An ISO 27001 data protection policy is a set of rules you use to keep your information safe. It’s like a rulebook for handling data. This policy helps you protect sensitive information from being lost or stolen. You can use it to make sure your business follows good security practices.
Table of contents
- What Is It
- Applicability to Small Business, Tech Startups, and AI Companies
- ISO 27001 Data Retention Policy Template
- Why You Need It
- When You Need It
- Who Needs It
- Where You Need It
- How to Write It
- How to Implement It
- Examples of Using It for Small Business
- Examples of Using It for Tech Startups
- Examples of Using It for AI Companies
- How the ISO 27001 Toolkit Can Help
- Information Security Standards That Need It
- List of Relevant ISO 27001:2022 Controls
- ISO 27001 Data Protection Policy Example
- ISO 27001 Data Protection Policy FAQ
What Is It
An ISO 27001 data protection policy is a set of guidelines that tells you how to manage and protect your company’s information. It is part of the larger ISO 27001:2022 standard, which is all about information security. The policy helps you keep data private and safe from harm.
Applicability to Small Business, Tech Startups, and AI Companies
This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: You can use this policy to build trust with customers and partners. It shows you care about their data.
- Tech Startups: As a startup, you handle a lot of new data. The policy helps you set up strong security from the start, so you can grow safely.
- AI Companies: You work with huge amounts of data. This policy is key for protecting the data you use to train your AI models and for keeping your intellectual property safe.
ISO 27001 Data Retention Policy Template
The ISO 27001:2022 Data Protection Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.
You can find templates for an ISO 27001 data protection policy online. These templates give you a head start. You can then change them to fit your specific business needs. Using a template can save you time and help you make sure you don’t miss anything important.
Why You Need It
You need this policy because it helps you:
- Protect your data: It keeps your company’s and your customers’ information safe from being lost or stolen.
- Build trust: It shows customers and partners that you take security seriously.
- Meet legal requirements: Many laws, like GDPR, require you to protect data. This policy helps you follow those laws.
- Prevent problems: It helps you avoid data breaches and the high costs that come with them.
When You Need It
You should create a data protection policy when you first start your business or as soon as you begin handling sensitive information. It’s best to have it in place before you need it. This way, you’re prepared from day one. You also need to update it regularly as your business grows and as new threats appear.
Who Needs It
Everyone in your company who handles information needs to follow this policy. This includes:
- Employees: They need to know how to handle data safely.
- Managers: They need to make sure their teams follow the rules.
- IT staff: They need to set up the right security tools.
Where You Need It
You need to apply this policy wherever your company handles information. This includes:
- On your computers and servers: This is where your data is stored.
- In your offices: This covers how people handle paper documents.
- When you work from home: This ensures data is safe even when employees are not in the office.
How to Write It
Start by looking at what kind of data you have and how you use it. Then, write down the rules for keeping that data safe. Make sure the rules are clear and easy for everyone to understand. You can use a template to help you get started. After you write it, get feedback from a security expert to make sure it’s correct.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Data Protection Policy
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
- Write the ISO 27001 Data Protection Policy contents page
1 Document Version Control
2 Document Contents Page
4 Data Protection Policy
4.1 Purpose
4.2 Scope
4.3 Principle
4.4 Data Protection Policy Statement
5 Legal Basis for Processing
6 Data protection principles
6.1 Lawfulness, Fairness and Transparency
6.2 Purpose Limitation
6.3 Data Minimisation
6.4 Accuracy
6.5 Storage Period Limitation
7 Personal Information Classification and Handling
8 Personal Information Retention
9 Personal Information Transfer / Transmit
10 Personal Information Storage
11 Breach
12 The Rights of Data Subjects
12.1 The right to be informed
12.2 The right of access
12.3 The right to rectification
12.4 The right to erasure (the right to be forgotten)
12.5 The right to restrict processing
12.6 The right to data Portability
12.7 The right to object
12.8 Rights in relation to automated decision making and profiling
13 Definitions
13.1 Personal Data
13.2 Sensitive Personal Data
13.3 Data Controller
13.4 Data Processor
13.5 Processing
13.6 Anonymization
14 Policy Compliance
14.1 Compliance Measurement
14.2 Exceptions
14.3 Non-Compliance
14.4 Continual Improvement - Write the ISO 27001 Data Protection Policy purpose
The purpose of this policy is the company legal and regulatory requirements under the GDPR and the Data Protection Act 2018 and the rights of data subjects.
