Contents of the Data Protection Policy according to GDPR
Key elements of a Data Protection Policy
Typically, the policy will have these elements:
Purpose of the policy: This part of the policy describes why the policy exists and why it is important for the company. Think of it as the privacy vision of your company.
Definitions of key terms: This part of the policy defines key terms like personal data, special categories of data, etc., in the context of the company. See also: GDPR Glossary.
Principles and purposes of processing: This part of the policy defines the guiding principles for the processing of personal data, and the activities for which personal data can be processed. For example, this may include mapping the company activities to legitimate purposes defined in GDPR. See also: Understanding 6 key GDPR principles.
Key requirements or controls: This part of the policy lists the key requirements that should be fulfilled in order to be considered compliant with the policy. To ensure that employees and managers can validate the fulfilment of a requirement, a set of controls can be provided. For example, to fulfil the requirements of lawful processing, a control should be implemented to ensure that all processing activities are listed and mapped to one of the legitimate purposes defined in the policy.
Key roles and their responsibilities: This part of the policy defines the key roles / stakeholders responsible for ensuring compliance with the policy, and outlines the responsibilities of each of them. It is important to note that the responsibilities of employees must also be explicitly stated, so that employees see themselves as part of the compliance effort. See also: The role of the DPO in light of the General Data Protection Regulation.
Appointment of Lead Supervisory Authority: This part of the policy states which authority your company considers to be its Lead Supervisory Authority. If your company is based in multiple locations, or operates as several legal entities, the policy should also state how management intends to handle the relationships with the different Supervisory Authorities. See also: The obligations of controllers towards Data Protection Authorities according to GDPR.