimum, to ensure it meets the requirements as set out under GDPR and the DPA 2018. Having the right systems and mechanisms in place for handling data, however, also massively improves an organisation’s security regime.
Meeting the requirements as set out under the latest data protection regulations is essential, and your organisation could face fines of up to €20 million or 4% of annual turnover if found not to be compliant. Beyond that, however, not having policies and procedures in place could mean that you risk reputational damage. Employees, for example, might be disinclined to seek opportunities with you, and customers could be reluctant to seek out your services if you've carved a reputation for not taking data protection seriously.
What a data protection policy and procedure should contain
Your company's data protection policy and procedure should be created to suit your specific business. For example, you will need to state what your employee data policies and procedures are, but there's no point stating what you will do with customer data if you don't collect it.
Although the GDPR makes many changes to the DPA principles, they are in line with the original guidelines, so any policy addressing the original data legislation is a good place to start. These state that data held by a company must:
- Be obtained and processed fairly and lawfully.
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and kept up to date.
- Not be kept longer than is necessary for that purpose.
- Be processed in accordance with the data subject rights.
- Be kept safe from unauthorised access, accidental loss or destruction.
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
It's important your policy addresses each of these points and explains how the organisation will guarantee each is respected.
That covers how you will ensure the data is lawfully obtained, how it is kept up to date when changes are made, how your company plans to keep the data safe from unauthorised access, how the data will be removed when it is no longer needed, and how you will guarantee it is removed from all systems.
The GDPR also adds a new principle - that of accountability - so it's pivotal that you also state who within your organisation is responsible for enforcing these policies. You'll also need to ensure the document explains how you will guarantee your whole staff complies with these policies, and what procedures your business has in place if staff fail to do so.