- Write the ISO 27001 Data Protection Policy principle
Personal data is classified and treated as classification level Confidential, and all associated policies, controls and processes apply.
- Write the ISO 27001 Data Protection Policy scope
All employees and third-party users.
Personal Data as defined by GDPR. - Write your data protection policy statement
The company is classed as a Data Controller/Data Processor based on the context of the processes under the current UK Data Protection Act 2018. This policy confirms our commitment to protect the privacy of the personal information of our customers, clients, employees, and other interested parties. We have engaged in a programme of Information Security Management which is aligned to the international standard ISO27001 to ensure that the processes of personal information is conducted using best practice processes.
- Explain your legal basis for processing
Article 6 of the GDPR provides the legal basis under which Personal Data can be processed. Our legal basis for processing is documented in our Record of Processing Activities.
- Set out the data protection principles
The company is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Article 5 of the GDPR requires that personal data shall be:
Lawfulness, Fairness and Transparency
processed lawfully, fairly and in a transparent manner in relation to individuals
We have reviewed and documented the data that we control and or process and determined the legal basis for processing. We provide privacy notices and inform data subjects of their rights as well as what processing takes place, by whom, for how long and why.
Purpose Limitation
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes
We ensure we only process data for the purposes it has been collected and communicated and not for other reasons without the agreement and knowledge of the Data Subject(s).
Data Minimisation
adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
We ensure that data collected is not excessive and is appropriate to the purpose for which it was collected. We conduct Data Privacy Impact Assessments as part of our project lifecycle.
Accuracy
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay
We ensure that data is reviewed and assessed for accuracy on a periodic basis and have implemented processes for the rectification and erasure of data without undue delay.
Storage Period Limitation
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
We have implemented a data retention policy and data retention schedule in line with legal, regulatory and company needs.
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
We have implemented an information security management system in line with ISO 27001 the International Standard for Information Security. We have a culture of information security and assess security controls and requirements throughout the project life cycle. - Explain personal information classification and handling
Personal data classification and handling is in line with theInformation Classification and Handling Policy.
- Set out personal information retention
Personal data is retained and destroyed in line with the Information Classification and Handling Policy, Asset Management Policy, and the Data Retention Schedule.
- Set out personal information transfer
Personal data is transferred in line with the Information Transfer Policy and employees ensure the appropriate level of security in line with the policy and company processes.
- Set out personal information storage
Personal Information storage is in line with the Information Classification and Handling Policy, Physical and Environmental Security Policy, Cryptographic Control and Encryption Policy, Backup Policy,and the Data Retention Schedule.
- Explain what happens if a breach happens
In the event of a breach of the principles of the Data Protection Act 2018 employees inform their line manager, and /or a member of the Management Review Team and/or Senior Management and invoke the Incident Management Process.
Breaches are assessed and where appropriate and required the Data Subjects and / or the Information Commissioners Office are informed without undue delay. - Explain the rights of data subjects
The right to be informed
Individuals have the right to be informed about how we use their Personal Data.
This includes:
The name and contact details of our organisation.
The name and contact details of our representative (if applicable).
The contact details of our data protection officer (if applicable).
The purposes of the processing.
The lawful basis for the processing.
The right of access
Individuals have the right to access their personal data.
This is commonly referred to as subject access.
Individuals can make a subject access request verbally or in writing.
We have one month to respond to a request.
We cannot charge a fee to deal with a request in most circumstances.
The right to rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
An individual can make a request for rectification verbally or in writing.
We have one calendar month to respond to a request.
In certain circumstances we can refuse a request for rectification.
The right to erasure (the right to be forgotten)
The GDPR introduces a right for individuals to have personal data erased.
The right to erasure is also known as ‘the right to be forgotten’.
Individuals can make a request for erasure verbally or in writing.
We have one month to respond to a request.
The right is not absolute and only applies in certain circumstances.
This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.
The right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data.
This is not an absolute right and only applies in certain circumstances.
When processing is restricted, we are permitted to store the personal data, but not use it.
An individual can make a request for restriction verbally or in writing.
We have one calendar month to respond to a request.
The right to data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
The right only applies to information an individual has provided to a controller.
The right to object
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
Individuals have an absolute right to stop their data being used for direct marketing.
In other cases where the right to object applies, we may be able to continue processing if we can show that we have a compelling reason for doing so.
We must tell individuals about their right to object.
An individual can make an objection verbally or in writing.
