What is a GDPR data protection policy?

Article 24 of the GDPR states that data controllers must implement “appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation”.

These measures “shall include the implementation of appropriate data protection policies by the controller”.

Policies are high-level internal documents that set principles, rather than details of how, what and when things should be done – which are covered by procedures.

Policies must:

  • Be capable of implementation and enforceable;
  • Be concise and easy to understand; and
  • Balance protection with productivity.

Who should have a data protection policy?

Every organisation that processes personal data should have a data protection policy.

What should a GDPR data protection policy say?

The accountability principle set out in Article 5 is key to GDPR compliance. It holds that data controllers must not only comply with, but also be able to demonstrate their compliance with, six data processing principles.

These state that personal data must be:

  • Processed lawfully, fairly and transparently;
  • Collected only for specific legitimate purposes;
  • Adequate, relevant and limited to what is necessary;
  • Accurate and, where necessary, kept up to date;
  • Stored only as long as is necessary; and
  • Processed in a manner that ensures appropriate security.

A data protection policy should therefore set out how your organisation will comply with these obligations.

As a high-level document, it needn’t go into detail, but we recommend it includes:

  • Topics covered by the policy;
  • Reasons the policy is needed;
  • Contacts and responsibilities;
  • Objectives; and
  • How to handle violations.

For example, your data protection policy might include instructions for staff involved in collecting client data, specifying that they only collect the minimal amount required.

As well as guiding your organisation’s compliance with the GDPR, your data protection policy will demonstrate to the Information Commissioner’s Office, should it have to investigate a data breach, that you are making every effort to comply with the law.

Our web site does not collect personal data for advertising or any other kind of e-marketing.

We do not send a newsletter.

If you subscribe to our site, your email address and the other information you provide will be kept safe and used only for internal statistics. If you wish to be removed from our site, all the data you entered when subscribing will be deleted:

  • User name and password
  • Email
  • Shipping address (only if you have made an order from our web site)