Data protection

The General Data Protection Regulation (GDPR) is now in force. It presents the most significant change to EU data protection in 20 years, meaning organisations have had to update their policies to ensure they are compliant. Further, all staff who are involved in the processing and storing of data must be familiar with their organisation’s data protection policy. We have therefore provided a data protection policy template to help your staff understand and follow your organisation’s data protection procedures.

Download GDPR policy template

Learn more: The GDPR resource page

GDPR policies and procedures

The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law. Its reach also extends to the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to widen individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

The General Data Protection Regulation (GDPR) was a major shakeup in data protection laws. GDPR’s reach is global. Any company that offers goods or services to anyone in the EU or UK may be required to comply.

The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, and leaves room for certain aspects of the regulation to be amended by individual member states.

Many other countries around the world used the EU’s GDPR as a model to make similar regulations. These countries include Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina and Kenya. 

In the post-Brexit UK, GDPR is known as UK GDPR. UK-based organisations processing data of EU residents must comply with EU GDPR, just as EU organisations processing the data of British residents must comply with UK GDPR.

UK GDPR and EU GDPR are essentially the same; except UK GDPR refers to British institutions such as the Information Commissioners Office, as opposed to EU institutions.

The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.

What should a data protection policy include?

Who is responsible for the data protection policy?

Staff should know who to approach if they have any questions regarding the data protection policy or anything related to the processing of personal data. Under GDPR, certain organisations are required to appoint a Data Protection Officer (DPO). It will be their role to advise the company on the rules needed to ensure compliance with data protection laws.

The organisation’s procedure for processing data

It is vital that staff are aware of how to process data. This includes understanding the responsibilities of the DPO and the heads of other departments involved in processing data. For example, the responsibilities of the IT Manager and Marketing Manager should be defined here.

The organisation’s policy on processing special categories personal data

Staff should be made aware of how to identify special categories of personal information and how to process it lawfully and according to the company policy.

Subject access requests

Your data protection policy should clearly define what a subject access request is and how to process such requests.

The process for reporting breaches in data protection

All staff members have an obligation to report data protection breaches or contact the DPO if they have concerns of such a breach. This will allow the appropriate personnel to investigate further and take the appropriate steps to fix the issue in a timely manner.

Staff training

Staff should be aware of the training in data protection and GDPR they are required to undertake. It should be clear how the training will be delivered and how often they need to train.

Privacy notice

How do you collect data and what do you do with it once it is collected? A privacy notice should be published on your company’s website. It advises consumers and staff what the collected data is being used for, how long it is kept for and who it will be shared with.

What are the consequences of failing to comply with the data protection policy?

There should be a clear understanding of the consequences of failing to comply with the policy. This should be decided by the organisation, but must reflect the importance of processing personal data lawfully.

Download our GDPR ready data protection policy template

Whether you have not yet produced a data protection policy or need to update your existing policy to make it relevant to GDPR, our template will help you understand what should be included in the policy. The template can easily be edited to suit your business, staff roles and industry, and can be downloaded by filling in the form below.

Online GDPR training

The online GDPR course teaches users about their requirements under the General Data Protection Regulation (GDPR). It provides real-world scenarios, interactive features and review questions to test understanding of key points. By completing this course users will learn how to comply with GDPR, wherever they are in the world, including the US, the UK and Europe. Learn more about GDPR training.