Data Protection Policy
We recommend that businesses should have a Data Protection Policy in place.
This Policy will set out how your organisation will protect personal data, describing the processes that you and your staff will follow.
The Data Protection Policy should not be confused with the ‘Privacy Notice’ or ‘Privacy Policy’: it is an internal document that describes the policies and procedures you have in place to ensure the protection of personal data, rather than a public-facing statement.
Why have a Data Protection Policy?
GDPR does not specify that an organisation must have a Data Protection Policy. However, GDPR does require that most organisations document their data processing activities to some extent; there are a number of exemptions for organisations employing fewer than 250 people.
The sheer volume of record-keeping required by GDPR will be made significantly easier with the introduction of a Policy. The Policy can be used to define how you:
- Collate accurate records of your data holdings, ensuring that the legal basis for all has been accurately identified and recorded
- Maintain records for ‘Consent’
- Keep records for Legitimate Interest Assessments
- Comply with retention guidelines
- Ensure Privacy by Design
- Respond to Subject Access requests
- React to Data Breaches
- Maintain responsibilities and authorities for data protection activities across your organisation
- Maintain records required for demonstrating compliance with any data protection legislation
This list is not exhaustive, but it gives some key aspects for your Policy. The Information Commissioner’s Office makes further suggestions for the documentation that needs to be maintained.
For further guidance, contact Cambridge Risk Solutions for support.
We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.
How Can Cambridge Risk Solutions Help?
Cambridge Risk Solutions provides a range of services to assist with the implementation of effective Data Protection policies and procedures, and has an experienced Certified Data Protection Officer who can assist with your data protection compliance.
View some case studies of recent Data Protection projects.