Data protection policies under the GDPR
The GDPR (Article 24(2)) states that “Where proportionate in relation to processing activities, [the measures] shall include the implementation of appropriate data protection policies by the controller.”
Policies are high-level documents that define principles. They are statements of what you do, not how you do it. How you do it is covered in your process documents, which are based on the policy documents.
Why the GDPR? It does not apply to me
The GDPR is considered by many to be the gold standard for data protection. The template is easy to adapt to local laws and regulations, but in most cases the document will meet or exceed those requirements as it stands. Whether or not you are processing the personal data of customers or employees in the EU, adopting it is good practice, and it is quick and simple to implement.
A Data Protection Policy must be:
- Capable of implementation;
- Enforceable; and
- Concise and easy to understand.
Of course, a data protection policy also needs to balance data protection against productivity.
Our customisable Data Protection Policy Template has done the hard work for you. Prewritten and pre-populated, it covers the following topics.
Data Protection Policy Template Contents
This is a large document at 17 pages and covers a lot of ground. It comes with a handy, easy-to-follow guide on how to implement and deploy policies, and it includes:
- Document Version Control
- Document Contents
- Data Protection Policy
- Data Protection Policy Statement
- Legal Basis for Processing
- Data Protection Principles
  - Fairness and Transparency
  - Purpose Limitation
  - Data Minimisation
  - Storage Period Limitation
- Personal Information Classification and Handling
- Personal Information Retention
- Personal Information Transfer / Transmission
- Personal Information Storage
- The Rights of Data Subjects
  - The right to be informed
  - The right of access
  - The right to rectification
  - The right to erasure (the right to be forgotten)
  - The right to restrict processing
  - The right to data portability
  - The right to object
  - Rights in relation to automated decision making and profiling
- Personal Data
- Sensitive Personal Data
- Data Controller
- Data Processor
- Policy Compliance
- Compliance Measurement
- Continual Improvement
The policy carries the document-control mark-up that ISO 27001 requires: classification, version control, document owner and last-reviewed date.