How to Build a GDPR-Compliant Data Protection Policy
Since the General Data Protection Regulation (GDPR) came blazing into existence last year, most companies have at least updated their Privacy Policies and consent acquisition practices. These changes are barely scratching the surface, however. There's a lot more to GDPR compliance than privacy and consent measures.
For example, have you trained your employees on data protection measures? Do you approach new business ventures from a Privacy by Design standpoint? If not, then your data protection measures may be lacking, and you could be leaving your business open to privacy disputes or infringement accusations.
One way to ensure that your business practices and employees are following GDPR-compliant data standards is by writing a Data Protection Policy.
- 2. Does my Company Need a Data Protection Policy?
- 3. What to Include in a Data Protection Policy
- 3.1. Introduction & Scope
- 3.2. Definitions
- 3.3. GDPR Principles
- 3.4. Lawfulness of Processing Data
- 3.5. Roles & Responsibilities
- 3.6. Data Breach Notification Procedures
- 3.7. Data Subject Rights
- 3.8. Security & Record Keeping
- 3.9. Relevant Contact Information
- 4. Other Clauses
- 4.1. Privacy by Design
- 4.2. Special Categories of Data
- 4.3. Transferring Data Across International Borders
- 5. Beyond Your GDPR Data Protection Policy
Especially in the United States, Data Protection Policies (DPPs) are not as common as Privacy Policies, and many business owners still confuse the two. They are, however, two very different documents with very different purposes.
A Data Protection Policy is an internal document written to establish company-wide rules for protecting personal data. It is made available to all employees, especially those who handle or process consumer data, so that everyone in the company understands the importance of data protection and security. A DPP can also be made public.
An added benefit of a well-maintained DPP is that it can serve as a demonstration of your business's commitment to privacy and data protection. If ever a privacy or data protection dispute does arise, you can exhibit your DPP to supervisory authorities as evidence of your company's commitment to maintaining compliant data protection practices.
Although a DPP is not required by law, it is a recommended step for any company that wishes to demonstrate GDPR compliance.
Does my Company Need a Data Protection Policy?
In general, if your company collects personal data and allows more than one employee to handle or process that data, it is recommended that you maintain a compliant DPP.
You may assume that this only applies to companies located in the European Union, but that is not the case. Remember: any company that collects data from a European resident will be required to uphold GDPR requirements for that data.
According to GDPR Article 24:
"Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."
In other words, you will need to document and demonstrate that your organization processes data in compliance with the GDPR, according to the nature, scope, context, and purposes of your data processing activities.
This is taken to mean that if your company deals with a large quantity of EU consumer data, special categories of data, or if your data processing practices present a risk to the safety or security of personal data, then you must be able to prove that your business maintains GDPR-compliant protection and security measures.
One way to provide documentation of your company's data protection practices is to maintain a Data Protection Policy and train all of your employees on its use.
What to Include in a Data Protection Policy
Every business must approach data protection practices in a way that reflects its own individual needs and data processing procedures. For example, any company that collects special categories of data that the GDPR classifies as sensitive information - such as data pertaining to race, religion, sexual orientation, and so on - should include a specific clause within the DPP to address the handling of sensitive categories of data.
Conversely, a company that doesn't handle such data wouldn't need such a clause.
With that being said, below are some general clauses that can be adapted to most types of online businesses.
Introduction & Scope
The first few paragraphs of any DPP should explain the purpose of the document and how it is to be used. This helps employees to understand the significance of the document and why they must become acquainted with the principles laid out therein.
The World Fair Trade Organization begins its DPP with the following paragraphs:
Here, the WFTO begins by justifying its need for a DPP due to the legal requirements laid out by the GDPR. The purpose of the policy - to explain how the WFTO is complying with relevant privacy regulations - is also laid out.
Within the introduction, the WFTO also describes the scope of the policy, explaining which types of data they process and which members of the organization the policy applies to.
Definitions
To avoid potential misunderstandings among staff members, it may be necessary to include a definitions section that defines the terms used throughout the document. This helps ensure that all employees truly understand the directives contained within the DPP.
The UK's Victory Services Club chooses to list the definitions exactly as the GDPR does:
Your own list of definitions may differ according to what types of data you are processing and which clauses you choose to include in the policy.
GDPR Principles
This section is often used to explain the GDPR's expectations regarding the fundamental data protection principles.
Victory Services Club recounts each of the GDPR's principles for lawful data processing as follows:
Other companies choose to reword this list into a more concise format, as NICVA has done here:
Regardless of how you word the list, it is important that your employees understand the standards they will be held to where consumer data is concerned.
Lawfulness of Processing Data
For data processing to be lawful under the GDPR, it must rest on one of six legal bases. The conditions that apply to processing differ depending on the legal basis, so anyone who handles personal data should understand which basis it is being processed under.
