Data protection policies and procedures

Why your company needs them, and what they should include


Regardless of the industry in which you operate, you must ensure that your organisation has devised a set of formalised data protection policies and procedures. Doing so will ensure that you’re fully capable of protecting the information of employees, partners, customers, and all other parties whose data you hold.

The Data Protection Act 1998 was the main data protection legislation in the UK until the introduction of the GDPR, which came into force in May 2018. The EU regulation formed the basis of the Data Protection Act 2018, which contained many new provisions designed to modernise data protection standards.

If your organisation fails to comply with the regulations, it may be investigated by the Information Commissioner’s Office (ICO), and be subject to punitive action, ranging from a directive to fines large enough to see the owners of massive multinational corporations wince.

These laws exist to protect individuals from the threat of their personal data being misused or seized by cyber criminals. With technology becoming increasingly available and more advanced, and with more of our lives taking place online, these risks are only escalating. Following the law should be enough of an incentive to establish a clear set of data protection policies and procedures, but there are plenty of other reasons why you would want to do so too.

Why a company needs data protection policies and procedures

A formalised set of policies and procedures is not only important for ensuring your business meets the requirements set out under the GDPR; it also contributes massively to the general information security regime of your business.

Meeting the requirements set out under the latest data protection regulations is essential, and your organisation could face fines of €20 million or up to 4% of annual turnover if found not to be compliant. Beyond that, however, not having policies and procedures in place could mean that you risk reputational damage. Employees, for example, might be disinclined to seek opportunities with you, and customers could be reluctant to seek out your services if you've carved a reputation for not taking data protection seriously.

What a data protection policy and procedure should contain

Your company's data protection policy and procedure should be created to suit your specific business. For example, you will need to state what your employee data policies and procedures are, but there's no point stating what you will do with customer data if you don't collect it.

Although the GDPR makes many changes to the DPA principles, they are in line with the original guidelines, so any policy addressing the original data legislation is a good place to start. These state that data held by a company must:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

It's important your policy addresses each of these points and explains how the organisation will guarantee each is respected.

That covers how you will ensure the data is lawfully obtained, how it's kept up to date if any changes are made, how your company plans on keeping the data safe from unauthorised access, how the data will be removed when it's no longer needed and how you will guarantee the data is removed from all systems.

The GDPR also adds a new principle - that of accountability - so it's pivotal that you highlight whose responsibility it is to enforce these policies across your organisation as well. You'll also need to ensure the document explains how you will guarantee that all of your staff comply with these policies, and what procedures your business has in place if staff fail to do so.
