This article offers guidance on how to write a GDPR Data Protection Policy, based on the General Data Protection Regulation (GDPR), which imposes numerous documentation requirements on those obligated under the Regulation. Measures and controls that demonstrate compliance will need to be recorded, with some being included in an organisation's data protection policies and procedures.
What is a Data Protection Policy?
The GDPR requires that controllers implement appropriate technical and organisational measures to comply with the GDPR, with those measures being reviewed and updated where necessary. Article 24(2) notes that "Where proportionate in relation to processing activities, the measures […] shall include the implementation of appropriate data protection policies".
A policy usually outlines an organisation’s intent, principles, objectives and guidelines for achieving specified goals in relation to the policy topic. Procedures are the steps and actions that enable the organisation to achieve those objectives and comply with any legislation or regulations. Policies and procedures are designed to influence business functions, decisions and actions.
When considering how to write a GDPR data protection policy, you can have a standalone Data Protection Policy, with measures, controls and procedures included in other procedural documents, or you can develop a Data Protection Policy & Procedures document covering both aspects. As the GDPR covers such vast areas of data protection compliance, it is a good idea to have separate policies and procedures for areas such as data breaches, retention, transfers and subject rights.
What to Include in your Data Protection Policy
Whilst every company creates its policies in a bespoke manner, and a GDPR data protection policy should include content and objectives specific to the organisation's industry and business type, the GDPR specifies a large array of areas that must be complied with and documented, and these can form the basis for your GDPR policy template.
Common sections for a Data Protection Policy Template include:
- Purpose and Policy Statement
The GDPR procedures should provide the processes (or a summary, if the full process is documented elsewhere) for complying with the GDPR. These can include (but are not limited to):
- Legal Basis for Processing
- Processing Personal and Special Category Data
- Privacy By Design
- Technical & Organisational Measures
- Records of Processing Activities
- Data Protection Officer
- Subject Access Rights
- Privacy Notices
- International Transfers
- Data Retention & Schedule
- Data Breaches
- Data Protection Impact Assessments
Help with your GDPR Data Protection Policy Template
Some organisations are utilising their existing Data Protection Policy and updating it to comply with the GDPR and the Data Protection Bill, while others are starting from scratch and creating data protection policies and procedures that meet the new requirements and legislation.
If you are unsure of how to develop your Data Protection Policy, or are looking for ready-to-use templates that are fully customisable, our GDPR Documentation Toolkit and GDPR document bundles all contain our extensive Data Protection Policy & Procedures, along with bespoke policies for retention, breaches, transfers, DPO duties, Privacy Notices and much more.
Visit our GDPR Toolkit comparison page to see what is included in each set and how our straightforward, customisable GDPR documentation templates can save you time and money in your GDPR implementation and preparation. Our documents are used by thousands of organisations, from global names, universities, the NHS and government sectors, through to micro-businesses and SMEs.