NICVA explains this requirement like so:
Notice how NICVA also touches on consent measures, direct marketing, and special categories of data. By explaining how these concepts interrelate, the potential for data mishandling by uninformed employees is minimized.
The WFTO expands on this section, going on to describe how it handles each lawful basis and when each applies:
Especially if your business collects personal information using several different legal bases, it may be necessary to explain how each applies, as WFTO has done here.
Roles & Responsibilities
This clause addresses the data protection responsibilities of different employees and roles within the organization. It is an opportunity to impress upon employees their accountability for data protection and how these responsibilities affect the company as a whole.
University College Cork in Ireland outlines how individual responsibilities affect the organization:
It then goes on to describe how different roles within the university should be processing data, and who each department reports to regarding data protection issues:
This section will be necessary when you have several different employees or departments handling personal data. Each department should understand the responsibilities and structure of authority regarding principles of data protection.
Data Breach Notification Procedures
Data breach notification is one of the most important topics of the Data Protection Policy. Every person in your organization should know exactly what to do in the case of a data breach.
The way a data breach is handled will be scrutinized if and when legal allegations are made in response to the breach. Teaching your employees to address breach situations quickly and judiciously could be the difference between a fine and a warning.
The City of London lays out the protocol for any data protection breaches, as well as the consequences of ignoring data protection principles:
You can see in number 39 that employees are told what to do in the event of a breach or suspected breach. This makes it clear to employees what their responsibilities are.
Data Subject Rights
Many DPPs contain a list of EU consumer rights to remind employees of their obligation to fulfill these rights promptly upon request.
NICVA not only lists the EU data subject rights as they appear in the GDPR, but it also describes how these rights are to be fulfilled:
Here you can see how NICVA will respond to data subject requests, as well as who will fulfill those requests, and under what circumstances. This makes it clear to staff members exactly which requests can be made and how to approach such requests when necessary.
Security & Record Keeping
Security measures, data retention practices, and data records all deserve a mention in the DPP. You can wrap this into a single clause, or break it up into different sections as the Victory Services Club has done here:
As you can see, the VSC has described both GDPR requirements and their own standards regarding data security. In the Records Management section, they go over record-keeping policies and, most importantly, data retention practices. This is an important reminder to employees that consumer data may be retained only for as long as necessary to fulfill its original purpose.
Relevant Contact Information
Employees need to know whom to contact if they have any questions or concerns about data protection. Make sure to include a section with the relevant contact information. This may be a Data Protection Officer or another privacy point of contact.
UCC Ireland designates an Information Compliance Manager to fulfill this role:
Note how multiple contact methods are provided, including a telephone number and email address. This makes it easier for contact to be made if needed.
Other Clauses
Some clauses may not be necessary for every business. The topics listed below will only apply to certain businesses. Go through these sections and decide whether they apply to your business practices.
Privacy by Design
Privacy by Design (PbD) is an approach in which data protection is addressed from the very beginning of a project and considered throughout the design process. If your business designs or manages large-scale projects that involve data processing, the GDPR requires that such projects be approached from a PbD standpoint.
For example, before a large-scale data processing project can be launched, it should be analyzed through a Data Protection Impact Assessment (DPIA).
WFTO includes a simple explanation of this process:
Special Categories of Data
If your business collects sensitive data as defined by the GDPR, extra protection measures will need to be taken, and a number of restrictions come with it. First, familiarize yourself with all of the requirements for processing sensitive data as laid out in Article 9 of the GDPR; then educate every employee who will be handling such data.
The University of Nottingham lays out which types of sensitive data they process, their legitimate interests in processing it, and the security measures that are expected from anyone processing sensitive data:
Transferring Data Across International Borders
Sometimes it is necessary to transfer personal data across borders in order to process, analyze, or otherwise make use of it. If your business performs international transfers of data and your employees oversee such transfers, you will need to ensure that they are aware of the GDPR's rules on data transfers.
The TMF Group provides an overview of legal requirements for international data transfers as well as the company's standards and procedures when performing those transfers:
Clauses such as these tend to be fairly standard, since international transfers of personal data are closely regulated.
Beyond Your GDPR Data Protection Policy
Of course, creating a DPP by itself won't be enough to ensure that your staff fully understands the importance of data protection. Schedule periodic training sessions with each department in which your Data Protection Officer or data processing manager educates all employees on these policies.
Make sure your staff understands the consequences and legal ramifications of violating the DPP. These measures will help to prevent potential data protection breaches or GDPR infringement on the part of your employees.
And remember: you can choose to make your DPP public, as all of the companies and organizations cited as examples in this article have done. This helps show your customers and the authorities that you have solid data protection practices in place and that your staff are educated and informed about protecting data.