Data protection policies and procedures
Why your company needs them, and what they should include
Regardless of the industry in which you operate, you must ensure that your organisation has devised a set of formalised data protection policies and procedures. Doing so will ensure that you're fully capable of protecting the information of employees, partners, customers, and all other parties whose data you hold.
The Data Protection Act 1998 was the main data protection legislation in the UK until the introduction of GDPR, which came into force in May 2018. The EU regulation formed the basis of the Data Protection Act 2018, which contained many new provisions designed to modernise data protection standards.
If your organisation fails to comply with the regulations, it may be investigated by the Information Commissioner’s Office (ICO), and be subject to punitive action, ranging from a directive to fines large enough to see the owners of massive multinational corporations wince.
These laws exist to protect individuals from the threat of their personal data being misused or seized by cyber criminals. With technology becoming increasingly available and more advanced, and with more of our lives taking place online, these risks are only escalating. Following the law should be enough of an incentive to establish a clear set of data protection policies and procedures, but there are plenty of other reasons why you would want to do so too.
Why a company needs data protection policies and procedures
A formalised set of policies and procedures is not only important for meeting the requirements set out under GDPR; it also contributes massively to the general information security regime of your business.
Meeting the requirements set out under the latest data protection regulations is essential, and your organisation could face fines of up to €20 million or 4% of annual turnover if found not to be compliant. Beyond that, however, not having policies and procedures in place could mean that you risk reputational damage. Employees, for example, might be disinclined to seek opportunities with you, and customers could be reluctant to seek out your services if you've earned a reputation for not taking data protection seriously.
What a data protection policy and procedure should contain
Your company's data protection policy and procedure should be created to suit your specific business. For example, you will need to state what your employee data policies and procedures are, but there's no point stating what you will do with customer data if you don't collect it.
Although the GDPR makes many changes to the DPA principles, they are in line with the original guidelines, so any policy addressing the original data legislation is a good place to start. These state that data held by a company must:
- Be obtained and processed fairly and lawfully.
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and kept up to date.
- Not be kept longer than is necessary for that purpose.
- Be processed in accordance with the data subject rights.
- Be kept safe from unauthorised access, accidental loss or destruction.
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
It's important your policy addresses each of these points and explains how the organisation will guarantee each is respected.
That covers how you will ensure the data is lawfully obtained, how it is kept up to date when changes are made, how your company plans to keep the data safe from unauthorised access, how the data will be removed when it is no longer needed, and how you will guarantee the data is removed from all systems.
The GDPR also adds a new principle, that of accountability, so it's pivotal you highlight whose responsibility it is to enforce these policies within your organisation as well. You'll also need to ensure the document explains how you will guarantee your whole staff complies with these policies, and any procedures your business has in place if staff fail to do so.