If your organisation collects EU residents’ personal data, you need to comply with the EU General Data Protection Regulation (GDPR). This law, which comes into effect on 25 May 2018, strengthens EU residents’ rights related to data collection and introduces strict rules on the way that personal data should be handled. It applies to any organisation in the world that processes such data, meaning many organisations in the Gulf region will be affected.
To achieve compliance, you will need to document your processes. This means creating a data protection policy. In this blog, we explain what a data protection policy is, what it needs to include and how template documents can make the job easier.
What is a data protection policy?
Article 24 of the GDPR states that “[w]here proportionate in relation to processing activities, […] measures […] shall include the implementation of appropriate data protection policies by the controller”.
It’s important to note the difference between policies and procedures. Policies are high-level documents that set out principles, whereas procedures detail how, what and when things should be done.
A policy must:
- Be concise and easy to understand;
- Be implementable and enforceable; and
- Balance protection and productivity.
It also needs to specifically outline:
- The topics covered;
- The reasons why it is necessary;
- Its objectives;
- Contacts and responsibilities; and
- How to handle violations.
For example, your policy might include instructions for staff who collect client data, specifying that they only collect as much data as is necessary for their task.
Using a template to create your data protection policy
Knowing where to begin when creating a data protection policy can be difficult, particularly if you’re part of a large organisation with many objectives, contacts and responsibilities. That’s where our EU GDPR Documentation Toolkit comes in.
This toolkit has been designed and developed by expert GDPR practitioners, and has been used by thousands of organisations across the globe. It includes:
- A complete set of easy-to-use and customisable documentation toolkits, saving you time and money in your compliance preparations;
- Dashboards and project tools to make sure you cover every documentation requirement;
- Direction and guidance from GDPR experts; and
- Two licences for the GDPR Staff Awareness E-learning Course.
Unsure what the GDPR involves?
It will be hard to document your compliance with the GDPR if you aren’t fully aware of the Regulation’s requirements. The longer you put off educating yourself, the greater the risk to your organisation.
The GDPR is a complex law, but if you take the time to study it, you will experience long-term benefits. Our certified Foundation-level online training course explains everything you need to know about the GDPR, including the key concepts and terminology, data subjects’ rights and the requirements you need to meet.
It’s ideal for managers involved in or responsible for GDPR compliance, and individuals looking to begin or develop their career in information security.