Rights in relation to automated decision making and profiling
Individuals have the right not to be subject to a decision when:
• It is based on automated processing, and
• It produces a legal effect or a similarly significant effect on them. - Define key terms
To ensure the company understands its obligations to the protection of Personal Information, the following definitions apply and are based on current understanding of these terms within UK and European law, and specifically in Article 4 of GDPR.
Personal Data
Any information relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Sensitive Personal Data
Personal Data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Sensitive Personal Data includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Controller
The natural or legal person, public authority, agency, or any other body, which alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Data Processor
A natural or legal person, public authority, agency, or any other body which processes Personal Data on behalf of a Data Controller.
Processing
An operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of the data.
Anonymisation
Irreversibly de-identifying Personal Data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The Personal Data processing principles do not apply to anonymized data as it is no longer Personal Data.
How to Implement It
To put the policy into action, you need to tell everyone in the company about it. Train your employees on the rules and how to follow them. Make sure you have the right tools and technology to support the policy, like password managers or antivirus software. Check regularly to see if the policy is being followed and if it is still working.
Examples of Using It for Small Business
- Customer data: You might have a rule that says you must delete customer data after two years.
- Credit card information: The policy would tell you to never write down credit card numbers.
- Employee files: It would state that only HR can look at employee personal files.
Examples of Using It for Tech Startups
- Code security: Your policy could require all new code to be checked for security problems before it is used.
- Developer access: You might have a rule that developers can only access the data they need for their job, and nothing more.
- User data: The policy would require you to use special tools to keep user data private and anonymous.
Examples of Using It for AI Companies
- Training data: The policy would require you to clean and anonymise the data you use to train your AI models.
- AI model access: You might have a rule that only certain people can access your most important AI models.
- Security of intellectual property: The policy would outline how to protect your unique AI algorithms from being stolen.
How the ISO 27001 Toolkit Can Help
An ISO 27001 toolkit is a collection of documents, guides, and templates. It can help you put your data protection policy into practice. The toolkit helps you organise your security efforts and make sure you follow all the rules of the ISO 27001 standard.
Information Security Standards That Need It
This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of Relevant ISO 27001:2022 Controls
The ISO/IEC 27001:2022 standard has many controls, which are like specific rules. Here are a few that are important for data protection:
- ISO 27001:2022 Annex A 5.34 Privacy and protection of PII
- ISO 27001:2022 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements
- ISO 27001:2022 Annex A 8.10 Information Deletion
- ISO 27001:2022 Annex A 8.11 Data Masking
- ISO 27001:2022 Annex A 8.12 Data Leakage Prevention
ISO 27001 Data Protection Policy Example
An example ISO 27001:2022 Data Protection Policy:
ISO 27001 Data Protection Policy FAQ
It’s a formal set of rules that helps your company manage and protect sensitive data. The policy helps ensure that data is handled correctly and securely.
It helps you protect your business from cyber threats and data leaks. Having a policy shows customers and partners that you take data security seriously.
Yes, it does! ISO 27001 gives you a strong framework to manage data security. This makes it much easier to meet the strict rules of the GDPR and other privacy laws.
Everyone in the company must follow the policy. This includes all employees, contractors, and even vendors who handle your business’s data.
A data breach is when a person’s private information is accidentally shared or stolen. An example is when a hacker steals customer emails and passwords from a company website.
The data protection policy has a clear plan for what to do. You must report the issue right away. You will then follow our steps to contain the breach and notify anyone who may be affected.
Personal data is any information that can identify a living person. Things like a name, address, email, or a photo are all types of personal data.
The main goals are to keep information confidential, to make sure data is not changed incorrectly (integrity), and to ensure data is always available to those who need it.
Yes, all employees must get trained. Training helps everyone understand the rules and their role in keeping our company data safe.
You review the policy at least once a year. This makes sure it stays current with new laws and new security threats.
An ISMS is an Information Security Management System. It’s a set of processes, policies, and systems that help a company manage its data risks. ISO 27001 is the standard for building a good ISMS.
You can only share customer data when you have a good reason to do so. This reason must be clear and based on law or a valid business need.
You destroy old data in a safe way so it can’t be recovered. This includes shredding paper documents and wiping digital files clean.
A risk assessment is a review of our systems and processes to find any weak spots. You then plan how to fix those problems to protect our data better.
Breaking the policy can lead to disciplinary action. It is very important that everyone follows the rules to keep our data secure.
