A number of policy documents may be employed to assist in data protection compliance. Some, like a privacy policy, will be external or customer-facing. These are designed to explain to third parties what you do with their personal data and, in many cases, what their rights are.

Other policies will be internal, designed to educate and inform everyone within your organisation about the rules which apply to their work. A data protection policy is one such internal policy.

A data protection policy should set out the principles and obligations governing your business’s use of personal data. It should explain what data is collected, what it is collected for, how it is used, and the technical and organisational measures for protecting it when it is being processed, stored, transferred, and so on.

Document Templates Available

A range of different Data Protection Policy templates is available:

  • The Standard Data Protection Policy is broad in application and well-suited to many types of personal data, including that relating to customers and business contacts such as contractors and suppliers. It is highly detailed and reproduces key parts of the UK GDPR to assist in training and awareness.
  • A Short-Form Data Protection Policy is also available. This follows the same basic structure as the standard policy described above, but certain sections are simplified and refer to separate policies for more detail.
  • The COVID-19 pandemic saw a huge increase in home working and many continue to work from home on either a full-time or part-time basis. The Home Working Data Protection Policy is based on the standard policy and adds a number of useful provisions to make it more suitable for home working. Home working inevitably poses higher risks where personal data is concerned. Home Wi-Fi networks and, in some cases, personal IT equipment may often be less secure than their office counterparts. This policy aims to address such matters.
  • The Employee Data Protection Policy is tailored for use with personal data relating only to your staff. It is based, again, on the standard policy, but has been designed with a more limited scope in mind.
  • A Short-Form Employee Data Protection Policy is also available. This document is similarly limited to personal data relating to employees and, like its more general counterpart, leaves some more detailed sections to other policies.

Additional Policy Templates

The following templates may also be useful alongside one of the Data Protection Policies above:

  • The IT Security Policy covers a broad range of security measures (mostly technical, but also organisational) designed to support good data protection practice.
  • The Data Security Policy is based on the IT Security Policy, but extends beyond IT systems and data stored electronically to cover a wider range of data, including that stored in hardcopy form.
  • The Data Handling Policy is a simpler document, designed to work alongside a larger, more detailed Data Protection Policy. It is designed to serve more as a quick reference for staff handling personal data. In essence, it is a helpful list of “do’s and don’ts”.

