Data Protection Policy

Responsibility

GDPR introduces the role of Data Protection Officer, an official position with specific legal responsibilities attached to it. Small organisations are unlikely to meet the criteria that make a Data Protection Officer mandatory, but their Data Protection Policy should still name who in the organisation is responsible for data protection.

Review

The policy should state how regularly it is reviewed and should note the date of the latest review.

Data definition

What data is covered by the policy?

Breach reporting

What will happen if there is a breach? The policy should set out how a breach is recognised and escalated, who decides whether it must be reported, and who makes the report. Under GDPR a reportable breach must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it, and the affected individuals must be told where the breach is likely to result in a high risk to them.

Lawful, fair and transparent processing

Data audit

What data are you storing, where is it stored, in what format, and how often is it collected or updated? The policy should explain how you as an organisation will keep track of all the data you hold. The inventory itself may be listed in the policy or in a supporting document.

Disclosure

What to do if an individual asks to see their data (a subject access request): how the request is recorded, how the requester's identity is verified, and who is responsible for responding. GDPR normally requires a response within one month of receiving the request.

Purpose limitations

All data collected must be justified on the basis of one of the lawful bases for processing, and used only for the specified purposes for which it was collected. This may be listed in the policy or in a supporting document. Where consent is relied upon, how is that consent recorded, and what is the process for an individual to withdraw it?

Data minimisation

How will you ensure that you are collecting the minimum amount of data needed for your lawful purposes?

Accuracy

How will you review data periodically, or otherwise ensure that it is accurate and kept up to date?

Storage limitations

What will you retain, for how long, and why? What will you delete, and how often or on what trigger will you do so?

Integrity and confidentiality

What measures are in place to protect data held within the organisation's systems? Do you take back-ups? If so, how often are they taken, how long are they kept, and are they protected to the same standard as the live data?
